FortiGate Devices Used to Break into Networks and Steal Service Account Credentials

Cybersecurity researchers are drawing attention to a new campaign where threat actors are misusing FortiGate Next-Generation Firewall (NGFW) appliances as entry points to breach victims’ networks.
The operation involves exploiting disclosed security vulnerabilities or weak credentials to extract configuration files containing service account credentials and network topology information, SentinelOne said in a report published today. The company said the activity targeted organizations in the healthcare, government and managed service provider sectors.
“FortiGate network devices have greater access to the environment they were installed to protect,” said security researchers Alex Delamotte, Stephen Bromfield, Mary Braden Murphy and Amey Patne. “In most settings, this includes service accounts connected to authentication infrastructure, such as Active Directory (AD) and Lightweight Directory Access Protocol (LDAP).”
“This setting can enable an appliance to map roles to specific users by fetching attributes about connections that are analyzed and associated with Directory information, useful in situations where role-based policies are set or to increase the response speed of network security alerts received by the device.”
However, the cybersecurity company noted that this access can be abused by attackers who compromise FortiGate devices that are affected by known vulnerabilities (e.g., CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858) or that have not been properly patched.
In one incident, attackers are said to have breached a FortiGate device in November 2025, created a new domain administrator account named “support,” and used it to set up four security policies that allowed the account to traverse all domains without restriction.
The threat actor then periodically checked that the device remained accessible, behaviour consistent with an initial access broker (IAB) who establishes a foothold and then sells it to other criminal actors for profit. The next phase of the activity was observed in February 2026, when an attacker apparently extracted a configuration file containing account information for an encrypted LDAP service.
“Evidence shows an attacker authenticated to AD using clear text credentials from the fortidcagent service account, suggesting that the attacker decrypted the configuration file and extracted the service account’s credentials,” SentinelOne said.
The attacker then used the service account to authenticate to the victim’s environment and register rogue workstations in AD, giving them deep access. A network scan was then initiated, at which point the breach was detected and further lateral movement was stopped.
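As an added example, not part of the SentinelOne report or this article, the following Python checks a constructed set of Windows Security events for two of the behaviours described above: the firewall's directory service account authenticating from a host other than the appliance, and that account creating computer objects in AD. Event IDs 4624 (successful logon) and 4741 (computer account created) are standard; the JSON field layout, the appliance address and the workstation names are assumptions made for the sample.

```python
import json

# Constructed sample Windows Security events flattened to JSON, one per line.
# 10.0.0.1 is the (assumed) FortiGate appliance; the other hosts are not.
SAMPLE_EVENTS = """
{"EventID": 4624, "TargetUserName": "fortidcagent", "IpAddress": "10.0.0.1", "LogonType": 3}
{"EventID": 4624, "TargetUserName": "fortidcagent", "IpAddress": "10.20.30.40", "LogonType": 3}
{"EventID": 4741, "SubjectUserName": "fortidcagent", "TargetUserName": "WS-ROGUE01$"}
{"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.20.30.41", "LogonType": 2}
{"EventID": 4741, "SubjectUserName": "admin-joe", "TargetUserName": "WS-NEW01$"}
"""

# Service accounts the firewall uses against AD/LDAP (lower-case for matching).
FIREWALL_SERVICE_ACCOUNTS = {"fortidcagent"}
# Assumption: the only legitimate logon source for those accounts is the
# appliance itself; any other source is worth an alert.
APPLIANCE_SOURCES = {"10.0.0.1"}


def find_suspicious(lines, service_accounts=FIREWALL_SERVICE_ACCOUNTS,
                    allowed_sources=APPLIANCE_SOURCES):
    """Return (rule, account, detail) tuples for events that match."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        eid = ev.get("EventID")
        # Rule 1: the firewall's service account logging on from a host
        # that is not the appliance (credentials reused from a stolen config).
        if eid == 4624 and ev.get("TargetUserName", "").lower() in service_accounts:
            if ev.get("IpAddress") not in allowed_sources:
                findings.append(("service-account-logon-from-unexpected-host",
                                 ev["TargetUserName"], ev.get("IpAddress")))
        # Rule 2: the service account creating a computer object, which a
        # directory-lookup agent has no business doing.
        elif eid == 4741 and ev.get("SubjectUserName", "").lower() in service_accounts:
            findings.append(("computer-account-created-by-service-account",
                             ev["SubjectUserName"], ev.get("TargetUserName")))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS.splitlines()):
        print(finding)
```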
In another case, investigated in late January 2026, attackers moved quickly from initial access through the firewall to deploying remote access tools such as Pulseway and MeshAgent. The threat actor also used PowerShell to download malware from a cloud storage bucket hosted on Amazon Web Services (AWS) infrastructure.
Java-based malware, launched by sideloading a DLL, was used to exfiltrate the contents of the NTDS.dit file and the SYSTEM registry hive to an external server (“172.67.196[.]232”) over port 443.
“Although the actor may have attempted to bypass passwords on the data, no such use was identified during the period of data harvesting and incident suppression,” SentinelOne added.
“NGFW appliances have become ubiquitous because they provide robust network monitoring capabilities for organizations by integrating firewall security controls with other management features, such as AD,” the researchers added. “However, these devices are indicative of a large number of actors with different motivations and levels, from state-aligned actors engaged in espionage to financially motivated attacks such as ransomware.”