Analysis Summary

On August 3rd, security telemetry from Researcher recorded an unprecedented spike in brute-force attacks against Fortinet SSL VPN infrastructure, with over 780 unique IP addresses participating in a coordinated campaign, the largest single-day activity on their Fortinet SSL VPN Bruteforcer tag in recent months. The event raised concerns of possible zero-day vulnerabilities and advanced threat actor operations, particularly given that 80% of similar historical spikes have preceded CVE disclosures within six weeks. Notably, attackers displayed operational agility by shifting targets from FortiOS to FortiManager systems within just days, reflecting a well-organized and evolving campaign strategy.

The researcher identified two distinct attack waves with different technical signatures. The first wave (August 3rd) featured sustained brute-force attempts with a consistent TCP signature targeting FortiOS SSL VPN implementations, indicating deliberate reconnaissance and precision targeting. The second wave (starting August 5th) revealed a markedly different TCP signature, short-burst activity, and a pivot toward FortiManager – FGFM profiles. This shift may suggest either re-tasking of the same infrastructure toward new attack vectors or the deployment of upgraded toolsets capable of targeting multiple Fortinet services.

Malicious IP addresses linked to the campaign include 31.206.51.194, 23.120.100.230, 96.67.212.83, 104.129.137.162, and 118.97.151.34, with most activity in the last 90 days focused on Hong Kong and Brazil. Historical analysis found ties between post-August 5th TCP fingerprints and a June spike from IP 104.129.137.162, a FortiGate device operating on a residential ISP (Pilot Fiber Inc.). This finding suggests possible early-stage testing from home networks or the use of residential proxy services to evade detection. Despite recent AbuseDB flags, the device was not flagged by residential proxy detection tools, indicating advanced evasion capabilities.

Researcher’s JA4+ signature clustering linked these recent waves to older campaigns, potentially offering attribution clues. Given the historical trend of such spikes preceding vulnerability disclosures, organizations relying on Fortinet SSL VPNs should act immediately—implementing dynamic IP blocklists, closely monitoring for traffic matching identified TCP and client signatures, and preparing for emergency security patches in anticipation of potential zero-day announcements.

Impact

• Gain Access

Indicators of Compromise

Remediation

• Implement dynamic IP blocklists to immediately block the identified malicious IPs and any related suspicious sources.
• Monitor for traffic matching GreyNoise’s identified TCP and client signatures to detect ongoing brute-force attempts.
• Apply geofencing rules to restrict access from high-risk regions such as Hong Kong and Brazil if not operationally required.
• Enable account lockout policies and rate-limiting for Fortinet SSL VPN authentication attempts.
• Review and rotate all VPN user credentials, prioritizing privileged accounts.
• Harden FortiManager and FortiOS configurations, disabling unused services and enforcing strong authentication (e.g., MFA).
• Inspect historical VPN logs for signs of brute-force activity or anomalous login patterns from the listed IPs.
• Deploy intrusion prevention system (IPS) rules specific to Fortinet SSL VPN brute-force detection signatures.
• Segment management interfaces (FortiManager, FortiOS admin) to isolated networks inaccessible from the internet.
• Prepare for emergency patching in anticipation of possible zero-day disclosures, ensuring test and deployment workflows are ready.