A server briefly linked to the notorious KeyPlug malware has inadvertently exposed a comprehensive arsenal of exploitation tools specifically designed to target Fortinet firewall and VPN appliances. The infrastructure, which security researchers have attributed to the RedGolf threat group (overlapping with APT41), was accessible for less than 24 hours before being secured, providing a rare glimpse into advanced persistent threat operations aimed at critical network infrastructure.

The exposed server at IP 45.77.34[.]88 revealed multiple exploit scripts targeting vulnerabilities in Fortinet devices, including what appear to be tools leveraging CVE-2024-23108 and CVE-2024-23109. These exploits specifically abuse unauthenticated WebSocket endpoints in FortiOS to execute privileged CLI commands, potentially giving attackers complete control over targeted appliances.

Hunt.io researchers noted that the server shared a WolfSSL-issued TLS certificate with five additional servers, all hosted on Vultr, creating a traceable pattern of infrastructure. Their AttackCapture™ system indexed the server during its brief exposure, preserving critical evidence that might otherwise have been lost when the misconfiguration was corrected.

Among the most concerning findings were Python-based reconnaissance scripts designed to scan for and fingerprint Fortinet devices. One such script, identified as "1.py," systematically probes potential targets for Fortinet login portals and extracts version-specific JavaScript hash values that can be used to determine exploit compatibility.

A more aggressive exploit tool named "ws_test.py" demonstrated functionality for bypassing Fortinet authentication by spoofing local traffic. This bypass technique, when successful, allows execution of privileged commands such as "show full-configuration" without any authentication, potentially compromising the entire device.

The analysis also revealed a particularly sophisticated PHP-based webshell called "bx.php" that uses encryption to hide command execution. The webshell reads encrypted payloads directly from HTTP POST bodies, decrypts them in memory, and executes commands dynamically, leaving minimal evidence on disk or in logs.

Reconnaissance output files revealed nearly one hundred domains associated with the company, including login portals, development environments, and identity providers.

The brief exposure underscores the sophisticated capabilities of the threat actor and their focus on high-value network security devices. Security experts recommend immediate patching of all Fortinet devices, monitoring for WebSocket handshake requests to suspicious endpoints, and reviewing historical logs for signs of exploitation attempts using these now-exposed techniques.

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
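The log-review recommendation above (WebSocket handshakes arriving from outside the device, requests that claim a local origin, and the server IP quoted in the article) as a small triage script, added here as an example; it is not code from the article or from Hunt.io, and the log line format, the paths and the client addresses in the sample are constructed placeholders.

```python
import re

# Indicator from the article (written defanged there): the exposed server's IP.
KNOWN_SERVER_IP = "45.77.34[.]88".replace("[.]", ".")

# Assumption: a simplified access-log format constructed for this example:
#   <client_ip> <method> <path> <status> upgrade="<Upgrade hdr>" xff="<X-Forwarded-For>"
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) '
                    r'upgrade="(?P<upgrade>[^"]*)" xff="(?P<xff>[^"]*)"$')
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def classify(line):
    """Return finding tags for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, findings = m["ip"], []
    # WebSocket handshake from outside the box; a 101 means the upgrade succeeded.
    if m["upgrade"].lower() == "websocket" and ip not in LOOPBACK:
        tag = "websocket-handshake-from-remote"
        findings.append(tag + "-accepted" if m["status"] == "101" else tag)
    # A remote client asserting a loopback origin in forwarding headers is the
    # "spoofing local traffic" pattern described above.
    if m["xff"] in LOOPBACK and ip not in LOOPBACK:
        findings.append("spoofed-local-origin")
    if ip == KNOWN_SERVER_IP:
        findings.append("known-indicator-ip")
    return findings


def scan(lines):
    """Return (1-based line number, findings) for each line that has findings."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = classify(line)
        if f:
            hits.append((n, f))
    return hits


# Constructed sample log: placeholder paths and addresses, not real endpoints.
SAMPLE_LOG = """\
10.0.0.5 GET /portal/login 200 upgrade="" xff=""
203.0.113.7 GET /ws 101 upgrade="websocket" xff="127.0.0.1"
127.0.0.1 GET /ws 101 upgrade="websocket" xff=""
45.77.34.88 GET /portal/login 200 upgrade="" xff=""
"""

if __name__ == "__main__":
    for n, f in scan(SAMPLE_LOG.splitlines()):
        print(n, ", ".join(f))
```

Lines flagged only for a WebSocket handshake still need context (which endpoint, whether that endpoint should ever be reachable remotely); the script narrows the haystack rather than proving compromise.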
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 18 Apr 2025 16:35:13 +0000