In March 2025, GoSecure Threat Hunters investigated a growing threat targeting external remote services—such as VPN access points, Remote Desktop Protocol (RDP), and firewall management interfaces—that are frequently exposed to the public internet. Recent activity has revealed threat actors exploiting Fortinet authentication-bypass vulnerabilities (CVE-2024-55591 and CVE-2025-24472) to gain unauthorized access and then create persistent admin accounts through automation scripts. These tactics mirror methods used by ransomware groups such as Play and LAPSUS$, which rely on stolen credentials and unprotected remote services to infiltrate corporate networks.
Why This Matters
External remote services are often necessary for enterprise operations, but if improperly secured, they become high-value targets for threat actors. Once inside the network, attackers can establish persistence, move laterally, and expand their foothold, often undetected. The exploitation of Fortinet devices demonstrates a dangerous trend: threat actors leveraging known vulnerabilities in widely used infrastructure to bypass perimeter defenses and maintain long-term access.
Detection and Monitoring
GoSecure hypothesized that adversaries were exploiting exposed remote services for initial access. A high-severity detection rule was built to flag admin accounts created or modified through automation on Fortinet devices:
Detection Rule: Persistent System Account Registered via Automation Script
Description: Detects when a system admin account is added or modified by an automation script on a FortiGate firewall; tied to activity observed from the Morae_001 threat group.
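The following is an added example of what such detection logic looks like when run over FortiGate event logs. It is not GoSecure's rule and not Fortinet's code: it parses FortiGate's key=value syslog format, flags every system.admin Add/Edit that came through a non-interactive channel, and notes whether the same actor logged in through such a channel shortly before. The sample log lines, their log IDs, and the list of UI values treated as "scripted" (jsconsole, automation) are constructed for this example and are assumptions to tune against your own devices.

```python
"""Added example: flag FortiGate admin-account changes made through a scripted
(non-interactive) channel such as the JS console or an automation action.
Field names follow FortiGate's key=value event-log format; the sample lines,
log IDs and the scripted-UI list below are constructed for this example."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# FortiGate syslog fields are key=value, with values optionally double-quoted.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# UI values treated as scripted / non-interactive origins (assumption for this
# example; an interactive admin shows up as GUI(<ip>), ssh(<ip>) or console).
SCRIPTED_UI_PREFIXES = ("jsconsole", "automation")
LOGIN_WINDOW = timedelta(minutes=5)


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate event-log line into a dict of field -> value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def event_time(fields: Dict[str, str]) -> datetime:
    return datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")


def is_scripted_ui(ui: str) -> bool:
    return ui.lower().startswith(SCRIPTED_UI_PREFIXES)


@dataclass
class Finding:
    when: datetime
    actor: str            # admin account that made the change
    ui: str               # channel the change came through
    action: str           # Add or Edit
    account: str          # system.admin object that was created or changed
    super_admin: bool     # cfgattr grants the super_admin profile
    scripted_login: bool  # actor logged in via a scripted channel just before


def detect_scripted_admin_changes(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per system.admin Add/Edit performed from a scripted UI.

    A successful login by the same actor from a scripted channel within
    LOGIN_WINDOW before the change is recorded on the finding, because an
    auth-bypass against the device shows up first as a login from an
    unexpected channel and only then as the persistence account.
    """
    last_scripted_login: Dict[str, datetime] = {}
    findings: List[Finding] = []
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("type") != "event" or f.get("subtype") != "system":
            continue
        ts = event_time(f)
        actor, ui = f.get("user", ""), f.get("ui", "")
        # Remember scripted logins so a later account change can be correlated.
        if f.get("action") == "login" and f.get("status") == "success" and is_scripted_ui(ui):
            last_scripted_login[actor] = ts
            continue
        if f.get("cfgpath") != "system.admin" or f.get("action") not in ("Add", "Edit"):
            continue
        if not is_scripted_ui(ui):
            continue  # interactive change by a real admin: not this rule's target
        prior = last_scripted_login.get(actor)
        findings.append(Finding(
            when=ts, actor=actor, ui=ui, action=f["action"],
            account=f.get("cfgobj", "?"),
            super_admin="accprofile[super_admin]" in f.get("cfgattr", ""),
            scripted_login=prior is not None and timedelta(0) <= ts - prior <= LOGIN_WINDOW,
        ))
    return findings


# Constructed sample log lines (not real device output).
SAMPLE_LOGS = [
    'date=2025-03-04 time=10:15:02 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="GUI(10.20.0.5)" method="https" srcip=10.20.0.5 action="login" status="success" msg="Administrator admin logged in successfully from https(10.20.0.5)"',
    'date=2025-03-04 time=10:16:44 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="GUI(10.20.0.5)" action="Edit" cfgtid=1411 cfgpath="system.admin" cfgobj="helpdesk" cfgattr="trusthost1[10.20.0.0 255.255.0.0]" msg="Edit system.admin helpdesk"',
    'date=2025-03-04 time=03:02:11 logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" srcip=127.0.0.1 action="login" status="success" msg="Administrator admin logged in successfully from jsconsole"',
    'date=2025-03-04 time=03:02:13 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1412 cfgpath="system.admin" cfgobj="sysadm_bak" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin sysadm_bak"',
    'date=2025-03-05 time=02:40:09 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="automation" ui="automation" action="Add" cfgtid=1413 cfgpath="system.admin" cfgobj="svc_sync" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin svc_sync"',
    'date=2025-03-05 time=02:41:30 logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1414 cfgpath="firewall.policy" cfgobj="99" cfgattr="srcintf[any]" msg="Add firewall.policy 99"',
]

if __name__ == "__main__":
    for hit in detect_scripted_admin_changes(SAMPLE_LOGS):
        print(f"[HIGH] {hit.when} {hit.action} system.admin {hit.account!r} by {hit.actor!r} "
              f"via {hit.ui} super_admin={hit.super_admin} scripted_login={hit.scripted_login}")
```

Running the block over the sample lines flags the two admin accounts created from scripted channels and leaves the GUI edit and the jsconsole firewall-policy change alone. In a SIEM the same logic maps to a filter on cfgpath, action and ui plus a short lookback join on the login event; the scripted-UI list is the part to tune, since legitimate automation stitches on your own devices will also match it and should be allow-listed by actor and object name.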
Recommendations
To reduce exposure and mitigate the threat of unauthorized access via external remote services, GoSecure recommends the following actions:
- Limit Remote Access: Use firewalls, VPN concentrators, and RDP gateways to restrict unnecessary external access.
- Replace Exposed RDP: Transition away from native RDP or RDP gateways in favor of secured VPNs or remote-access solutions with controls such as MFA and conditional access.
- Network Segmentation: Use DMZs, VPCs, and internal segmentation to isolate critical resources and limit lateral movement.
- Remove Unnecessary Services: Disable or uninstall remote services that are no longer in use.
- Enable MFA: Enforce multi-factor authentication on all externally facing services, including firewalls and VPNs.
- User Awareness: Train staff not to store work credentials in personal vaults or unsecured browsers.
Conclusion
This month’s Threat Hunt underscores the risks posed by exposed remote access points and the importance of proactive detection and response. GoSecure Titan® MXDR continuously monitors for signs of unauthorized access and persistent threats, enabling swift response and enhanced resilience against ransomware operations and advanced adversaries. Our Dark Web Monitoring helps identify compromised credentials before they can be exploited, while GoSecure Titan® Managed Perimeter Defense (MPD) ensures your externally facing assets are continuously protected and hardened against attack.
For additional details or to speak with a GoSecure security expert, contact us at (888)-287-5858 or info@gosecure.ai.
Stay secure!
Your GoSecure Threat Hunting Team