Analysis Summary

A server briefly exposed by the Researcher, linked to APT41, provided a rare insight into an advanced toolset aimed at exploiting Fortinet firewall and VPN devices. Though the server at IP 45.77.34[.]88 was only accessible for under 24 hours, security researchers were able to analyze its contents, which included exploit tools for Fortinet vulnerabilities CVE-2024-23108 and CVE-2024-23109. These vulnerabilities target unauthenticated WebSocket endpoints in FortiOS, enabling attackers to execute privileged CLI commands remotely and gain complete control over Fortinet appliances without authentication.

The infrastructure exposure revealed a sophisticated set of tools and scripts. A Python-based reconnaissance script, “1.py,” was used to scan for Fortinet devices by identifying login portals and extracting JavaScript hash values specific to device versions—used to determine exploit compatibility. Another script, “ws_test.py,” was more aggressive, employing a hardcoded header ('Forwarded': 'for=127.0.0.1; by=127.0.0.1;') to spoof local access and bypass authentication, allowing commands such as “show full-configuration” to be executed with elevated privileges.

Additionally, the server’s TLS certificate, issued by WolfSSL, was shared across five other Vultr-hosted servers, allowing Researcher to identify a pattern in infrastructure. AttackCapture™ system managed to index the server during its brief window of exposure, preserving evidence before the misconfiguration was corrected. Among the most alarming discoveries was a focus on targeting Shiseido, a major Japanese company, with recon output files listing nearly 100 domains tied to the organization, hinting at either a corporate espionage campaign or groundwork for a broader supply chain attack.

The threat actor's capabilities were further illustrated by the discovery of a stealthy PHP-based webshell, “bx.php,” designed to read encrypted payloads from HTTP POST bodies, decrypt them in memory, and execute system commands dynamically. This minimizes traces left behind on disk or logs, enhancing operational security. Security experts advise immediate patching of all Fortinet devices, monitoring for unusual WebSocket activity, and performing historical log analysis to detect any signs of past exploitation using these methods.

Impact

• Security Bypass
• Unauthorized Access
• Privilege Access

Indicators of Compromise

CVE

• CVE-2024-23108

• CVE-2024-23109

IP

• 154.31.217.200
• 185.82.219.201
• 45.77.34.88

MD5

• 90a7fa13f9fad5626d166ef3c0e14c0d
• 8cd2fc6625c3788e0dabc03d2eaee7eb
• b8053bcd04ce9d7d19c7f36830a9f26b

SHA-256

• 53a24e00ae671879ea3677a29ee1b10706aa5aa0dccd4697c3a94ee05df2ec45
• 7146774db3c77e27b7eb48745aef56b50e0e7d87280fea03fa6890646af50d50
• e82ecbe3823046a27d8c39cc0a4acb498f415549946c9ff0e241838b34ed5a21

SHA1

• 6b325f1cd5626d15c10b45793ffe88edf4ca07a9
• 7e9e6e96c4e01f914976878d6a6f7e723b7d1dca
• 3ba9a74f8faeff3de03e4c834f266582e2eb46a8

Affected Vendors

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Immediately patch all Fortinet devices to address CVE-2024-23108 and CVE-2024-23109 vulnerabilities.
• Monitor network traffic for suspicious or unauthorized WebSocket handshake requests, especially targeting FortiOS endpoints.
• Inspect historical logs for unusual activities, including attempts to access Fortinet CLI without proper authentication.
• Search for usage of spoofed headers like Forwarded: for=127.0.0.1; by=127.0.0.1; which may indicate bypass attempts.
• Conduct internal scans to detect the presence of exposed reconnaissance and exploit scripts (e.g., 1.py, ws_test.py).
• Hunt for signs of encrypted webshells such as bx.php that read and decrypt commands from POST requests.
• Isolate and investigate any Fortinet devices communicating with known RedGolf infrastructure (e.g., IP 45.77.34[.]88 or related Vultr servers).
• Implement strict network segmentation to limit access to critical security devices like firewalls and VPNs.
• Review asset inventories and access logs of high-value targets (e.g., login portals, development environments) for anomalies.
• Consider deploying Web Application Firewalls (WAFs) or behavior-based detection tools to catch abuse of legitimate endpoints.