{
	"id": "6a4d6ec1-2e9f-4084-af63-9c61c56172dc",
	"created_at": "2026-04-29T02:20:25.560749Z",
	"updated_at": "2026-04-29T08:21:55.566809Z",
	"deleted_at": null,
	"sha1_hash": "21c3ca3c9daf24e3cc150328b323df0d5c4ba86f",
	"title": "Exposed Fortinet Fortigate firewall interface leads to LockBit Ransomware (CVE-2024–55591)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1342894,
	"plain_text": "Exposed Fortinet Fortigate firewall interface leads to LockBit\r\nRansomware (CVE-2024–55591)\r\nBy InTheCyber\r\nPublished: 2025-11-06 · Archived: 2026-04-29 02:07:47 UTC\r\n10 min read\r\nOct 30, 2025\r\nAuthors: Marco Pedrinazzi (@pedrinazziM), Tommaso Tosi (@_tosto_), Davide Negri\r\nSummary\r\nInTheCyber got engaged in an incident response activity by an enterprise victim of LockBit3.0. The victim had no\r\nmonitoring solution in place. Most of the logs on critical systems to analyze got encrypted by the threat actor and\r\nweak log retention policies did not allow us to reconstruct some dynamics of the attack.\r\nPhase 1: Exploitation of CVE-2024–55591 (Days 1–6)\r\nDay 1: The attacker (TA) exploited CVE-2024–55591 to bypass authentication and gain super-admin\r\naccess to a Fortinet Fortigate Firewall.\r\nDays 2–4: The TA created multiple admin accounts with VPN access, configured firewall rules for\r\nunrestricted access, then deleted and recreated them to evade detection.\r\nDay 5: The TA tested VPN access for 2 minutes.\r\nDay 6: The TA erased traces of previous actions.\r\nPhase 2: A new threat actor? (Days 7–8)\r\nDay 7: A new attacker (likely an access broker’s buyer) used an existing VPN-enabled account to infiltrate\r\nthe network without brute force. Due to weak segmentation, the TA could move laterally across systems.\r\nUsed RDP to access domain controllers, backup servers (Veeam), and key machines, and then, the TA\r\nextracted stored credentials from Firefox browser data. Gained cloud access and modified MFA settings\r\nfor persistence.\r\nDay 8: The TA initiated their actions on Day 8 by dumping operating system credentials through access\r\nto the NTDS.dit file, a critical Active Directory database often targeted for credential theft. They\r\nproceeded to disable the Endpoint Detection and Response (EDR) system’s anti-ransomware features\r\nand manipulated alert settings to evade detection. 
Following this, they compromised multiple Office365\r\naccounts, escalated privileges to Global Administrator and gained unauthorized access to SharePoint files\r\ncontaining stored passwords. Finally, the attacker destroyed the backups stored on local NAS devices and\r\nin the cloud (through an Azure app) and then encrypted the virtual machines, causing significant operational\r\nimpact and data loss.\r\nAnalysis\r\nRansom note (image in the original post)\r\nPhase 1: Exploitation of CVE-2024–55591\r\nThis stage covers days 1 to 6 of the attack.\r\nDay 1\r\nInitial access — Exposed FW management leads to authentication bypass and a new super admin\r\nOn day 1, the TA created a new super-admin account by exploiting CVE-2024–55591. This vulnerability, an authentication bypass using an alternate path or channel in FortiOS, allows a remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module. The threat actor could exploit it\r\nbecause the firewall's management interface was exposed to the Internet. Fortinet's advisory for this issue (FG-IR-24-535) lists disabling HTTP/HTTPS administrative access on Internet-facing interfaces, or restricting the source addresses that can reach it, as the workaround; either would have denied this initial access.\r\nDay 2, 3, 4, 5 and 6\r\nPersistence — New admin accounts with VPN access\r\nOn day 2, the super-admin account created by the threat actor created 5 local users and added them to the ADMIN\r\ngroup. Each local user's name is a 6-character string of random characters.\r\nOn day 3, the super-admin account created by the threat actor added a new local user following the same pattern\r\nas on day 2, but this time granting the user VPN access. 
In particular, the threat actor:\r\nAdds user.local \u003cREDACTED\u003e\r\nAdds a new firewall.address object 172_all_iZ\r\nsubnet[172.16.0.0 255.240.0.0]\r\nAdds firewall.address object 10_all_iZ\r\nsubnet[10.0.0.0 255.0.0.0]\r\nAdds firewall.address object 192_all_iZ\r\nsubnet[192.168.0.0 255.255.0.0]\r\nAdds vpn.ssl.web.portal \u003cREDACTED\u003e\r\ntunnel-mode[enable]ip-pools[SSLVPN_TUNNEL_ADDR1_\u003cREDACTED\u003e]split-tunneling-routing-address[10_all_iZ\r\nAdds vpn.ssl.settings:authentication-rule \u003cREDACTED\u003e\r\nusers[\u003cREDACTED\u003e]portal[\u003cREDACTED\u003e]\r\nChanges the SSL VPN settings\r\nEdits vpn.ssl.settings\r\nstatus[enable-\u003eenable]\r\nAdds firewall.policy \u003cREDACTED\u003e. This rule allows the user created above to reach all internal\r\nnetwork subnets over any service or port, without restriction, at any time. All traffic is logged.\r\nname[\u003cREDACTED\u003e]srcintf[ssl.root]dstintf[any]action[accept]srcaddr[SSLVPN_TUNNEL_ADDR1_\u003cREDACTED\u003e]dst\r\nOn day 4, the super-admin account created by the threat actor deleted what it had done on the firewall on day 3, then\r\ncreated yet another new user and granted it VPN access with the same operations as on day 3.\r\nOn day 5, the threat actor connected to the victim's infrastructure via VPN for 2 minutes; no other activity was\r\nfound in that timeframe, and we assume the TA wanted to test the VPN connection.\r\nOn day 6, the TA deleted everything done on the FW on day 4.\r\nThe source IPs from which the TA logged in are 45.55.158.47 and 37.19.196.65.\r\nPhase 2: A new threat actor?\r\nOur hypothesis is that an initial access broker was involved in this campaign: it gained access in \u003cREDACTED\u003e\r\nand sold the access in \u003cREDACTED\u003e (roughly a month later) to another attacker. This stage covers days 7 and\r\n8 of the attack.\r\nDay 7\r\nInitial access — A valid local account with VPN access\r\nOn day 7, the threat actor started the compromise of the victim's infrastructure by using the VPN connection with\r\nan account already present on the FW; no signs of brute force were detected. The threat actor kept the VPN\r\nconnection active throughout days 7 and 8. The IP from which the TA connected is 154.18.187.108.\r\nDiscovery\r\nThere was no indication of reconnaissance activity by the attackers. We believe they had access to\r\nboth the firewall logs and configuration, allowing them to assess the firewall policies and identify the key systems to target.\r\nThe threat actor was able to move laterally across most systems in the network due to insufficient network\r\nsegmentation (all targets were in the same subnet) and weak password policies, which allowed access to\r\nmultiple servers with a single credential set.\r\nThe limited access to logs and the lack of network segmentation contributed to the success of the attack.\r\nLateral Movement via RDP \u0026 Defense Evasion via valid accounts \u0026 Initial access to the cloud \u0026\r\nPersistence\r\nThe threat actor used RDP to connect to the domain controller and other machines in the victim's network. The\r\naccount used for the connections was Administrator (Domain admin).\r\nThe threat actor connected via RDP to the backup machine (Veeam server) using the Domain admin account and\r\nthe local Administrator account.\r\nTo evade detection, the threat actor used valid local and domain accounts.\r\nThe threat actor then created, on the desktop of the backup machine, a file called 1.csv. This file contained the\r\npasswords to access several systems which were later compromised. 
We assume the TA obtained these credentials\r\nby reading the files in which the browser on that machine (Firefox, in this case) stored all of those saved logins.\r\nThe threat actor later logged in to the cloud account \u003cREDACTED\u003e@\u003cREDACTED\u003e (account1, for reference)\r\nfrom 154.18.187.108, using either stolen or guessed credentials, and then registered their own contact information for\r\nMFA, ensuring persistence. Next, the system asked for password reset information and the attacker\r\nentered their own recovery details, gaining even stronger persistent access.\r\nDay 8\r\nCredential access — OS Credential Dumping by accessing the Ntds.dit file on a volume shadow\r\ncopy\r\nOn day 8, the TA connected again via RDP to the Domain Controller and was able to dump OS credentials by\r\naccessing the Ntds.dit file on a volume shadow copy. We assume that the file was exported, since it was saved at\r\nc:\\windows\\temp1\\Active Directory\\ntds.dit\r\nDefense Evasion — Disabled the EDR's anti-ransomware features\r\nLater, the threat actor opened the web management console of the EDR from the backup machine's browser and\r\ndisabled several features there. Among these, disabling the anti-ransomware modules had the most significant\r\nimpact, along with altering the email notification settings. From the same web browser the threat actor also visited all the\r\ntarget systems listed in the 1.csv file created on day 7.\r\nCredential access attempt\r\nNext, the TA saved the SYSTEM registry hive on the Desktop of the Domain Controller, which we believe was an\r\nattempt to obtain credentials by dumping the registry hives. The SAM and SECURITY hives were not saved on the\r\nDesktop, and we did not detect any attempt to dump the hives on the machine, therefore we cannot determine whether\r\nthis technique succeeded. Note that the SYSTEM hive is also required to decrypt the password hashes in an exported ntds.dit, so saving it may equally have been the companion of the NTDS.dit dump above.\r\nLateral movement to the cloud \u0026 Privilege Escalation\r\nThe TA compromised another account \u003cREDACTED\u003e@\u003cREDACTED\u003e (the account responsible for the ADSync service) (account2,\r\nfor reference): when the TA attempted to log in (again from 154.18.187.108) the password had expired,\r\nand Office365 allowed the TA to change it and to set the information required for self-service password reset.\r\nLater, the TA added their own Authenticator to complete the MFA.\r\nThirty minutes later the TA compromised an account with Global Admin privileges on Office365,\r\n\u003cREDACTED\u003e@\u003cREDACTED\u003e (account3, for reference), via Password Hash Sync. The TA granted this\r\naccount access to a Veeam Azure App, which allowed the TA to delete the cloud backups.\r\nCredential access — Searching for interesting files in SharePoint\r\nFrom this compromised account the threat actor was able to access the victim's enterprise SharePoint and read sensitive\r\nfiles, in particular Excel files with passwords shared and available to everyone. The threat actor then went to the\r\nTrash and deleted several emails related to the new role grants for this account. Next, from the Global Admin\r\naccount on Office365, the TA reset the password of this account and of the other two compromised accounts.\r\nExecution \u0026 Impact — Encrypted VMDKs and destroyed backups\r\nThe threat actor encrypted the virtual machine files of the victim's enterprise and deleted all the backups. We\r\ncould not get any logs from the ESXi nodes or from the vSphere node. 
The backups were stored on several NASs\r\n(virtualized, destroyed by accessing the VMs) and in the cloud (destroyed by using the Azure App).\r\nFrom the analysis of the outbound network traffic we excluded data exfiltration by the threat actor: the amount of\r\ndata sent out on the days of the attack was very small and in line with the baseline of the days before the attack.\r\nInTheCyber did not observe any trace of command and control activity, since the threat actor was able to move\r\nlaterally over RDP through the VPN access.\r\nTTP\r\n(The TTP table is provided as an image in the original post.)\r\nIndicators\r\n154.18.187.108\r\n45.55.158.47\r\n37.19.196.65\r\nDetection\r\nWe built the following Sigma rules to detect the activities performed on the firewall, based on what we observed\r\nduring the incident response activity. The Sigma rules are available in the official Sigma repository.\r\n\r\ntitle: FortiGate - New Administrator Account Created\r\nid: cd0a4943-0edd-42cf-b50c-06f77a10d4c1\r\nstatus: experimental\r\ndescription: Detects the creation of an administrator account on a Fortinet FortiGate Firewall.\r\nreferences:\r\n  - https://www.fortiguard.com/psirt/FG-IR-24-535\r\n  - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event\r\n  - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/390485493/config-system-admin\r\n  - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-lo\r\nauthor: Marco Pedrinazzi @pedrinazziM (InTheCyber)\r\ndate: 2025-11-01\r\ntags:\r\n  - attack.persistence\r\n  - attack.t1136.001\r\nlogsource:\r\n  product: fortigate\r\n  service: event\r\ndetection:\r\n  selection:\r\n    action: 'Add'\r\n    cfgpath: 'system.admin'\r\n  condition: selection\r\nfalsepositives:\r\n  - An administrator account can be created for 
legitimate purposes. Investigate the account detail\r\nlevel: medium\r\n\r\ntitle: FortiGate - New Local User Created\r\nid: ddbbe845-1d74-43a8-8231-2156d180234d\r\nstatus: experimental\r\ndescription: |\r\n  Detects the creation of a new local user on a Fortinet FortiGate Firewall.\r\n  The new local user could be used for VPN connections.\r\nreferences:\r\n  - https://www.fortiguard.com/psirt/FG-IR-24-535\r\n  - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event\r\n  - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/109120963/config-user-local\r\n  - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-lo\r\nauthor: Marco Pedrinazzi @pedrinazziM (InTheCyber)\r\ndate: 2025-11-01\r\ntags:\r\n  - attack.persistence\r\n  - attack.t1136.001\r\nlogsource:\r\n  product: fortigate\r\n  service: event\r\ndetection:\r\n  selection:\r\n    action: 'Add'\r\n    cfgpath: 'user.local'\r\n  condition: selection\r\nfalsepositives:\r\n  - A local user can be created for legitimate purposes. Investigate the user details to determine\r\nlevel: medium\r\n\r\ntitle: FortiGate - VPN SSL Settings Modified\r\nid: 8b5dacf2-aeb7-459d-b133-678eb696d410\r\nstatus: experimental\r\ndescription: |\r\n  Detects the modification of VPN SSL Settings (for example, the modification of authentication rul\r\n  This behavior was observed together with the addition of a VPN SSL Web Portal.\r\nreferences:\r\n  - https://www.fortiguard.com/psirt/FG-IR-24-535\r\n  - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event\r\n  - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/114404382/config-vpn-ssl-setti\r\n  - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44546/44546-lo\r\nauthor: Marco Pedrinazzi @pedrinazziM (InTheCyber)\r\ndate: 2025-11-01\r\ntags:\r\n  - attack.persistence\r\n  - attack.initial-access\r\n  - attack.t1133\r\nlogsource:\r\n  product: fortigate\r\n  service: event\r\ndetection:\r\n  selection:\r\n    action: 'Edit'\r\n    cfgpath: 'vpn.ssl.settings'\r\n  condition: selection\r\nfalsepositives:\r\n  - VPN SSL settings can be changed for legitimate purposes.\r\nlevel: medium\r\n\r\ntitle: FortiGate - Firewall Address Object Added\r\nid: 5c8d7b41-3812-432f-a0bb-4cfb7c31827e\r\nstatus: experimental\r\ndescription: Detects the addition of firewall address objects on a Fortinet FortiGate Firewall.\r\nreferences:\r\n  - https://www.fortiguard.com/psirt/FG-IR-24-535\r\n  - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event\r\n  - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/306021697/config-firewall-add\r\n  - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-lo\r\nauthor: Marco Pedrinazzi @pedrinazziM (InTheCyber)\r\ndate: 2025-11-01\r\ntags:\r\n  - attack.defense-evasion\r\n  - attack.t1562\r\nlogsource:\r\n  product: fortigate\r\n  service: event\r\ndetection:\r\n  selection:\r\n    action: 'Add'\r\n    cfgpath: 'firewall.address'\r\n  condition: selection\r\nfalsepositives:\r\n  - An address could be added or deleted for legitimate purposes.\r\nlevel: medium\r\n\r\ntitle: FortiGate - New VPN SSL Web Portal Added\r\nid: 2bfb6216-0c31-4d20-8501-2629b29a3fa2\r\nstatus: experimental\r\ndescription: |\r\n  Detects the addition of a VPN SSL Web Portal on a Fortinet FortiGate Firewall.\r\n  This behavior was observed together with the modification of VPN SSL settings.\r\nreferences:\r\n  - https://www.fortiguard.com/psirt/FG-IR-24-535\r\n  - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event\r\n  - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/113121765/config-vpn-ssl-web-p\r\n  - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-lo\r\nauthor: Marco Pedrinazzi @pedrinazziM (InTheCyber)\r\ndate: 2025-11-01\r\ntags:\r\n  - attack.persistence\r\n  - attack.initial-access\r\n  - attack.t1133\r\nlogsource:\r\n  product: fortigate\r\n  service: event\r\ndetection:\r\n  selection:\r\n    action: 'Add'\r\n    cfgpath: 'vpn.ssl.web.portal'\r\n  condition: selection\r\nfalsepositives:\r\n  - A VPN SSL Web Portal can be added for legitimate purposes.\r\nlevel: medium\r\n\r\ntitle: FortiGate - New Firewall Policy Added\r\nid: f24ab7a8-f09a-4319-82c1-915586aa642b\r\nstatus: experimental\r\ndescription: Detects the addition of a new firewall policy on a Fortinet FortiGate Firewall.\r\nreferences:\r\n  - https://www.fortiguard.com/psirt/FG-IR-24-535\r\n  - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event\r\n  - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/333889629/config-firewall-poli\r\n  - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-lo\r\nauthor: Marco Pedrinazzi @pedrinazziM (InTheCyber)\r\ndate: 2025-11-01\r\ntags:\r\n  - attack.defense-evasion\r\n  - attack.t1562\r\nlogsource:\r\n  product: fortigate\r\n  service: event\r\ndetection:\r\n  selection:\r\n    action: 'Add'\r\n    cfgpath: 'firewall.policy'\r\n  condition: selection\r\nfalsepositives:\r\n  - A firewall policy can be added for legitimate purposes.\r\nlevel: medium\r\n\r\ntitle: FortiGate - User Group Modified\r\nid: 69ffc84e-8b1a-4024-8351-e018f66b8275\r\nstatus: experimental\r\ndescription: |\r\n  Detects the modification of a user group on a Fortinet FortiGate Firewall.\r\n  The group could be used to grant VPN access to a network.\r\nreferences:\r\n  - https://www.fortiguard.com/psirt/FG-IR-24-535\r\n  - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event\r\n  - https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/328136827/config-user-group\r\n  - https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-lo\r\nauthor: Marco Pedrinazzi @pedrinazziM (InTheCyber)\r\ndate: 2025-11-01\r\ntags:\r\n  - attack.persistence\r\n  - attack.privilege-escalation\r\nlogsource:\r\n  product: fortigate\r\n  service: event\r\ndetection:\r\n  selection:\r\n    action: 'Edit'\r\n    cfgpath: 'user.group'\r\n  condition: selection\r\nfalsepositives:\r\n  - A group can be modified for legitimate purposes.\r\nlevel: medium\r\nIn case you were wondering, these were us during the incident response activity ❤ (team photo in the original post)\r\n
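Each of the seven rules above fires on a single configuration event, which is why they are all rated medium: administrators add users, address objects and policies all the time. What made the day-3 activity distinctive was the sequence, all by the same administrator within minutes: a new local user, address objects covering the whole private address space, an SSL-VPN portal, an edit to vpn.ssl.settings and an accept-all policy from ssl.root. The Python script below is an added example, not part of the original post or of InTheCyber's tooling: it parses FortiGate event logs, applies each rule's action/cfgpath selection, flags system.admin additions whose ui field shows a public source address, and correlates the day-3 chain per administrator inside a 12-hour window. The log lines are constructed for the example (values are unquoted and msg is omitted, although the parser also handles the quoted form FortiOS actually emits), the administrator names and cfgobj values are invented, the source IPs are the IOCs from the post, and the 12-hour window and the four-of-five threshold are choices of this example rather than anything the post states.

```python
import ipaddress
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of FortiGate configuration-change event logs, not taken from the
# incident. Real FortiOS output wraps values in double quotes and adds a msg field; both
# are left out here (shlex.split() below also handles the quoted form). Admin names and
# cfgobj values are invented; the source IPs are the IOCs listed in the post.
SAMPLE_LOGS = '''
date=2025-03-01 time=03:12:40 logid=0100044547 type=event subtype=system level=information user=admin ui=https(45.55.158.47) action=Add cfgtid=9001 cfgpath=system.admin cfgobj=xk2p9q cfgattr=accprofile[super_admin]
date=2025-03-02 time=02:40:05 logid=0100044547 type=event subtype=system level=information user=xk2p9q ui=https(37.19.196.65) action=Add cfgtid=9002 cfgpath=user.local cfgobj=a1b2c3 cfgattr=type[password]
date=2025-03-02 time=02:41:17 logid=0100044546 type=event subtype=system level=information user=xk2p9q ui=https(37.19.196.65) action=Edit cfgtid=9003 cfgpath=user.group cfgobj=ADMIN cfgattr=member[a1b2c3]
date=2025-03-03 time=01:15:02 logid=0100044547 type=event subtype=system level=information user=xk2p9q ui=https(37.19.196.65) action=Add cfgtid=9004 cfgpath=user.local cfgobj=q7m3zt cfgattr=type[password]
date=2025-03-03 time=01:15:30 logid=0100044547 type=event subtype=system level=information user=xk2p9q ui=https(37.19.196.65) action=Add cfgtid=9005 cfgpath=firewall.address cfgobj=10_all_iZ cfgattr=subnet[10.0.0.0/255.0.0.0]
date=2025-03-03 time=01:15:31 logid=0100044547 type=event subtype=system level=information user=xk2p9q ui=https(37.19.196.65) action=Add cfgtid=9006 cfgpath=firewall.address cfgobj=172_all_iZ cfgattr=subnet[172.16.0.0/255.240.0.0]
date=2025-03-03 time=01:16:08 logid=0100044547 type=event subtype=system level=information user=xk2p9q ui=https(37.19.196.65) action=Add cfgtid=9007 cfgpath=vpn.ssl.web.portal cfgobj=p0rt4l cfgattr=tunnel-mode[enable]
date=2025-03-03 time=01:16:40 logid=0100044546 type=event subtype=system level=information user=xk2p9q ui=https(37.19.196.65) action=Edit cfgtid=9008 cfgpath=vpn.ssl.settings cfgobj=authentication-rule cfgattr=users[q7m3zt]
date=2025-03-03 time=01:17:22 logid=0100044547 type=event subtype=system level=information user=xk2p9q ui=https(37.19.196.65) action=Add cfgtid=9009 cfgpath=firewall.policy cfgobj=77 cfgattr=srcintf[ssl.root]dstintf[any]action[accept]
date=2025-03-10 time=09:30:00 logid=0100044547 type=event subtype=system level=information user=jdoe ui=https(192.168.1.20) action=Add cfgtid=9010 cfgpath=firewall.address cfgobj=printer_vlan cfgattr=subnet[10.20.30.0/255.255.255.0]
'''

# The seven Sigma selections from the post, as (title, action, cfgpath).
RULES = [
    ('FortiGate - New Administrator Account Created', 'Add', 'system.admin'),
    ('FortiGate - New Local User Created', 'Add', 'user.local'),
    ('FortiGate - VPN SSL Settings Modified', 'Edit', 'vpn.ssl.settings'),
    ('FortiGate - Firewall Address Object Added', 'Add', 'firewall.address'),
    ('FortiGate - New VPN SSL Web Portal Added', 'Add', 'vpn.ssl.web.portal'),
    ('FortiGate - New Firewall Policy Added', 'Add', 'firewall.policy'),
    ('FortiGate - User Group Modified', 'Edit', 'user.group'),
]

# The day-3 sequence: together these turn a fresh local user into an SSL-VPN account
# whose policy reaches every internal subnet.
VPN_BACKDOOR_CHAIN = {
    ('Add', 'user.local'),
    ('Add', 'firewall.address'),
    ('Add', 'vpn.ssl.web.portal'),
    ('Edit', 'vpn.ssl.settings'),
    ('Add', 'firewall.policy'),
}

def parse_fortigate_log(line):
    # Split on whitespace while honouring double-quoted values such as msg=Add system.admin x.
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition('=')
        if sep:
            fields[key] = value
    return fields

def event_time(event):
    return datetime.strptime(event['date'] + ' ' + event['time'], '%Y-%m-%d %H:%M:%S')

def source_ip(event):
    # ui looks like https(45.55.158.47) or ssh(10.0.0.5); console sessions carry no address.
    ui = event.get('ui', '')
    return ui[ui.index('(') + 1:].rstrip(')') if '(' in ui else None

def is_external(ip):
    # True for a routable address, i.e. a management login that did not come from inside.
    try:
        return not ipaddress.ip_address(ip).is_private
    except ValueError:
        return False

def match_rules(event):
    return [title for title, action, cfgpath in RULES
            if event.get('action') == action and event.get('cfgpath') == cfgpath]

def find_vpn_backdoor_chains(events, window=timedelta(hours=12)):
    # Per administrator, look for the chain (allowing one missing step) inside the window.
    by_admin = defaultdict(list)
    for ev in events:
        step = (ev.get('action'), ev.get('cfgpath'))
        if step in VPN_BACKDOOR_CHAIN:
            by_admin[ev.get('user')].append((event_time(ev), step, source_ip(ev)))
    chains = []
    for admin, steps in by_admin.items():
        steps.sort(key=lambda s: s[0])
        for i, (start, _, ip) in enumerate(steps):
            seen = {s for t, s, _ in steps[i:] if t - start <= window}
            if len(seen) >= len(VPN_BACKDOOR_CHAIN) - 1:
                chains.append({'admin': admin, 'start': start, 'source_ip': ip, 'steps': sorted(seen)})
                break
    return chains

def analyze(log_text):
    events = [parse_fortigate_log(ln) for ln in log_text.strip().splitlines() if ln.strip()]
    rule_hits = [(event_time(ev), ev.get('user'), title) for ev in events for title in match_rules(ev)]
    external_admin_adds = [ev.get('cfgobj') for ev in events if ev.get('action') == 'Add'
                           and ev.get('cfgpath') == 'system.admin' and is_external(source_ip(ev))]
    return {'rule_hits': rule_hits, 'external_admin_adds': external_admin_adds,
            'chains': find_vpn_backdoor_chains(events)}

if __name__ == '__main__':
    result = analyze(SAMPLE_LOGS)
    for when, who, title in result['rule_hits']:
        print(when, who, title)
    print('super-admins added from external IPs:', result['external_admin_adds'])
    for chain in result['chains']:
        print('SSL-VPN backdoor chain by', chain['admin'], 'from', chain['source_ip'], 'at', chain['start'])
```

Run as-is it prints ten single-rule hits (one of them the legitimate printer_vlan address added by jdoe from an internal host), the super-admin xk2p9q created from 45.55.158.47, and one correlated chain for xk2p9q starting at 01:15:02 on day 3; the benign jdoe event produces a rule hit but no chain. On real data, feed it the FortiGate event logs for the config-change log IDs the rules reference (44547 for Add, 44546 for Edit) and compare the ui address against the management trusted hosts configured on the device rather than the simple private-range check used here.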
Source: https://posts.inthecyber.com/exposed-fortinet-fortigate-firewall-interface-leads-to-lockbit-ransomware-cve-2024-55591-8f4b7a244041",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://posts.inthecyber.com/exposed-fortinet-fortigate-firewall-interface-leads-to-lockbit-ransomware-cve-2024-55591-8f4b7a244041"
	],
	"report_names": [
		"exposed-fortinet-fortigate-firewall-interface-leads-to-lockbit-ransomware-cve-2024-55591-8f4b7a244041"
	],
	"threat_actors": [],
	"ts_created_at": 1777429225,
	"ts_updated_at": 1777450915,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/21c3ca3c9daf24e3cc150328b323df0d5c4ba86f.pdf",
		"text": "https://archive.orkl.eu/21c3ca3c9daf24e3cc150328b323df0d5c4ba86f.txt",
		"img": "https://archive.orkl.eu/21c3ca3c9daf24e3cc150328b323df0d5c4ba86f.jpg"
	}
}