
FortiGate Gadgets Exploited to Breach Networks and Steal Service Account Credentials

Cybersecurity researchers are calling attention to a new campaign where threat actors are abusing FortiGate Next-Generation Firewall (NGFW) appliances as entry points to breach victim networks.

The activity involves the exploitation of recently disclosed security vulnerabilities or weak credentials to extract configuration files containing service account credentials and network topology information, SentinelOne said in a report published today. The security outfit said the campaign has singled out environments tied to healthcare, government, and managed service providers.

“FortiGate network appliances have considerable access to the environments they were installed to protect,” security researchers Alex Delamotte, Stephen Bromfield, Mary Braden Murphy, and Amey Patne said. “In many configurations, this includes service accounts that are associated with the authentication infrastructure, such as Active Directory (AD) and Lightweight Directory Access Protocol (LDAP).”

“This setup can enable the appliance to map roles to specific users by fetching attributes about the connection that is being analyzed and correlating with the Directory information, which is useful in cases where role-based policies are set or for increasing response speed for network security alerts detected by the device.”


However, the cybersecurity company noted that such access could be exploited by attackers who break into FortiGate devices via known vulnerabilities (e.g., CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858) or misconfigurations.

In one incident, the attackers are said to have breached a FortiGate appliance in November 2025 to create a new local administrator account named “assist” and used it to set up four new firewall policies that allowed the account to traverse all zones without any restrictions.

The threat actor then kept periodically checking to make sure the device was accessible, an action consistent with an initial access broker (IAB) establishing a foothold and selling it to other criminal actors for monetary gain. The next phase of the activity was detected in February 2026 when an attacker likely extracted the configuration file containing encrypted service account LDAP credentials.

“Evidence demonstrates the attacker authenticated to the AD using clear text credentials from the fortidcagent service account, suggesting the attacker decrypted the configuration file and extracted the service account credentials,” SentinelOne said.
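The two changes described in that incident, a new local administrator account and accept-everything policies spanning all zones, are both visible in a FortiOS configuration export. The following script is an added example (not SentinelOne's tooling or Fortinet's code) that parses the `config system admin` and `config firewall policy` sections of a FortiOS-style config and flags full-privilege admins not on an approved list and any-to-any accept policies. The config excerpt, the interface names, and the approved-admin set are constructed for the example; only the account name matches the one in the article.

```python
"""Review a FortiOS-style configuration export for the pattern described
in the article: an unexpected full-privilege admin account and firewall
policies that accept any-to-any traffic. Constructed example; the config
text below is made up and is not from any real device."""

# Constructed FortiOS-style config excerpt (not real device output).
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "assist"
        set accprofile "super_admin"
        set vdom "root"
    next
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
    edit 2
        set name "tmp-any"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
"""


def parse_sections(text):
    """Return {section: {entry_id: {key: value}}} for top-level
    'config ... end' blocks made of 'edit ... next' entries.
    Quoted values have their surrounding quotes removed."""
    sections = {}
    section = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
            sections[section] = {}
        elif line.startswith("edit ") and section is not None:
            entry = line[len("edit "):].strip('"')
            sections[section][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            sections[section][entry][key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            section = None
    return sections


def unexpected_admins(sections, approved):
    """Full-privilege (super_admin) accounts not on the approved list."""
    admins = sections.get("system admin", {})
    return sorted(name for name, attrs in admins.items()
                  if attrs.get("accprofile") == "super_admin"
                  and name not in approved)


def permissive_policies(sections):
    """Accept policies with any-to-any interfaces, all addresses, all services."""
    flagged = []
    for pid, p in sections.get("firewall policy", {}).items():
        if (p.get("action") == "accept"
                and p.get("srcintf") == "any" and p.get("dstintf") == "any"
                and p.get("srcaddr") == "all" and p.get("dstaddr") == "all"
                and p.get("service") == "ALL"):
            flagged.append(pid)
    return flagged


if __name__ == "__main__":
    cfg = parse_sections(SAMPLE_CONFIG)
    # "admin" is the constructed approved baseline; anything else is flagged.
    print("unexpected admins:", unexpected_admins(cfg, {"admin"}))
    print("permissive policies:", permissive_policies(cfg))
```

Running this against a periodic config backup and diffing the two lists against the previous run turns the account creation and policy additions into a change alert rather than something found only after the fact.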


The attacker then leveraged the service account to authenticate to the victim’s environment and enroll rogue workstations in the AD, allowing them deeper access. Following this step, network scanning was initiated, at which point the breach was detected, and further lateral movement was halted.

In another case investigated in late January 2026, attackers swiftly moved from firewall access to deploying remote access tools like Pulseway and MeshAgent. In addition, the threat actor downloaded malware from a cloud storage bucket via PowerShell from Amazon Web Services (AWS) infrastructure.

The Java malware, launched via DLL side-loading, was used to exfiltrate the contents of the NTDS.dit file and SYSTEM registry hive to an external server (“172.67.196[.]232”) over port 443.

“While the actor may have attempted to crack passwords from the data, no such credential usage was identified between the time of credential harvesting and incident containment,” SentinelOne added.
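The misuse of the appliance's directory service account described above leaves two traces in domain controller Security logs: a logon for that account from a source other than the firewall, and a computer account being created by it (which the appliance never needs to do). The following is an added example (not SentinelOne's detection content) that runs that logic over constructed Windows Security event records; the account name fortidcagent comes from the article, while the IP addresses, hostnames and the expected-source mapping are made up.

```python
"""Detect a firewall's AD service account being used outside its normal
role: logons from unexpected sources and computer-object creation.
Constructed example; the event records and addresses below are made up."""

# Standard Windows Security log event IDs (real identifiers):
#   4624 = an account was successfully logged on
#   4741 = a computer account was created
LOGON, COMPUTER_CREATED = 4624, 4741

# The appliance's directory account (name from the article).
SERVICE_ACCOUNTS = {"fortidcagent"}

# Constructed: the only source the appliance should log on from.
EXPECTED_SOURCES = {"fortidcagent": {"10.0.0.1"}}

# Constructed sample events, one dict per record (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "fortidcagent",
     "IpAddress": "10.0.0.1", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "fortidcagent",
     "IpAddress": "10.0.5.77", "LogonType": 3},
    {"EventID": 4741, "SubjectUserName": "fortidcagent",
     "TargetUserName": "WKSTN-NEW01$"},
    {"EventID": 4741, "SubjectUserName": "helpdesk.admin",
     "TargetUserName": "LAPTOP-042$"},
    {"EventID": 4624, "TargetUserName": "jdoe",
     "IpAddress": "10.0.5.80", "LogonType": 2},
]


def actor(event):
    """Return the account that performed the action. In 4624 the account
    that logged on is TargetUserName; in 4741 the creator is SubjectUserName
    (TargetUserName there is the new computer object)."""
    if event.get("EventID") == LOGON:
        return event.get("TargetUserName", "")
    return event.get("SubjectUserName", "")


def detect_service_account_misuse(events, service_accounts, expected_sources):
    """Return (rule, account, detail) tuples for suspicious service-account use."""
    alerts = []
    for e in events:
        user = actor(e)
        if user not in service_accounts:
            continue
        if e.get("EventID") == LOGON:
            src = e.get("IpAddress")
            if src not in expected_sources.get(user, set()):
                alerts.append(("logon_from_unexpected_source", user, src))
        elif e.get("EventID") == COMPUTER_CREATED:
            # A firewall's lookup account has no reason to join machines.
            alerts.append(("computer_account_created_by_service_account",
                           user, e.get("TargetUserName")))
    return alerts


if __name__ == "__main__":
    for alert in detect_service_account_misuse(
            SAMPLE_EVENTS, SERVICE_ACCOUNTS, EXPECTED_SOURCES):
        print(alert)
```

The same rule set fits as a saved search in any SIEM that ingests domain controller Security logs; the key design choice is to key detection on the account's expected behaviour (read-only lookups from one address) rather than on any particular attacker tooling.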


“NGFW appliances have become ubiquitous because they provide robust network monitoring capabilities for organizations by integrating the security controls of a firewall with other management features, such as AD,” it added. “However, these devices are high-value targets for actors with a variety of motivations and skill levels, from state-aligned actors conducting espionage to financially motivated attacks such as ransomware.”
