top of page
Search

FortiGate Edge Devices Targeted in Recent Intrusions

  • 5 days ago
  • 2 min read


Recent research published by SentinelOne highlighted a series of intrusions targeting organizations through compromised FortiOS devices.

Edge infrastructure has become an increasingly attractive target for attackers. Firewalls, VPN gateways, and other perimeter devices often sit directly exposed to the internet while maintaining deep visibility into internal networks.

Compromise of these systems can provide attackers with a strategic foothold that extends far beyond a single endpoint.



The Problem: When Perimeter Devices Become Persistence Points

Unlike traditional endpoints, firewall appliances operate at the control plane of the network.

If attackers gain administrative access to these systems, they may be able to:

  • Modify firewall rules and security policies

  • Create unauthorized administrative accounts

  • Monitor or redirect network traffic

  • Maintain persistence at the network boundary

Because these devices manage traffic flows across the environment, changes at this level can significantly impact both security posture and visibility.



Observed Attacker Activity

In the reported intrusions, attackers focused on manipulating device configurations after gaining access.

This included activities such as:

  • Downloading firewall configuration files

  • Altering security policies

  • Establishing administrative access for persistence

These actions highlight the importance of monitoring not just authentication events, but high-impact configuration changes on perimeter devices.



Detection and Visibility at the Edge

Detecting this type of activity is challenging because it often occurs at the network edge, where traditional endpoint visibility is limited. Monitoring configuration changes, administrative actions, and policy modifications becomes critical in identifying potential compromise.

In our case, this led to the development of a detection rule focused on identifying suspicious patterns associated with FortiGate configuration access and post-exploitation activity.

You can find the detection logic here.



Why This Matters

Compromised edge devices can enable attackers to:

  • Intercept or redirect network traffic

  • Weaken security controls

  • Maintain long-term access to the environment

Because these systems operate at the network boundary, their compromise can affect multiple segments of the infrastructure simultaneously.



Key Takeaway

Endpoints are no longer the only targets. Attackers increasingly focus on network control points — systems that provide visibility, control, and persistence across the entire environment.

By monitoring high-impact configuration events and understanding expected behavior, CyberSift helps organizations detect and respond to edge compromise before attackers can pivot or establish long-term access. -Written by Stanislav Stoychev, Security Analyst, CyberSift

Comments

bottom of page