SentinelOne DFIR investigated multiple incidents in early 2026 in which attackers compromised FortiGate next-generation firewall appliances to gain initial access to enterprise environments. Exploiting Fortinet vulnerabilities, the attackers exported the appliance configuration, which holds service account credentials protected only by reversible encryption. Once decrypted, these credentials were used to authenticate to Active Directory (AD) and extend access inside the network. Threat actors created rogue domain workstations, deployed remote management tools, and attempted credential harvesting from domain controllers. The activity shows how a compromised network edge device can become the pivot point for full domain compromise and data exfiltration.
Severity: Critical
Threat Details
Incident 1: Stealthy Persistence & Rogue Workstations
- Initial Access: Attackers gained administrative access to the FortiGate appliances, primarily through SSO authentication vulnerabilities and exposed weak credentials. Access likely began in late November 2025. The attacker created a local admin account named “support” and four new firewall policies to maintain a foothold.
- Credential Harvesting: In February 2026, the actor decrypted the FortiGate configuration to recover the LDAP credentials of the fortidcagent service account.
- Lateral Movement: Using the stolen service account, the attacker joined two rogue workstations (WIN-X8WRBOSKOOF and WIN-YRSXLEONJY2) to the domain by abusing the default ms-DS-MachineAccountQuota setting, which lets any authenticated domain user create up to 10 computer accounts.
- Discovery: Used SoftPerfect Network Scanner for enumeration and attempted password spraying from the appliance's IP address.
Incident 2: Rapid Escalation & Data Theft
- Initial Access: Attackers accessed the organization's FortiGate appliance and created a local admin account named “ssl-admin”.
- Credential Harvesting: Stole Domain Administrator credentials from the exported configuration file.
- Execution & Persistence:
  - Logged into servers via RDP within 10 minutes of initial access.
  - Deployed the RMM tools Pulseway and MeshAgent to establish a deeper foothold.
  - Used DLL side-loading (disguising the malicious DLLs as Java files) to execute payloads.
- Exfiltration: Created a Volume Shadow Copy on the primary domain controller to copy the NTDS.dit database and the SYSTEM registry hive (the hive holds the boot key needed to decrypt the password hashes in NTDS.dit), then likely exfiltrated them to a Cloudflare-owned IP address.
Vulnerabilities & Exploitation Methods
| CVE / weakness | Description |
| --- | --- |
| CVE-2025-59718 / CVE-2025-59719 | SSO mechanisms fail to validate signatures, allowing unauthenticated admin access via crafted tokens. |
| CVE-2026-24858 | Allows login to devices with FortiCloud SSO enabled using an attacker-controlled account. |
| Weak credentials | Actors scan for exposed management interfaces and log in using common or weak passwords. |
| Reversible encryption | FortiOS configuration files store embedded service account passwords with reversible encryption, so anyone who obtains the configuration can recover them. By default the key is not device-specific; enabling private-data-encryption with a custom key under config system global limits what an exported configuration reveals. |
Recommendations
- Organizations should ensure that all FortiGate appliances are running the latest firmware versions and immediately apply patches for vulnerabilities associated with the attack, including CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858.
- Alert on Log ID 0100032095, which signals that the system configuration file containing sensitive service account credentials has been exported.
- Search for Log ID 0100032001 (successful SSO admin login) and check whether the user names match the patterns seen in these intrusions, such as cloud-init[@]mail[.]io or cloud-noc[@]mail[.]io.
- Alert on Log ID 0100044547 (object attribute configured) where the configuration path is user.local or system.admin, as attackers often create “backdoor” accounts like support or ssl-admin.
- Analyze VPN Tunnel Logs: Correlate Log ID 0101039424 (SSL VPN up) or Log ID 0101037138 (IPsec tunnel up) with the remip field to identify the attacker’s source IP for further tracking.
- Monitor for Windows Event ID 4741 (computer account created). This is a high-fidelity alert when the Subject Security ID is the FortiGate LDAP service account rather than a legitimate administrator or domain-join account.
- Audit Directory Service Changes: enable advanced auditing so that Event ID 5136 (directory service object modified) is recorded; new computer objects with no Service Principal Names (SPNs) or unusual userAccountControl values point to automated tooling such as Impacket rather than a normal domain join.
- Identify malicious computer objects: regularly query AD for computer objects whose mS-DS-CreatorSID belongs to the Fortinet LDAP service account or whose SPNs are absent. The attribute is only populated when the account was created under the ms-DS-MachineAccountQuota allowance rather than by an account with explicit create rights, so any computer object carrying it deserves a look.
- Look for WMIC being used to create Volume Shadow Copies (for example, wmic shadowcopy call create Volume=C:\).
- Block the IOCs listed below at the respective controls; the full collection is available on VirusTotal:
https://www.virustotal.com/gui/collection/6105363c88b239ab97e6876eb0967261cb7be0d9aef706d9f93828215b34d65c/iocs
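The recommendations above describe a two-sided hunt: triage of FortiGate event logs by log ID, and a check of AD computer objects against the LDAP service account's SID. The following Python is an added example written for this advisory, not code from SentinelOne or Fortinet. It assumes the standard FortiGate key=value log layout (fields logid, user, cfgpath, cfgobj, action and remip), and represents AD computer objects as LDAP-export-style dictionaries with mS-DS-CreatorSID as raw bytes. Every sample log line, SID and computer object below is constructed for illustration and is not a record from the incidents.

```python
"""Triage helpers for the FortiGate-to-AD intrusion pattern in the recommendations.

Part 1 parses FortiGate key=value event logs and flags the log IDs called out
above.  Part 2 decodes the binary mS-DS-CreatorSID attribute of AD computer
objects so it can be compared with the LDAP service account's SID.
All sample data below is constructed for illustration (added example).
"""
import re
import struct

# FortiGate logs are space-separated key=value pairs; values may be double-quoted.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

LOG_CONFIG_EXPORTED = "0100032095"    # system configuration file exported
LOG_ADMIN_LOGIN_OK = "0100032001"     # successful admin login (incl. SSO)
LOG_OBJECT_CONFIGURED = "0100044547"  # object attribute configured
LOG_SSLVPN_UP = "0101039424"          # SSL VPN tunnel up
LOG_IPSEC_UP = "0101037138"           # IPsec tunnel up


def parse_fortigate_log(line):
    """Return the key=value fields of one FortiGate log line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def triage_fortigate_logs(lines, known_admins, suspicious_user_re=r"^cloud-(init|noc)@"):
    """Return (finding, detail) pairs for the events an analyst should pull first."""
    suspicious = re.compile(suspicious_user_re, re.IGNORECASE)
    findings = []
    for line in lines:
        ev = parse_fortigate_log(line)
        logid = ev.get("logid")
        if logid == LOG_CONFIG_EXPORTED:
            findings.append(("config_exported", ev.get("user", "?")))
        elif logid == LOG_ADMIN_LOGIN_OK:
            user = ev.get("user", "")
            # SSO logins carry the cloud identity as the user name; anything outside
            # the known admin set, or matching the patterns from these intrusions, is flagged.
            if user not in known_admins or suspicious.search(user):
                findings.append(("unexpected_admin_login", user))
        elif logid == LOG_OBJECT_CONFIGURED and ev.get("cfgpath") in ("user.local", "system.admin"):
            findings.append(("admin_or_local_user_changed",
                             "%s %s %s" % (ev.get("action"), ev.get("cfgpath"), ev.get("cfgobj"))))
        elif logid in (LOG_SSLVPN_UP, LOG_IPSEC_UP):
            findings.append(("vpn_tunnel_up", ev.get("remip", "?")))
    return findings


def sid_bytes_to_string(raw):
    """Decode a binary SID (objectSid / mS-DS-CreatorSID) into S-1-5-... form."""
    revision, sub_count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")            # 48-bit big-endian
    subs = struct.unpack_from("<%dI" % sub_count, raw, 8)  # 32-bit little-endian each
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_string_to_bytes(sid):
    """Inverse of sid_bytes_to_string; used here only to build the sample objects."""
    parts = sid.split("-")  # ["S", revision, authority, sub-authorities...]
    revision, authority, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def find_rogue_computers(computers, service_account_sid):
    """Flag computer objects created by the service account or carrying no SPNs."""
    # mS-DS-CreatorSID is only populated when the object was created under the
    # ms-DS-MachineAccountQuota allowance, so its presence alone narrows the hunt.
    rogue = []
    for c in computers:
        reasons = []
        creator = c.get("mS-DS-CreatorSID")
        if creator is not None and sid_bytes_to_string(creator) == service_account_sid:
            reasons.append("created_by_service_account")
        if not c.get("servicePrincipalName"):
            reasons.append("no_spn")
        if reasons:
            rogue.append((c["sAMAccountName"], reasons))
    return rogue


# Constructed sample data (RFC 5737 addresses; field values are illustrative).
SAMPLE_LOGS = [
    'date=2026-02-03 time=09:14:02 devname="FGT-EDGE-01" logid="0100032001" type="event" subtype="system" user="cloud-init@mail.io" ui="https(203.0.113.7)" srcip=203.0.113.7 action="login" status="success" msg="Administrator cloud-init@mail.io logged in successfully"',
    'date=2026-02-03 time=09:15:40 devname="FGT-EDGE-01" logid="0100044547" type="event" subtype="system" user="cloud-init@mail.io" action="Add" cfgpath="system.admin" cfgobj="support" msg="Add system.admin support"',
    'date=2026-02-03 time=09:17:11 devname="FGT-EDGE-01" logid="0100032095" type="event" subtype="system" user="support" ui="https(203.0.113.7)" msg="System configuration file exported"',
    'date=2026-02-03 time=09:20:05 devname="FGT-EDGE-01" logid="0101039424" type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="svc-vpn" remip=198.51.100.20 msg="SSL VPN tunnel up"',
    'date=2026-02-03 time=10:02:30 devname="FGT-EDGE-01" logid="0100032001" type="event" subtype="system" user="admin" ui="https(10.0.0.5)" srcip=10.0.0.5 action="login" status="success" msg="Administrator admin logged in successfully"',
]
SERVICE_ACCOUNT_SID = "S-1-5-21-3623811015-3361044348-30300820-1105"  # constructed SID for the LDAP service account
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "WIN-X8WRBOSKOOF$", "mS-DS-CreatorSID": sid_string_to_bytes(SERVICE_ACCOUNT_SID), "servicePrincipalName": []},
    {"sAMAccountName": "FILESRV01$", "servicePrincipalName": ["HOST/FILESRV01", "HOST/filesrv01.corp.example"]},
    {"sAMAccountName": "LAB-PC-07$", "mS-DS-CreatorSID": sid_string_to_bytes("S-1-5-21-3623811015-3361044348-30300820-2201"), "servicePrincipalName": ["HOST/LAB-PC-07"]},
]


def run_demo():
    """Run both hunts over the constructed samples and return their findings."""
    findings = triage_fortigate_logs(SAMPLE_LOGS, known_admins={"admin"})
    rogue = find_rogue_computers(SAMPLE_COMPUTERS, SERVICE_ACCOUNT_SID)
    return findings, rogue
```

Feed real FortiGate syslog lines to triage_fortigate_logs with your actual admin list, and feed find_rogue_computers the result of an LDAP search that returns mS-DS-CreatorSID undecoded (most LDAP libraries expose the raw bytes); the decoder handles the 48-bit big-endian authority and little-endian sub-authorities that naive string conversion gets wrong. The benign admin login in the sample produces no finding, which is the point of keeping a known-admin allow list rather than alerting on every 0100032001 event.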
IOCs
| Type | Indicator |
| --- | --- |
| Domain | ndibstersoft[.]com |
| Domain | neremedysoft[.]com |
| Domain | fastdlvrss[.]s3[.]us-east-1[.]amazonaws[.]com |
| IP | 185.156.73[.]62 |
| IP | 185.242.246[.]127 |
| IP | 193.24.211[.]61 |
| URL | hxxps://fastdlvrss[.]s3[.]us-east-1[.]amazonaws[.]com/paswr.zip |
| URL | hxxps://storage.googleapis[.]com/apply-main/windows_agent_x64[.]msi |
MITRE ATT&CK
| Tactic | Technique | ID |
| --- | --- | --- |
| Initial Access | Exploit Public-Facing Application | T1190 |
| Initial Access | Valid Accounts | T1078 |
| Execution | System Services: Service Execution | T1569.002 |
| Persistence | Create Account | T1136 |
| Persistence | Scheduled Task/Job: Scheduled Task | T1053.005 |
| Privilege Escalation | Valid Accounts: Domain Accounts | T1078.002 |
| Defense Evasion | Obfuscated Files or Information | T1027 |
| Defense Evasion | Hijack Execution Flow: DLL | T1574.002 |
| Defense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 |
| Credential Access | OS Credential Dumping | T1003 |
| Credential Access | OS Credential Dumping: NTDS | T1003.003 |
| Discovery | Network Service Discovery | T1046 |
| Discovery | Account Discovery | T1087 |
| Lateral Movement | Remote Services: Remote Desktop Protocol | T1021.001 |
| Collection | Data from Local System | T1005 |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 |
| Command and Control | Ingress Tool Transfer | T1105 |
| Exfiltration | Exfiltration Over C2 Channel | T1041 |
Source:
- https://www.sentinelone.com/blog/fortigate-edge-intrusions/