NCSC warns organisations after global campaign against Fortinet firewalls and VPN gateways
The UK’s National Cyber Security Centre (NCSC) has issued new advice after Fortinet firewall and VPN products were caught up in a worldwide targeting campaign that may also have affected some organisa...
The UK’s National Cyber Security Centre (NCSC) has issued new advice after Fortinet firewall and VPN products were caught up in a worldwide targeting campaign that may also have affected some organisations in the UK.
According to the agency, attackers appear to have used brute-force attempts, dictionary attacks and credential stuffing against internet-facing FortiGate and VPN portals. In some cases, a database of credentials was reportedly leaked by a threat actor after those attempts. Credential stuffing involves trying username and password combinations stolen from other services, on the chance that people have reused the same login details elsewhere.
Who may be affected
The warning applies to organisations using Fortinet edge devices, especially those with SSL VPN enabled and exposed to the internet. The NCSC says these organisations should check whether they were exposed and look for signs that their devices were compromised.
- Use a FortiBleed asset checker, such as the tools provided by SOCRadar or Hudson Rock, to see whether any of your domains appear in early warning lists.
- Confirm the device exists, is under your control, and is reachable from the internet.
- Review logs and look for indicators of compromise, including unauthorised account creation or other unusual activity.
- If compromise is suspected, remove the device from both the internet and the internal network.
Recommended response
The NCSC says affected organisations should consider a full factory reset of the device rather than relying only on password changes, since attackers may have established persistence. Before resetting, teams should preserve logs, configurations and any other artefacts that could help with investigation.
Organisations are also being told to examine other edge devices that may share credentials, and to check systems that could have been reached from the affected device. Monitoring firewall logs for signs of lateral movement is advised to help confirm that the incident did not spread further.
After re-commissioning, the NCSC recommends hardening the environment by removing internet exposure from management interfaces, applying the latest updates, decommissioning unsupported systems, changing default or reused administrator passwords, and enforcing multi-factor authentication for VPN and management access. It also advises enabling PBKDF2 for administrator accounts and requiring all admins to sign in again.
The agency also reminded UK organisations that its Early Warning service can provide alerts about malicious activity affecting their networks.
