RansomHub exploits FortiGate bug in attack blocked by XDR
Aura’s Managed XDR security partner, Barracuda, has recently contained a determined and complex attack by a ransomware gang. The attackers had been trying to find a way into a manufacturing company’s network since December 2024 and finally succeeded by exploiting an exposed firewall vulnerability.
Incident summary
The attackers first attempted to gain access through a brute-force attack in December 2024, but Barracuda Managed XDR detected them.
The attackers returned in January 2025, looking for areas of weakness through externally facing SMB connections.
The attackers finally gained access through a vulnerable FortiGate firewall.
This enabled them to bypass authentication, add and delete users from the firewall, and edit VPN settings and API integrations with XDR — before deleting all other users from the firewall and locking the victim out of their network.
The attackers tried to deploy the ransomware on servers using remote code execution.
The impacted devices were immediately quarantined by Barracuda Managed XDR, and the team alerted the customer.
SOC engineers worked with the target on recovery and investigation.
How the attack unfolded
Initial access
On December 10, 2024, Barracuda Managed XDR detected an adversary trying to brute force a customer’s firewall using the account “admin.” The attack was executed from an IP address registered in China and known to be used for malicious activity. The client was immediately alerted.
The attackers returned a month later. On January 3, they started exploring the target’s network leveraging external SMB connections. Server Message Block (SMB) enables file sharing, printer sharing, network browsing, and process-to-process communication over a computer network. Leveraging these connections enables an attacker to look for areas of weakness. After 10 days of this, the attackers appear to have given up on January 13.
A day later, on January 14, Fortinet reported that a 2024 critical zero-day vulnerability affecting FortiGate devices was being actively exploited in the wild. This vulnerability, tracked as CVE-2024-55591, allows attackers to bypass authentication to gain full administrative privileges on vulnerable devices. This may allow attackers to change firewall settings, create malicious admin accounts, gain access to internal networks, and more.
The target had a vulnerable FortiGate firewall.
After their unsuccessful attempts to brute force the firewall and limited success with reconnaissance efforts, the vulnerable firewall finally offered the attackers a way in.
The main attack
RansomHub is a relatively new but prolific ransomware-as-a-service (RaaS) platform. By the end of 2024 it had become the leading ransomware group. Its success is due in part to its favourable payment structure, where affiliates get to keep 90% of the ransoms secured. RansomHub is a good example of the evolving ransomware ecosystem, where sophisticated attack methods, the sharing and reuse of tools and resources, and cybercriminal partnerships combine to make the threat highly adaptive and difficult to combat.
Between January 30 and February 13, a user by the name of “Zero” added two new users, “Super Admin” and “Admin”, to the target’s FortiGate firewall.
On Friday, February 14, Barracuda Managed XDR detected new SSL-VPN logins coming in from both Sweden and Chicago.
Not long after this, the attackers started editing the target’s firewall policies, VPN settings, local user profiles, and API integrations with XDR to gain full control of the victim’s environment.
On Sunday, February 16, the attackers deleted other user accounts and removed firewall rules designed to block traffic from certain locations. This erased any trace of the attackers’ activity and locked the victim out of their own network.
Barracuda Managed XDR also saw that the tool PsExec had been installed on the domain controller and backup servers, probably to enable remote code execution and lateral movement.
The attackers then tried to deploy RansomHub ransomware across six servers using multiple executables via remote execution. Barracuda Managed XDR immediately detected this activity, quarantined the servers, and contacted the customer.
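One way a SOC could flag the firewall manipulation sequence described above (admin accounts added by an unrecognised admin, SSL-VPN logins from unexpected countries, geo-blocking policy removed, then a burst of admin-account deletions) is a small rule set run over the firewall's event logs. This is an added example, not Barracuda's or Aura's code: the FortiGate-style key=value field names (`cfgpath`, `cfgobj`, `action`, `srccountry`), the sample log lines and the `KNOWN_ADMINS` / `ALLOWED_COUNTRIES` allowlists are all constructed assumptions for illustration.

```python
import re
from collections import Counter

# Constructed FortiGate-style key=value event lines (not real logs from the incident).
SAMPLE_LOGS = """\
date=2025-01-30 type="event" subtype="system" user="Zero" action="Add" cfgpath="system.admin" cfgobj="Super Admin"
date=2025-02-13 type="event" subtype="system" user="Zero" action="Add" cfgpath="system.admin" cfgobj="Admin"
date=2025-02-14 type="event" subtype="vpn" action="tunnel-up" user="Admin" srccountry="Sweden" remip="203.0.113.10"
date=2025-02-14 type="event" subtype="vpn" action="tunnel-up" user="Admin" srccountry="United States" remip="198.51.100.7"
date=2025-02-15 type="event" subtype="vpn" action="tunnel-up" user="jsmith" srccountry="United Kingdom" remip="192.0.2.5"
date=2025-02-16 type="event" subtype="system" user="Admin" action="Delete" cfgpath="system.admin" cfgobj="jsmith"
date=2025-02-16 type="event" subtype="system" user="Admin" action="Delete" cfgpath="system.admin" cfgobj="ops"
date=2025-02-16 type="event" subtype="system" user="Admin" action="Delete" cfgpath="firewall.policy" cfgobj="geo-block"
"""
# Assumed allowlists a SOC would maintain per customer (hypothetical values).
KNOWN_ADMINS = {"jsmith", "ops"}
ALLOWED_COUNTRIES = {"United Kingdom"}
DELETE_BURST_THRESHOLD = 2  # this many admin-account deletions in one day is a red flag

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def parse_line(line):
    """Turn one key=value log line into a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}

def detect(log_text):
    """Return (date, rule, detail) findings for the behaviours seen in the incident."""
    findings, deletes_per_day = [], Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        path, action = ev.get("cfgpath"), ev.get("action")
        if path == "system.admin" and action == "Add" and ev.get("user") not in KNOWN_ADMINS:
            findings.append((ev["date"], "admin-added-by-unknown-admin", f'{ev["user"]} added {ev["cfgobj"]}'))
        elif path == "system.admin" and action == "Delete":
            deletes_per_day[ev["date"]] += 1  # aggregated below: one deletion is routine, a burst is not
        elif path == "firewall.policy" and action == "Delete":
            findings.append((ev["date"], "firewall-policy-deleted", f'{ev["user"]} deleted policy {ev["cfgobj"]}'))
        elif ev.get("subtype") == "vpn" and action == "tunnel-up" and ev.get("srccountry") not in ALLOWED_COUNTRIES:
            findings.append((ev["date"], "vpn-login-unexpected-country", f'{ev["user"]} from {ev["srccountry"]}'))
    for day, n in deletes_per_day.items():
        if n >= DELETE_BURST_THRESHOLD:
            findings.append((day, "admin-account-deletion-burst", f"{n} admin accounts deleted"))
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(*f, sep=" | ")
```

In a real deployment these rules would feed the XDR alerting pipeline rather than print, and the allowlists would come from the customer's change-management records.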
Restore and recover
Once the incident was neutralised, the SOC’s Incident Response engineers worked with the target to investigate the incident and help recover.
The SOC team undertook a full incident investigation to establish the point of entry and the ensuing attack lifecycle.
The full investigation took around two weeks, and after it was completed, the SOC team provided an incident report to the target organisation so that they could properly address remaining action items and lessons learned.
The main tools and techniques used in the attack
Indicators of Compromise detected in this attack:
The executables used by the attackers were:
IP addresses used by the threat actor:
208[.]91[.]112[.]55
80[.]94[.]95[.]248
13[.]37[.]13[.]37
Key learnings
This incident illustrates how attackers will take different approaches to gaining access to a target, and how an unmitigated high-severity vulnerability leaves an organisation extremely exposed.
The best protection against such attacks is comprehensive, layered defences with integrated and extended visibility. This should be accompanied by a robust focus on cybersecurity basics. For example:
Always install security software updates or implement workarounds for key vulnerabilities, as soon as practically possible.
Always enforce MFA, especially on VPN accounts that are accessible externally.
Barracuda Managed XDR features like threat intelligence, Automated Threat Response, and the integration of wider solutions such as XDR Server Security, XDR Network Security and XDR Cloud Security provide comprehensive protection and can drastically reduce dwell time.
How Aura can help
By partnering with Barracuda, Aura Technology offers a Managed IT service that includes Extended Detection and Response (XDR) as standard protection against breaches. If your organisation lacks XDR protection, please reach out to us. We can evaluate your risk and assist you in strengthening your defences throughout your business.