Cybersecurity researchers warn of a campaign exploiting FortiGate firewalls to steal service account credentials and breach networks across healthcare, government, and MSP sectors.
Cybersecurity researchers are warning about a new campaign where threat actors are exploiting FortiGate Next-Generation Firewall (NGFW) appliances to breach victim networks and steal service account credentials. The activity involves exploiting recently disclosed security vulnerabilities or weak credentials to extract configuration files containing sensitive authentication information and network topology data.

Campaign Targets High-Value Sectors
The campaign has specifically targeted environments tied to healthcare, government, and managed service providers, according to SentinelOne's report. FortiGate network appliances have considerable access to the environments they're installed to protect, often including service accounts connected to authentication infrastructure like Active Directory (AD) and Lightweight Directory Access Protocol (LDAP).
"This setup can enable the appliance to map roles to specific users by fetching attributes about the connection that's being analyzed and correlating with the Directory information," the researchers explained. "This is useful in cases where role-based policies are set or for increasing response speed for network security alerts detected by the device."
However, this same access becomes a liability when attackers breach FortiGate devices through known vulnerabilities such as CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858, or through misconfigurations.
Initial Access and Foothold Establishment
In one incident from November 2025, attackers breached a FortiGate appliance to create a new local administrator account named "support." They then established four new firewall policies that allowed unrestricted traversal across all zones. The threat actor periodically checked to ensure the device remained accessible—behavior consistent with an initial access broker establishing a foothold for resale to other criminal actors.
Service Account Credential Extraction
The next phase occurred in February 2026 when attackers extracted the configuration file containing encrypted service account LDAP credentials. "Evidence demonstrates the attacker authenticated to the AD using clear text credentials from the fortidcagent service account," SentinelOne reported. "This suggests the attacker decrypted the configuration file and extracted the service account credentials."
With these credentials, the attacker authenticated to the victim's environment and enrolled rogue workstations in Active Directory, gaining deeper access. Network scanning followed, but the breach was detected before further lateral movement could occur.
Malware Deployment and Data Exfiltration
In another case investigated in late January 2026, attackers moved quickly from firewall access to deploying remote access tools like Pulseway and MeshAgent. The threat actor also downloaded malware from an Amazon Web Services cloud storage bucket via PowerShell.
The Java malware, launched through DLL side-loading, was used to exfiltrate the contents of the NTDS.dit file and SYSTEM registry hive to an external server at 172.67.196[.]232 over port 443. "While the actor may have attempted to crack passwords from the data, no such credential usage was identified between the time of credential harvesting and incident containment," the researchers noted.
Why FortiGate Devices Are High-Value Targets
NGFW appliances have become ubiquitous because they combine the security controls of a firewall with other management features, including Active Directory integration, and so provide strong network monitoring capabilities. However, these same devices have become high-value targets for actors with a wide range of motivations and skill levels.
"From state-aligned actors conducting espionage to financially motivated attacks such as ransomware, these devices represent attractive targets," the report emphasized. The combination of privileged access, service account credentials, and network visibility makes compromised FortiGate appliances particularly dangerous.
Protection Recommendations
Organizations using FortiGate devices should immediately apply security patches for the identified vulnerabilities and review their firewall configurations. Regular monitoring of administrative account creation and firewall policy changes can help detect unauthorized access attempts. Additionally, implementing network segmentation and monitoring for unusual service account activity can limit the impact of potential breaches.
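Added example (not from SentinelOne's report or this article): a small Python check over constructed FortiGate-style config-change log lines that flags the two behaviours described above, creation of a new local administrator account and addition of a firewall policy that accepts traffic between any interfaces and addresses. The `cfgpath`, `cfgobj` and `cfgattr` field names are an assumption about the appliance's event logging format.

```python
import re
import shlex
from typing import Dict, List

# Constructed FortiGate-style event log lines (key=value and key="quoted value" pairs)
# modelled on the activity described in the article. Field names such as
# cfgpath/cfgobj/cfgattr are an assumption about the appliance's logging, not
# values taken from the report.
SAMPLE_LOGS = [
    'date=2025-11-12 time=03:14:07 type="event" subtype="system" level="information" '
    'user="admin" ui="https(198.51.100.7)" action="Add" cfgpath="system.admin" '
    'cfgobj="support" cfgattr="accprofile[super_admin]" msg="Add system.admin support"',
    'date=2025-11-12 time=03:16:22 type="event" subtype="system" level="information" '
    'user="support" ui="https(198.51.100.7)" action="Add" cfgpath="firewall.policy" '
    'cfgobj="101" cfgattr="srcintf[any]dstintf[any]srcaddr[all]dstaddr[all]action[accept]" '
    'msg="Add firewall.policy 101"',
    'date=2025-11-12 time=09:00:01 type="event" subtype="system" level="information" '
    'user="admin" ui="https(10.0.5.20)" action="Edit" cfgpath="firewall.policy" '
    'cfgobj="7" cfgattr="comments[quarterly review]" msg="Edit firewall.policy 7"',
]

def parse_fortigate_line(line: str) -> Dict[str, str]:
    """Split a key=value / key="quoted value" syslog line into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def is_permissive_policy(cfgattr: str) -> bool:
    """True when every scoping field is wide open and the policy accepts traffic."""
    attrs = dict(re.findall(r"(\w+)\[([^\]]*)\]", cfgattr))
    return (
        attrs.get("action") == "accept"
        and attrs.get("srcintf") == "any" and attrs.get("dstintf") == "any"
        and attrs.get("srcaddr") == "all" and attrs.get("dstaddr") == "all"
    )

def detect_suspicious_changes(lines: List[str]) -> List[str]:
    """Return one alert per new local admin account or new any-to-any accept policy."""
    alerts = []
    for line in lines:
        ev = parse_fortigate_line(line)
        if ev.get("action") != "Add":
            continue  # only newly created objects matter for this check
        if ev.get("cfgpath") == "system.admin":
            alerts.append(f"new local admin '{ev['cfgobj']}' created by {ev['user']} from {ev['ui']}")
        elif ev.get("cfgpath") == "firewall.policy" and is_permissive_policy(ev.get("cfgattr", "")):
            alerts.append(f"any-to-any accept policy {ev['cfgobj']} added by {ev['user']} from {ev['ui']}")
    return alerts

if __name__ == "__main__":
    for alert in detect_suspicious_changes(SAMPLE_LOGS):
        print("ALERT:", alert)
```

The third sample line (an edit to an existing policy's comment) is deliberately benign so the check shows it ignores routine changes.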
The campaign underscores the importance of securing network infrastructure devices, which often have privileged access to critical systems and credentials. As attackers increasingly target these devices as entry points, organizations must treat them with the same security rigor as their endpoints and servers.