Post: Spike in Fortinet VPN brute-force attacks raises zero-day concerns


<div> <div>
<p>A massive spike in brute-force attacks targeted Fortinet SSL VPNs earlier this month, followed by a switch to FortiManager, marking a deliberate shift in targeting of the kind that has historically preceded new vulnerability disclosures.</p>
<p>The campaign, detected by threat monitoring platform GreyNoise, came in two waves, on August 3 and August 5, with the second wave pivoting to FortiManager and carrying a different TCP signature.</p>
<p>As GreyNoise <a href="https://www.bleepingcomputer.com/news/security/spikes-in-malicious-activity-precede-new-cves-in-80-percent-of-cases/" rel="nofollow noopener" target="_blank">previously reported</a>, such spikes in deliberate scanning and brute-forcing precede the disclosure of new security vulnerabilities 80% of the time.</p>
<p>Often, such scans aim at enumerating exposed endpoints, evaluating their significance, and estimating their exploitation potential, with actual attack waves following shortly after.</p>
<p>&ldquo;New research shows spikes like this often precede the disclosure of new vulnerabilities affecting the same vendor &mdash; most within six weeks,&rdquo; warned GreyNoise.</p>
<p>&ldquo;In fact, GreyNoise found that spikes in activity triggering this exact tag are significantly correlated with future disclosed vulnerabilities in Fortinet products.&rdquo;</p>
<p>Because of this, defenders shouldn&rsquo;t dismiss such spikes as failed attempts to exploit old, patched flaws, but should treat them as potential precursors to a zero-day disclosure and strengthen security measures to block them.</p>
<h2>The Fortinet brute-force attacks</h2>
<p>On August 3, 2025, GreyNoise recorded a spike in brute-forcing attempts targeting Fortinet SSL VPN, on top of steady activity it had been monitoring for some time.</p>
<p>JA4+ fingerprint analysis, a network fingerprinting method for identifying and classifying encrypted traffic, linked the spike to June activity originating from a FortiGate device on a residential IP address associated with Pilot Fiber Inc.</p>
<p>&ldquo;This overlap doesn&rsquo;t confirm attribution, but it suggests possible reuse of tooling or network environments,&rdquo; <a href="https://www.greynoise.io/blog/vulnerability-fortinet-vpn-bruteforce-spike" rel="nofollow noopener" target="_blank">commented GreyNoise</a> in its bulletin.</p>
<div> <p><img decoding="async" alt="Activity spike on August 3" height="600" src="https://datalake.azaeo.com/wp-content/uploads/2025/08/spike.jpg" width="1129" /></p> </div>
<p>Two days later, on August 5, a new brute-force campaign from the same attacker emerged, which switched targeting from FortiOS SSL VPN endpoints to FortiManager&rsquo;s FGFM service.</p>
<p>&ldquo;&hellip; FortiOS profile, traffic fingerprinted with TCP and client signatures &mdash; a meta signature &mdash; from August 5 onward was not hitting <em>FortiOS</em>,&rdquo; explained GreyNoise.</p>
<p>&ldquo;Instead, it was consistently targeting our <em>FortiManager &ndash; FGFM</em> profile albeit still triggering our Fortinet SSL VPN Bruteforcer tag.&rdquo;</p>
<p>This shift suggests that either the same attackers or the same toolset and infrastructure moved from brute-forcing VPN logins to brute-forcing FortiManager access.</p>
<p>The IP addresses associated with this activity, which should be placed on blocklists, are:</p>
<ul> <li>31.206.51.194</li> <li>23.120.100.230</li> <li>96.67.212.83</li> <li>104.129.137.162</li> <li>118.97.151.34</li> <li>180.254.147.16</li> <li>20.207.197.237</li> <li>180.254.155.227</li> <li>185.77.225.174</li> <li>45.227.254.113</li> </ul>
<p>GreyNoise notes that the tracked malicious activity is evolving over time and is associated with a specific origin cluster that is most likely performing adaptive testing.</p>
<p>This activity is unlikely to be researcher scanning, which is typically broader in scope and limited in rate, and would not involve credential brute-forcing, which reads as an outright intrusion attempt.</p>
<p>Hence, defenders should block the listed IPs, increase login protection on Fortinet devices, and harden external access where possible, restricting access to trusted IP ranges and VPNs only.</p>
</div> </div></div>
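<p>The article's advice is to treat a burst of failed SSL VPN logins as a brute-force precursor and to blocklist the listed source addresses. The script below, an added example that is not part of the article or of GreyNoise's tooling, shows one way to operationalise both points on FortiGate-style event logs: it counts <code>ssl-login-fail</code> events per source address inside a sliding time window and separately flags any source that appears in the article's IP list. The log lines are constructed for the example (the <code>date=</code>/<code>time=</code>/<code>action=</code>/<code>remip=</code> key=value layout approximates FortiGate's syslog format but is not copied from a real device), and the 5-failures-in-5-minutes threshold is an assumed tuning value, not something the article specifies.</p>

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Source addresses the article lists as associated with the August 2025 activity.
LISTED_IPS = {
    "31.206.51.194", "23.120.100.230", "96.67.212.83", "104.129.137.162",
    "118.97.151.34", "180.254.147.16", "20.207.197.237", "180.254.155.227",
    "185.77.225.174", "45.227.254.113",
}

# Constructed sample log, FortiGate-like key=value layout (not captured from a real device).
# 203.0.113.10 fails six times in two minutes; 198.51.100.7 fails once then succeeds;
# 31.206.51.194 (an IP from the article's list) fails once.
SAMPLE_LOG = [
    'date=2025-08-03 time=10:00:01 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="admin"',
    'date=2025-08-03 time=10:00:14 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="vpn"',
    'date=2025-08-03 time=10:00:33 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="test"',
    'date=2025-08-03 time=10:00:51 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="alice"',
    'date=2025-08-03 time=10:01:02 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="guest"',
    'date=2025-08-03 time=10:01:20 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="root"',
    'date=2025-08-03 time=10:01:30 type="event" subtype="vpn" action="tunnel-up" remip=198.51.100.7 user="alice"',
    'date=2025-08-03 time=10:01:45 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="support"',
    'date=2025-08-03 time=10:02:10 type="event" subtype="vpn" action="ssl-login-fail" remip=31.206.51.194 user="admin"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def event_time(fields):
    """Combine the date= and time= fields into a datetime."""
    return datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {remip: peak_failures} for sources whose failed SSL VPN logins reach
    `threshold` inside any `window`-long sliding interval (threshold/window are assumed values)."""
    failures = defaultdict(list)
    for line in lines:
        fields = parse_line(line)
        if fields.get("action") != "ssl-login-fail" or "remip" not in fields:
            continue  # not a failed login, or a malformed line: ignore
        failures[fields["remip"]].append(event_time(fields))

    hits = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # advance the window start until all retained events fit inside `window`
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


def match_listed(lines):
    """Return the sorted list of source addresses that appear in the article's IP list."""
    seen = {parse_line(line).get("remip") for line in lines}
    return sorted(seen & LISTED_IPS)


def triage(lines):
    """Combine both checks into one report suitable for a blocklist/alert pipeline."""
    return {"bruteforce": detect_bruteforce(lines), "listed": match_listed(lines)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

<p>On the constructed sample the sliding-window check reports <code>203.0.113.10</code> with six failures while the single failure from <code>198.51.100.7</code> stays below threshold, and the list check surfaces <code>31.206.51.194</code> even though it produced only one event, which is the point of the article's blocklist advice: a listed source warrants attention before it reaches a rate threshold.</p>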