Network security is no longer just a matter of blocking ports and filtering traffic: devices placed at the perimeter, such as next-generation firewalls (NGFW), have become entry points coveted by attackers. Recently, security researchers documented a campaign in which malicious actors targeted FortiGate devices to open the way into victim networks, obtain service account credentials and, from there, move laterally within critical infrastructure. The detailed analysis is available in the SentinelOne report, which describes how these intrusions take advantage of reported vulnerabilities and weak configurations.
A key point the researchers make is the privileged role that well-configured NGFWs play: in addition to inspecting and filtering traffic, many are integrated with authentication services such as Active Directory (AD) or LDAP to map users, enforce role-based policies and speed up incident response. That same integration, in the wrong hands, becomes a direct path to an organization's most sensitive assets. As the report's authors point out, access to service account credentials can allow automated authentication against the corporate directory and operations that would be impossible from a standard account.

The observed modus operandi includes exploiting known flaws in the firmware itself, or the exposure of weak administrative credentials, to extract the configuration file from the device. In at least one documented incident the attackers created a local administrative account named "support" and set up firewall rules that let that account move between network zones without restriction. This behaviour is typical of so-called initial access brokers: establish and maintain persistent, marketable access until other criminals buy it or use it to deploy malicious payloads.
The chronology of the attack shows how an initial intrusion can remain silent for months: after establishing access, the adversaries returned to the device months later and retrieved the configuration, which contained encrypted credentials for LDAP services. According to SentinelOne, there was evidence that these credentials were recovered in clear text and used to authenticate to AD with the "fortidcagent" service account. With that level of privilege the attackers were able to register fraudulent workstations in the domain, run network sweeps and, in other cases, deploy remote access tools such as Pulseway and MeshAgent to maintain remote control. The report also documents the download of malware from cloud storage using PowerShell and the execution of a Java payload via DLL side-loading that exfiltrated the AD database (NTDS.dit) and the SYSTEM registry hive to an external server (indicator cited: "172.67.196 [.] 232" over port 443).
The attacker's ability to extract NTDS.dit is particularly serious: this file stores the password hashes and critical objects of the domain, and its theft facilitates offline password cracking, privilege escalation and the preparation of follow-on campaigns such as ransomware deployment or large-scale information theft. Microsoft explains the sensitivity of the file, and why its integrity and confidentiality are fundamental to Active Directory management, in the technical documentation of the directory service (Active Directory: NTDS.DIT).
Incidents of this kind illustrate not only the technical risk but the chain of consequences: a device designed to protect the network can become a lever to control it if it is not patched, if its credentials are not adequately protected, or if it is granted excessive permissions. Fortinet publishes security advisories and patches for its products on its official advisories page, and keeping firmware up to date is one of the first lines of defence (Fortinet Security Advisories).

What should organizations do to reduce the risk? First, prioritize patching edge devices and monitor configuration changes. It is also crucial to reduce the scope and privileges of the service accounts used by network equipment: if a device account can authenticate to AD with broad permissions, its compromise has a far greater impact. Administrative functions should be segregated, management interfaces exposed only to trusted networks or VPNs, and access and the creation of privileged accounts audited continuously. This is complemented by rotating and protecting keys and passwords, enforcing MFA wherever possible, and monitoring for suspicious outbound traffic to third-party infrastructure.
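As an added illustration of the continuous auditing recommended above, applied to the abuse pattern described earlier (the firewall's "fortidcagent" directory account authenticating from unexpected hosts and registering workstations in the domain), here is example detection logic that is not part of the SentinelOne report or any Fortinet tooling. The simplified event records, the expected source host name and the event shape are constructed for this example; the Windows Security event IDs (4624 logon, 4741 computer account created, 4720 user account created) are standard.

```python
"""Flag abuse of a firewall's directory-integration service account.

Constructed example: simplified Windows Security event records. The
expected source host for the service account is an assumed baseline.
"""
from dataclasses import dataclass

# Assumed baseline: the only host that should ever authenticate as the
# FortiGate directory agent account is the firewall's connector host.
EXPECTED_SOURCES = {"fortidcagent": {"fgt-dcagent-01"}}


@dataclass(frozen=True)
class Event:
    event_id: int      # Windows Security event ID
    account: str       # account performing the action (SubjectUserName)
    source_host: str   # workstation/host the action originated from
    target: str = ""   # created object, for 4741/4720


def findings_for(event: Event) -> list[str]:
    """Return zero or more findings for a single event."""
    acct = event.account.lower()
    if acct not in EXPECTED_SOURCES:
        return []  # not a monitored device service account
    out = []
    # A directory-integration account should only log on from its own host.
    if event.event_id == 4624 and event.source_host.lower() not in EXPECTED_SOURCES[acct]:
        out.append(f"{acct}: logon from unexpected host {event.source_host}")
    # Such an account has no business creating computer or user objects.
    if event.event_id == 4741:
        out.append(f"{acct}: created computer account {event.target}")
    if event.event_id == 4720:
        out.append(f"{acct}: created user account {event.target}")
    return out


def audit(events) -> list[str]:
    """Run every event through the rules and collect the findings."""
    return [f for e in events for f in findings_for(e)]


SAMPLE_EVENTS = [  # constructed records
    Event(4624, "fortidcagent", "FGT-DCAGENT-01"),          # expected logon
    Event(4624, "fortidcagent", "WS-ROGUE-7"),              # unexpected source
    Event(4741, "fortidcagent", "WS-ROGUE-7", "ROGUEPC$"),  # rogue machine join
    Event(4624, "jdoe", "WS-042"),                          # ordinary user, ignored
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print("ALERT", finding)
```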
The lesson is clear: NGFWs add value because they know the network and can act with context, but that visibility must not become a single master key. Organizations that depend on these devices should treat them with the same rigour they apply to critical servers: fast patching, minimal configurations, service roles with limited privileges and specialized monitoring. The security community and vendors have already shown that attackers are targeting these components; the practical response is to reduce the attack surface and have detection and response procedures tuned for when, inevitably, someone gets past the first barrier.
The technical details of the case and additional recommendations are in the SentinelOne report, and the Fortinet advisories provide the information needed to identify and remediate the flaws in specific versions. Protecting the network's front door today requires not only good products but diligent maintenance and an architecture that assumes any device can be compromised and limits the damage when that happens.