Attackers Leverage LLMs in FortiGate Exploits

A recent investigation detailed a multi-stage attack chain where threat actors used stolen firewall configurations and credentials to exploit FortiGate devices across multiple continents. The attackers reportedly incorporated large language models (LLMs) into their kill chain. This highlights an emerging trend of complex attacks that blend credential theft with advanced AI-assisted techniques.

- The primary vulnerability in recent attacks is CVE-2024-21762, a critical out-of-bounds write vulnerability in the FortiOS SSL VPN with a CVSS score of 9.8 out of 10. It allows an unauthenticated, remote attacker to execute arbitrary code via specially crafted HTTP requests.
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-21762 to its Known Exploited Vulnerabilities (KEV) catalog on February 9, 2024, confirming it was being actively exploited in the wild.
- Threat actors leverage LLMs to significantly accelerate the attack lifecycle by automating reconnaissance to profile targets, generating highly convincing and tailored phishing messages, and creating or modifying malware to evade detection.
- In a related campaign, even after patches for the initial vulnerabilities were applied, attackers maintained persistence on compromised FortiGate devices by creating a malicious symbolic link in the user file system that pointed to the root file system.
- This style of attack on network infrastructure is part of a larger trend; for example, the "Rapid Reset" attack (CVE-2023-44487) exploited a flaw in the HTTP/2 protocol and resulted in DDoS attacks of unprecedented scale, with Google mitigating attacks of 398 million requests per second.
- The FortiOS versions affected by CVE-2024-21762 were extensive, spanning versions 6.0 through 7.4, requiring immediate patching or disabling of the SSL VPN functionality as a workaround.
- Investigations into similar widespread exploitation of Fortinet devices have uncovered malicious activity dating back to at least early 2023, indicating long-term campaigns by threat actors.
- The use of LLMs lowers the barrier to entry for less-skilled threat actors, allowing them to perform more sophisticated attacks, while enabling experienced attackers to increase the scale and speed of their operations.
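The symbolic-link persistence described above is detectable with a simple integrity check: walk the writable "user" area of a device and flag any symlink whose resolved target lands outside that area (such as the root file system). The following is an added example written for this briefing, not code from the investigation, Fortinet or Scout; it assumes nothing about the real FortiOS layout and uses a constructed throwaway directory with a hypothetical structure in place of a device's user file system.

```python
"""Flag symbolic links inside a bounded "user" directory tree whose target
resolves outside that tree (for example, to the root file system)."""
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(user_root: str) -> list[tuple[str, str]]:
    """Walk user_root without following links and return
    (link_path, resolved_target) for every symlink whose resolved
    target lies outside user_root. Requires Python 3.9+ for is_relative_to."""
    root = Path(user_root).resolve()
    findings: list[tuple[str, str]] = []
    # followlinks=False: directory symlinks are listed but never descended,
    # so a link to "/" cannot drag the scan across the whole file system.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            try:
                target = p.resolve(strict=False)
            except (OSError, RuntimeError):
                # Dangling link or symlink loop: fall back to the raw link text.
                target = Path(os.readlink(p))
            if not target.is_relative_to(root):
                findings.append((str(p), str(target)))
    return findings


def build_demo_tree() -> str:
    """Constructed sample: a temp directory standing in for a device's user
    file system (hypothetical layout, not the real FortiOS one). Contains one
    benign in-tree link and one link that escapes to the root file system."""
    base = tempfile.mkdtemp(prefix="userfs_")
    data = Path(base, "data")
    data.mkdir()
    (data / "notes.txt").write_text("benign file\n")
    os.symlink("notes.txt", data / "notes_alias")  # benign: stays inside the tree
    os.symlink("/", data / "rootfs_link")          # escapes: points at the root FS
    return base


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for link, target in find_escaping_symlinks(demo_root):
        print(f"ALERT: {link} -> {target} (outside {demo_root})")
```

Run it periodically against the writable area a device exposes and alert on any finding; a benign relative link inside the tree is ignored, while a link that resolves to `/` (or anywhere else outside the tree) is reported. Because the target is compared after `resolve()`, chained links and `..` segments cannot hide the escape.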

Shared from Scout - Be the smartest in the room.