Automated Attacks Hijacking FortiGate Firewalls via SSO Exploitation

A wave of automated attacks is actively compromising FortiGate firewalls through malicious SSO logins, with threat actors creating persistence accounts and exfiltrating device configurations within seconds of initial access. Arctic Wolf began tracking the campaign on January 15, 2026, and warns the situation remains developing.

Attack Chain

The intrusions follow a consistent, rapid pattern suggesting automation. Attackers authenticate via SSO using accounts like cloud-init@mail.io and cloud-noc@mail.io, then immediately export the firewall configuration to attacker-controlled infrastructure. Within seconds, they create secondary admin accounts—using generic names like secadmin, itadmin, support, backup, remoteadmin, or audit—to maintain persistence even if the initial access vector is closed.

Configuration changes also grant VPN access to these rogue accounts, providing attackers with a reliable path back into victim networks.

The campaign bears similarities to activity Arctic Wolf documented in December 2025 following Fortinet's disclosure of two critical authentication bypass flaws: CVE-2025-59718 and CVE-2025-59719. Both vulnerabilities allow unauthenticated bypass of SSO login via crafted SAML messages when FortiCloud SSO is enabled.

Affected product lines include FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.

However, Arctic Wolf notes it remains unclear whether current activity is fully addressed by existing patches for those CVEs.

Indicators of Compromise

Malicious Accounts:

  • cloud-init@mail.io
  • cloud-noc@mail.io

Persistence Accounts Created:

  • secadmin, itadmin, support, backup, remoteadmin, audit

Source IPs:

  • 104.28.244[.]115
  • 104.28.212[.]114
  • 217.119.139[.]50
  • 37.1.209[.]19

Recommendations

Disable FortiCloud SSO (Workaround): Until Fortinet provides updated guidance, consider disabling FortiCloud SSO login:

config system global
set admin-forticloud-sso-login disable
end

Reset Credentials: If you observe similar malicious activity, assume hashed credentials in exfiltrated configs are compromised. Reset all firewall credentials immediately.

Restrict Management Access: Limit firewall management interfaces to trusted internal networks only.
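As an added defender-side example (not code from the Arctic Wolf report or this article), the following Python triages FortiOS-style event log lines against the indicator accounts, source IPs and persistence account names listed above, covering both the attack chain and the IoC section. The sample log lines are constructed, and the field names (logdesc, user, srcip, action, cfgpath, cfgobj) are assumed to follow FortiOS key=value log conventions.

```python
import re
# Indicators quoted in the advisory above (defanging brackets removed for matching).
IOC_ACCOUNTS = {"cloud-init@mail.io", "cloud-noc@mail.io"}
IOC_SOURCE_IPS = {"104.28.244.115", "104.28.212.114", "217.119.139.50", "37.1.209.19"}
PERSISTENCE_NAMES = {"secadmin", "itadmin", "support", "backup", "remoteadmin", "audit"}

# FortiOS event logs are space-separated key=value pairs; values may be double-quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log_line(line):
    """Split one key=value log line into a field -> value dict."""
    return {k: quoted if quoted else bare for k, quoted, bare in KV_RE.findall(line)}

def triage(f):
    """Return the names of every detection that fires for one parsed event."""
    hits = []
    user = f.get("user", "")
    if f.get("logdesc") == "Admin login successful":
        if user in IOC_ACCOUNTS:
            hits.append("login-ioc-account")
        if f.get("srcip") in IOC_SOURCE_IPS:
            hits.append("login-ioc-source-ip")
    # New administrator object: cfgpath=system.admin with action=Add (field names assumed).
    if f.get("cfgpath") == "system.admin" and f.get("action") == "Add":
        generic = f.get("cfgobj", "").lower() in PERSISTENCE_NAMES
        hits.append("persistence-admin-created" if generic else "admin-created")
    # Any configuration change made by one of the known malicious accounts.
    if "cfgpath" in f and user in IOC_ACCOUNTS:
        hits.append("config-change-by-ioc-account")
    return hits

def scan(lines):
    """Run triage over raw log lines; return (line_no, user, detections) for each hit."""
    results = []
    for n, line in enumerate(lines, 1):
        f = parse_log_line(line)
        hits = triage(f)
        if hits:
            results.append((n, f.get("user", ""), hits))
    return results
# Constructed sample events in the shape of FortiOS system-event logs (not real captures).
SAMPLE_LOGS = [
    'logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" '
    'user="cloud-noc@mail.io" ui="https(217.119.139.50)" srcip=217.119.139.50 action="login"',
    'logid="0100044547" type="event" subtype="system" logdesc="Object configured" '
    'user="cloud-noc@mail.io" action="Add" cfgpath="system.admin" cfgobj="secadmin"',
    'logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" '
    'user="jdoe" ui="https(10.20.30.40)" srcip=10.20.30.40 action="login"',
]
```

Running scan(SAMPLE_LOGS) flags lines 1 and 2 (the IoC login and the secadmin creation) and leaves the ordinary login on line 3 alone; any new admin object still surfaces as "admin-created" so it can be reviewed regardless of its name.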


Source: Arctic Wolf
