Cybersecurity researchers are calling attention to a new campaign where threat actors are abusing FortiGate Next-Generation Firewall (NGFW) appliances as entry points to breach victim networks.
The activity involves the exploitation of recently disclosed security vulnerabilities or weak credentials to extract configuration files containing service account credentials and network topology
The security outfit said the campaign has singled out environments tied to healthcare, government, and managed service providers.
"FortiGate network appliances have considerable access to the environments they were installed to protect," security researchers Alex Delamotte, Stephen Bromfield, Mary Braden Murphy, and Amey Patne said .
"In many configurations, this includes service accounts which are connected to the authentication infrastructure, such as Active Directory (AD) and Lightweight Directory Access Protocol (LDAP)."
"This setup can enable the appliance to map roles to specific users by fetching attributes about the connection that’s being analyzed and correlating with the Directory information, which is useful in cases where role-based policies are set or for increasing response speed for network security alerts detected by the device."