The digital perimeter of enterprise networks is under constant siege, and even the most robust security solutions can become targets. Recent intelligence reveals a concerning wave of attacks leveraging critical vulnerabilities in FortiGate Next-Generation Firewalls (NGFWs). These sophisticated intrusions, first intercepted in early 2024, aimed to establish persistent footholds and steal credentials, highlighting a critical need for immediate action and heightened vigilance among IT professionals and security analysts.

SentinelOne’s swift response, uncovering these incidents during the lateral movement phase, prevented attackers from fully achieving their objectives. However, the attacks underscore a recurring theme: nation-state actors and advanced persistent threats (APTs) are increasingly focusing on exploiting perimeter defenses to gain initial access.

Understanding the Attack Vector: Exploiting FortiGate Firewalls

The core of these recent intrusions revolves around the exploitation of high-severity vulnerabilities within Fortinet’s FortiGate NGFWs. Firewalls, designed to be the first line of defense, become attractive targets due to their privileged network position and the potential for deep access once breached. Threat actors, in this wave of attacks, specifically targeted these devices to:

• Establish initial access and maintain a persistent presence within the compromised network.
• Move laterally across the network, seeking out valuable assets and data.
• Exfiltrate sensitive credentials, often a precursor to further, more damaging attacks.

While the specific vulnerabilities leveraged in the early 2024 attacks are not fully detailed in the immediate source, SentinelOne’s analysis closely tracked three high-severity Fortinet vulnerabilities disclosed between December [sic – implied previous disclosure, but specific CVEs and dates not provided in source beyond “between December”]. This strongly suggests that the attackers were capitalizing on known, unpatched flaws. This highlights the critical importance of timely patching and vulnerability management.

The Lateral Movement Phase: A Critical Interception Window

A crucial aspect of SentinelOne’s success in mitigating these intrusions was the interception of the attackers during the lateral movement phase. This stage occurs after initial access has been gained, but before the adversaries have fully achieved their ultimate objectives (e.g., data exfiltration, system destruction). This highlights:

• The importance of robust internal network monitoring and threat detection capabilities, beyond just perimeter security.
• The value of Security Information and Event Management (SIEM) systems and Extended Detection and Response (XDR) platforms in correlating anomalous activities across the network.
• The need for security playbooks and incident response plans to quickly react to and contain threats during sensitive phases of an attack.

Intercepting attackers at this stage allows organizations to minimize damage, understand the full scope of the breach, and effectively remediate the compromised systems without facing the full impact of an advanced attack.

Remediation Actions and Proactive Defense

Given the severity of these attacks and the critical role FortiGate firewalls play in network security, immediate and proactive measures are paramount. Organizations leveraging FortiGate devices must prioritize the following:

• Patch Management: Proactively and consistently apply all security patches and firmware updates released by Fortinet. This is the single most effective defense against known vulnerabilities. Specifically, monitor Fortinet’s security advisories for patches related to publicly disclosed CVEs.
• Vulnerability Scanning: Regularly scan your external and internal network for known vulnerabilities, particularly focusing on internet-facing devices like firewalls. Employ both authenticated and unauthenticated scans to get a comprehensive view of your attack surface.
• Configuration Hardening: Follow Fortinet’s best practices for securing FortiGate devices. This includes disabling unnecessary services, implementing strong access controls, and using multi-factor authentication (MFA) for all administrative interfaces.
• Network Segmentation: Implement strong network segmentation to limit lateral movement if a breach occurs. Isolate critical assets and servers from less sensitive parts of the network.
• Logging and Monitoring: Ensure comprehensive logging is enabled on all FortiGate devices and that these logs are continuously monitored for suspicious activity. Integrate firewall logs with your SIEM or XDR solution for centralized analysis and alerting.
• Threat Intelligence: Stay informed about the latest threat intelligence, especially regarding attacker tactics, techniques, and procedures (TTPs) targeting network perimeter devices.
• Incident Response Planning: Develop and regularly test your incident response plan to ensure your team can quickly detect, contain, eradicate, and recover from a security incident.

Relevant Tools for Detection and Mitigation

Tool Name	Purpose	Link
FortiManager	Centralized management and deployment of FortiGate configurations and patches.	FortiManager
Nessus (Tenable Vulnerability Scanner)	Vulnerability scanning for identifying unpatched systems and misconfigurations.	Nessus
Qualys VMDR	Comprehensive vulnerability management, detection, and response.	Qualys VMDR
Splunk Enterprise Security	SIEM for log aggregation, correlation, and real-time security monitoring.	Splunk ES
SentinelOne Singularity Platform	XDR for endpoint, cloud, and identity threat detection and response.	SentinelOne Singularity

Key Takeaways for a Resilient Defense

The exploitation of FortiGate firewalls in this recent attack wave serves as a stark reminder: even mature security technologies require constant attention and proactive management. Organizations must move beyond basic perimeter defense and adopt a multi-layered security strategy that includes robust vulnerability management, continuous monitoring, and a well-defined incident response capability. The fight against sophisticated adversaries is ongoing, and staying ahead requires diligence, constant vigilance, and a commitment to maintaining a strong security posture.