A server briefly linked to the notorious KeyPlug malware has inadvertently exposed a comprehensive arsenal of exploitation tools specifically designed to target Fortinet firewall and VPN appliances.<\/p>\n
The infrastructure, which security researchers have attributed to the RedGolf threat group (overlapping with APT41), was accessible for less than 24 hours before being secured, providing a rare glimpse into advanced persistent threat operations aimed at critical network infrastructure.<\/p>\n
The exposed server at IP 45.77.34[.]88 revealed multiple exploit scripts targeting vulnerabilities in Fortinet devices, including what appears to be tools leveraging CVE-2024-23108 and CVE-2024-23109.<\/p>\n
These exploits specifically abuse unauthenticated WebSocket endpoints in FortiOS to execute privileged CLI commands, potentially giving attackers complete control over targeted appliances.<\/p>\n
The brief exposure underscores the sophisticated capabilities of the threat actor and their focus on high-value network security devices.<\/p>\n
Hunt.io researchers noted<\/a> that the server shared a WolfSSL-issued TLS certificate with five additional servers, all hosted on Vultr, creating a traceable pattern of infrastructure.<\/p>\n Their AttackCapture Among the most concerning findings were Python-based<\/a> reconnaissance scripts designed to scan for and fingerprint Fortinet devices.<\/p>\n One such script, identified as \u201c1.py,\u201d systematically probes potential targets for Fortinet login portals and extracts version-specific JavaScript hash values that can be used to determine exploit compatibility. The script extracts hashes using the logic:-<\/p>\n A more aggressive exploit tool named \u201cws_test.py\u201d demonstrated functionality for bypassing Fortinet authentication<\/a> by spoofing local traffic. The script uses a hardcoded header to simulate local access:-<\/p>\n This bypass technique, when successful, allows execution of privileged commands such as \u201cshow full-configuration\u201d without any authentication, potentially compromising the entire device.<\/p>\n The leaked infrastructure also contained evidence of targeting focused on a major Japanese company, Shiseido. Reconnaissance output files revealed nearly one hundred domains associated with the company, including login portals, development environments, and identity providers.<\/p>\n This targeting suggests the threat actor may be engaged in corporate espionage or preparing for a significant supply chain compromise.<\/p>\n The analysis revealed a particularly sophisticated PHP-based webshell called \u201cbx.php\u201d that uses encryption to hide command execution.<\/p>\n The webshell reads encrypted payloads directly from HTTP POST bodies, decrypts them in memory, and executes commands dynamically, leaving minimal evidence on disk or in logs.<\/p>\n Security experts recommend immediate patching of all Fortinet devices, monitoring<\/a> for WebSocket handshake requests to suspicious endpoints, and reviewing historical logs for signs of exploitation attempts using these now-exposed techniques.<\/p>\n The post Leaked KeyPlug Malware Infrastructure Contains Exploit Scripts to Hack Fortinet Firewall and VPN<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\u2122\"](\"https:\/\/i0.wp.com\/s.w.org\/images\/core\/emoji\/15.1.0\/72x72\/2122.png?ssl=1\")
system indexed the server during its brief exposure, preserving critical evidence that might otherwise have been lost when the misconfiguration was corrected.<\/p>\nscript_tag = soup.select_one(\"script[src^='\/sslvpn\/js\/login.js']\")\nHash = script_tag['src'].split('=')[1]<\/code><\/pre>\nheaders = {'Forwarded': 'for=127.0.0.1; by=127.0.0.1;', 'User-Agent': 'Node.js'}<\/code><\/pre>\nMalware Trends Report Based on 15000 SOC Teams Incidents, Q1 2025 out!->\u00a0Get Your Free Copy<\/a><\/code><\/strong><\/p>\n<\/p>\n