Barracuda full logo

The SOC case files: RansomHub exploits FortiGate bug in attack blocked by XDR

Argomenti:
20 mar 2025
|
Eric Russo

Barracuda’s Managed XDR team recently contained a determined and complex attack by a ransomware gang. The attackers had been trying to find a way into a manufacturing company’s network since December 2024 and finally succeeded by exploiting an exposed firewall vulnerability.

Incident summary

  • The attackers first attempted to gain access through a brute-force attack in December 2024, but they were detected by Barracuda Managed XDR.
  • The attackers returned in January 2025, looking for areas of weakness through externally facing SMB connections.
  • The attackers finally gained access through a vulnerable FortiGate firewall.
  • This enabled them to bypass authentication, add and delete users from the firewall, and edit VPN settings and API integrations with XDR — before deleting all other users from the firewall and locking the victim out of their network.
  • The attackers tried to deploy the ransomware on servers using remote code execution.
  • The impacted devices were immediately quarantined by Barracuda Managed XDR, and the team alerted the customer.
  • SOC engineers worked with the target on recovery and investigation.

The SOC is part of Barracuda Managed XDR, an extended visibility, detection, and response (XDR) service that provides customers with round-the-clock human and AI-led threat detection, analysis, and mitigation services to protect against complex threats.

How the attack unfolded

Initial access

  • On December 10, 2024, Barracuda Managed XDR detected an adversary trying to brute force a customer’s firewall using the account “admin.” The attack was executed from an IP address registered in China and known to be used for malicious activity. The client was immediately alerted.
  • The attackers returned a month later. On January 3, they started exploring the target’s network leveraging external SMB connections. Server Message Block (SMB) enables file sharing, printer sharing, network browsing, and process-to-process communication over a computer network. Leveraging these connections enables an attacker to look for areas of weakness. After 10 days of this, the attackers appear to have given up on January 13.
  • A day later, on January 14, Fortinet reported that a 2024 critical zero-day vulnerability affecting FortiGate devices was being actively exploited in the wild. This vulnerability, tracked as CVE-2024-55591, allows attackers to bypass authentication to gain full administrative privileges on vulnerable devices. This may allow attackers to change firewall settings, create malicious admin accounts, gain access to internal networks, and more.  
  • The target had a vulnerable FortiGate firewall.
  • After their unsuccessful attempts to brute force the firewall and limited success with reconnaissance efforts, the vulnerable firewall finally offered the attackers a way in.

The main attack

  • Between January 30 and February 13, a user by the name of “Zero” added two new users, “Super Admin” and “Admin” to the target’s FortiGate firewall.
  • On Friday, February 14, Barracuda Managed XDR detected new SSL-VPN logins coming in from both Sweden and Chicago.
  • Not long after this, the attackers started editing the target’s firewall policies, VPN settings, local user profiles, and API integrations with XDR to gain full control of the victim’s environment.
  • On Sunday, February 16, the attackers deleted other user accounts and removed firewall rules designed to block traffic from certain locations. This erased any trace of the attackers’ activity and locked the victim out of their own network.
  • Barracuda Managed XDR also saw that the tool PSExec had been installed on the domain controller and backup servers, probably to enable remote code execution and lateral movement.
  • The attackers then tried to deploy RansomHub ransomware across six servers using multiple executables via remote execution. Barracuda Managed XDR immediately detected this activity, quarantined the servers, and contacted the customer.
  • RansomHub is a relatively new but prolific ransomware-as-a-service (RaaS) platform. By the end of 2024 it had become the leading ransomware group. Its success is due in part to its favourable payment structure, where affiliates get to keep 90% of the ransoms secured. RansomHub is a good example of the evolving ecosystem for ransomware, where sophisticated attack methods, the sharing and reuse of tools and resources, and cybercriminal partnerships combine to make the threat highly adaptive and difficult to combat.
RansomHub attack exploiting Fortigate bug

Restore and recover

  • Once the incident was neutralized, the SOC’s Incident Response engineers worked with the target to investigate the incident and help with recovery.
  • The SOC team undertook a full incident guidance to establish the point of entry and ensuing attack lifecycle.
  • The full investigation took around two weeks, and after it was completed, the SOC team provided an incident report to the target organization so that they could properly address remaining action items and lessons learned.

The main tools and techniques used in the attack

Tools and tactics used in a RansomHub attack

Indicators of Compromise detected in this attack:

The executables used by the attackers were:

  • 3e9a87df1c99c3907f4a00f4d5902380960b78dd
  • c4780dde6daaed7129c077ae3c569659296ca41f
  • e2e35e9fc1a7bcdf21124cbdaaa41572d27ed88a
  • 9664762c8b1f62c355a5a786a1a1616c73aaa764

IP addresses used by the threat actor:

  • 208[.]91[.]112[.]55
  • 80[.]94[.]95[.]248
  • 13[.]37[.]13[.]37

Lessons learned

This incident illustrates how attackers will try different approaches to try to gain access to a target — and an unmitigated high-severity vulnerability leaves an organization extremely exposed.

The best protection against such attacks is comprehensive, layered defenses with integrated and extended visibility. This should be accompanied by a robust focus on cybersecurity basics.  For example:

  • Always install security software updates or implement workarounds for key vulnerabilities — as soon as practically possible.
  • Always enforce MFA, especially on VPN accounts that are accessible externally.

Barracuda Managed XDR features like threat intelligence, Automated Threat Response, and the integration of wider solutions such as XDR Server Security, XDR Network Security, and XDR Cloud Security provide comprehensive protection and can drastically reduce dwell time.

For further information: Barracuda Managed XDR and SOC.

Stay ahead of attackers with 24/7 managed cybersecurity.
Eric Russo

Eric Russo is Director of SOC Defensive Security at Barracuda.

Post correlati:
Cl0p ransomware: The skeezy invader that bites while you sleep
Cl0p ransomware: The skeezy invader that bites while you sleep
 I file del caso SOC: la gang di ransomware armata di Python riemerge per affrontare un muro di difese XDR
I file del caso SOC: la gang di ransomware armata di Python riemerge per affrontare un muro di difese XDR
 Radar delle minacce SOC — Maggio 2025
Radar delle minacce SOC — Maggio 2025
 Barracuda Celebrates Six Wins in 2025 SC Awards and Global InfoSec Awards
Barracuda Celebrates Six Wins in 2025 SC Awards and Global InfoSec Awards
Search the blog

Subscribe to the Barracuda Blog.

Sign up to receive threat spotlights, industry commentary, and more.

Sign up to receive threat spotlights, industry commentary, and more.

Get all the latest news, research, and analysis delivered right to your inbox.