Fortinet Flaws Exploited in Active Qilin Ransomware Attacks

Summary
– Qilin ransomware is exploiting Fortinet vulnerabilities (CVE-2024-21762 and CVE-2024-55591) to bypass authentication and execute remote code.
– Qilin, active since August 2022, has targeted over 310 victims, including high-profile organizations like Yangfeng and Synnovis, disrupting NHS services.
– Threat actors are currently focusing on Spanish-speaking countries but are expected to expand their campaign globally.
– CVE-2024-55591 was previously exploited as a zero-day, while CVE-2024-21762 was patched in February but remains unpatched on many devices.
– Fortinet vulnerabilities are frequently exploited in cyber espionage and ransomware attacks, as seen with Chinese group Volt Typhoon using them to deploy malware.
A surge in Qilin ransomware attacks is exploiting critical Fortinet vulnerabilities, putting thousands of organizations at risk of data breaches and system compromises. Security researchers have observed the malicious campaign actively targeting unpatched devices, with threat actors leveraging authentication bypass flaws to infiltrate networks.
The Qilin ransomware group, also known as Phantom Mantis, has rapidly expanded its operations since emerging in 2022. Operating as a Ransomware-as-a-Service (RaaS) platform, the group has already claimed responsibility for attacks on over 310 victims, including high-profile targets like automotive supplier Yangfeng, media conglomerate Lee Enterprises, and Australia’s Court Services Victoria. One of its most disruptive incidents involved UK healthcare provider Synnovis, leading to widespread appointment cancellations across multiple NHS hospitals in London.
Recent intelligence from PRODAFT reveals that the attackers are exploiting multiple FortiGate vulnerabilities, including CVE-2024-21762 and CVE-2024-55591, to gain initial access. While the campaign currently shows a preference for Spanish-speaking regions, experts warn that the threat is likely to escalate globally. The attackers employ opportunistic targeting rather than focusing on specific industries, making organizations of all sectors potential victims.
One of the exploited flaws, CVE-2024-55591, was previously used as a zero-day by other cybercriminal groups, including the Mora_001 ransomware operators linked to the notorious LockBit gang. Meanwhile, CVE-2024-21762, patched by Fortinet in February, remains a significant risk: despite warnings from CISA, thousands of devices remain exposed. The Shadowserver Foundation recently identified nearly 150,000 systems still vulnerable to attack.
Fortinet’s security flaws have long been a prime target for cybercriminals and state-sponsored hackers alike. Earlier this year, the Chinese-linked Volt Typhoon group weaponized FortiOS SSL VPN vulnerabilities to deploy the Coathanger RAT, previously used in attacks against Dutch defense networks. These incidents highlight the urgent need for organizations to apply security patches promptly and monitor for suspicious activity.
With Qilin ransomware operators refining their tactics, businesses must prioritize vulnerability management and threat detection to mitigate the growing risk of large-scale cyberattacks. Failure to act could result in devastating financial and operational consequences.
(Source: BLEEPING COMPUTER)