Cybersecurity Threat Advisory: Critical Fortinet vulnerability exploited by Qilin ransomware

The Qilin ransomware group is exploiting two critical Fortinet vulnerabilities that allow attackers to bypass authentication and execute remote code on vulnerable systems. Read this Cybersecurity Threat Advisory to discover the tactics used and the best practices you can implement to prevent exploitation.

What is the threat?

Qilin, also tracked as Phantom Mantis, emerged in August 2022 as a Ransomware-as-a-Service (RaaS) operation under the name "Agenda." Since its inception, the group has claimed responsibility for attacks on over 310 victims. The latest attack campaign specifically targets known vulnerabilities in FortiGate appliances, including CVE-2024-21762 (an out-of-bounds write in the FortiOS SSL VPN that allows unauthenticated remote code execution via crafted HTTP requests) and CVE-2024-55591 (an authentication bypass in the FortiOS and FortiProxy administrative interface, reached through the Node.js websocket module, that grants super-admin privileges), as well as other security flaws in the same product family. These vulnerabilities serve as the initial entry point: they let attackers breach the network perimeter and then deploy ransomware within the affected environment.

Why is this noteworthy?

Unlike ransomware operations that rely on phishing or purchased credentials for initial access, Qilin gains its foothold by exploiting specific, internet-facing technology. The tactics observed in this campaign reflect a high level of capability, particularly in the identification and exploitation of vulnerabilities in network security appliances, and highlight the growing technical skill of modern ransomware operators. By exploiting flaws in the FortiGate SSL VPN and administrative interface, the attackers obtain privileged access without valid credentials and can then create their own accounts and policies to maintain a persistent foothold in the compromised environment, a notable shift in how ransomware is being deployed.

What is the exposure or risk?

Attackers exploit these FortiGate vulnerabilities to bypass perimeter security controls and reach the internal network segments that the appliance is supposed to shield from external threats. Because a compromised FortiGate hands the attacker administrative control of the firewall itself, they can add accounts, open policies, and pivot inward from the edge. In addition to immediate financial losses, these attacks expose organizations to regulatory scrutiny, prolonged operational disruptions, and significant reputational harm. By targeting critical network infrastructure, attackers demonstrate a clear understanding of enterprise security architectures, in particular the ability to identify and exploit single points of failure within complex environments. Organizations must take proactive steps to fortify their defenses against such threats.

What are the recommendations?

Barracuda recommends the following actions to keep your environment protected against this new campaign:

  • Apply all relevant patches and updates for known vulnerabilities, especially on internet-facing network security appliances such as FortiGate.
  • Disable or restrict access to the administrative interface using local-in policies, and ensure firewall management interfaces are never reachable from the public internet.
  • Monitor FortiGate event logs for administrator logins from unexpected source addresses, creation of new administrator accounts, and unexpected firewall policy changes.
  • Disable SSL-VPN functionality until the relevant patches are applied; this is Fortinet's documented workaround for CVE-2024-21762.
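The log-monitoring recommendation above is the one most teams leave vague. Below is an added example (not Barracuda's or Fortinet's code) of a small detection sweep that turns it into concrete rules: it parses FortiGate-style key=value event logs and flags administrator logins from outside the trusted management network, new administrator accounts, and firewall policy changes, which together are the post-exploitation pattern described in this advisory. The sample log lines are constructed, not real captures; the field names used (logdesc, user, srcip, ui, action, cfgpath, cfgobj) are assumptions modelled on FortiGate's event-log format and should be checked against the log reference for your firmware version before deploying.

```python
"""Detection sweep over FortiGate-style event logs (added example)."""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# key=value pairs; values may be double-quoted and contain spaces
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# IPv4 address inside ui="https(x.x.x.x)"
_UI_IP = re.compile(r'\((\d{1,3}(?:\.\d{1,3}){3})\)')

# Constructed sample lines (not real captures). Field names are assumptions.
SAMPLE_LOGS = [
    'date=2025-06-10 time=09:02:11 devname="FGT-EDGE" logid="0100032001" type="event" subtype="system" '
    'level="information" logdesc="Admin login successful" user="admin" ui="https(10.10.5.20)" '
    'srcip=10.10.5.20 action="login" status="success" msg="Administrator admin logged in successfully"',
    'date=2025-06-10 time=09:17:43 devname="FGT-EDGE" logid="0100032001" type="event" subtype="system" '
    'level="information" logdesc="Admin login successful" user="admin" ui="https(203.0.113.45)" '
    'srcip=203.0.113.45 action="login" status="success" msg="Administrator admin logged in successfully"',
    'date=2025-06-10 time=09:18:05 devname="FGT-EDGE" logid="0100044547" type="event" subtype="system" '
    'level="information" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.45)" '
    'action="Add" cfgpath="system.admin" cfgobj="sslvpn_support" cfgattr="accprofile[super_admin]"',
    'date=2025-06-10 time=09:19:30 devname="FGT-EDGE" logid="0100044547" type="event" subtype="system" '
    'level="information" logdesc="Object attribute configured" user="sslvpn_support" ui="https(203.0.113.45)" '
    'action="Add" cfgpath="firewall.policy" cfgobj="99" cfgattr="srcintf[wan1]dstintf[lan]action[accept]"',
    'date=2025-06-10 time=09:25:00 devname="FGT-EDGE" logid="0100032002" type="event" subtype="system" '
    'level="alert" logdesc="Admin login failed" user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 '
    'action="login" status="failed" msg="Administrator admin login failed"',
]

# Assumed management network and known administrator names for this example
TRUSTED_MGMT = [ipaddress.ip_network("10.10.5.0/24")]
KNOWN_ADMINS = {"admin"}


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def source_address(rec: Dict[str, str]) -> Optional[str]:
    """Prefer srcip; fall back to the address embedded in ui="https(addr)"."""
    if "srcip" in rec:
        return rec["srcip"]
    m = _UI_IP.search(rec.get("ui", ""))
    return m.group(1) if m else None


def is_trusted(addr: str, trusted) -> bool:
    """True if addr falls inside any trusted management network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def analyze(lines: Iterable[str], trusted=TRUSTED_MGMT, known_admins=KNOWN_ADMINS) -> List[Dict[str, object]]:
    """Return alerts for untrusted admin logins, new admin accounts and policy changes."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("type") != "event" or rec.get("subtype") != "system":
            continue  # only system events carry admin login / config-change records
        when = f"{rec.get('date')} {rec.get('time')}"
        user = rec.get("user", "?")
        addr = source_address(rec)

        if rec.get("action") == "login":
            # Any admin login attempt from outside the management network is suspect,
            # successful ones especially so.
            if addr and not is_trusted(addr, trusted):
                kind = "untrusted_admin_login" if rec.get("status") == "success" else "untrusted_admin_login_failed"
                alerts.append({"kind": kind, "time": when, "user": user, "src": addr})
            continue

        if rec.get("logdesc") == "Object attribute configured":
            path = rec.get("cfgpath", "")
            if path == "system.admin" and rec.get("action") == "Add":
                alerts.append({"kind": "admin_account_created", "time": when, "user": user,
                               "src": addr, "detail": rec.get("cfgobj")})
            elif path.startswith("firewall.policy"):
                alerts.append({"kind": "policy_change", "time": when, "user": user, "src": addr,
                               "detail": f"{rec.get('action')} policy {rec.get('cfgobj')}",
                               "by_unknown_admin": user not in known_admins})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGS):
        print(a)
```

Run against a real export, the same sweep would pick out the sequence this advisory describes: an admin session from an internet address, a freshly created super-admin account, and an inbound policy added by that account minutes later. Tune TRUSTED_MGMT and KNOWN_ADMINS to your environment, and treat any hit on the second or third rule as an incident until proven otherwise.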

Reference

For more in-depth information about the recommendations, please visit the following link:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.