FortiGate firewalls hit by silent SSO intrusions and config theft
theregister.co.uk
FortiGate firewalls are getting quietly reconfigured and stripped down by miscreants who've figured out how to sidestep SSO protections and grab sensitive settings right out of the box.
That's according to a warning from security shop Arctic Wolf, which says it has spotted a wave of automated malicious activity starting January 15 that's targeting Fortinet's FortiGate appliances via compromised SSO accounts, flipping firewall settings, creating backdoor admin users, and exfiltrating configuration files.
Arctic Wolf says that the attackers aren't just poking around: intruders create new admin accounts, adjust VPN and firewall rules, and export the full configuration. Those configs often include sensitive credentials and internal network details, effectively handing attackers a map of what to hit next.
"All of the above events took place within seconds of each other, indicating the possibility of automated activity," Arctic Wolf said.
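The sequence described above (an SSO login followed within seconds by admin account creation and a configuration export) can be hunted for by correlating events per device and account. The following is an added example, not code from the article or from Arctic Wolf; the event schema, action names and sample data are constructed assumptions and are not FortiOS log fields.

```python
from collections import defaultdict

# Hypothetical normalized schema (not FortiOS field names): map your own
# parsed firewall logs onto these keys before calling find_bursts().
REQUIRED = {"admin_create", "config_export"}

# Constructed sample events; timestamps are epoch seconds.
SAMPLE = [
    {"ts": 1000, "device": "fw-a", "user": "sso-user1", "action": "sso_login"},
    {"ts": 1002, "device": "fw-a", "user": "sso-user1", "action": "config_export"},
    {"ts": 1003, "device": "fw-a", "user": "sso-user1", "action": "admin_create"},
    {"ts": 2000, "device": "fw-b", "user": "sso-user2", "action": "sso_login"},
    {"ts": 2900, "device": "fw-b", "user": "sso-user2", "action": "config_export"},
    {"ts": 5000, "device": "fw-b", "user": "sso-user2", "action": "admin_create"},
]

def find_bursts(events, window=10):
    """Return (device, user, login_ts, span_seconds) for each SSO login that is
    followed, within `window` seconds, by every action in REQUIRED."""
    sessions = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        sessions[(ev["device"], ev["user"])].append(ev)

    hits = []
    for (device, user), evs in sessions.items():
        for i, ev in enumerate(evs):
            if ev["action"] != "sso_login":
                continue
            seen = {}
            for later in evs[i + 1:]:
                if later["ts"] - ev["ts"] > window:
                    break  # outside the correlation window
                if later["action"] == "sso_login":
                    break  # a new login starts its own window
                if later["action"] in REQUIRED:
                    seen.setdefault(later["action"], later["ts"])
            if REQUIRED <= set(seen):
                hits.append((device, user, ev["ts"], max(seen.values()) - ev["ts"]))
    return hits

if __name__ == "__main__":
    for hit in find_bursts(SAMPLE):
        print("burst: device=%s user=%s login_ts=%d span=%ds" % hit)
```

The second constructed session performs the same actions spread over many minutes and is not flagged, which is the distinction the timing observation draws between scripted and interactive activity.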
What Arctic Wolf hasn't confirmed is ...
Copyright of this story solely belongs to theregister.co.uk.

