Hackers Exploit FortiGate Firewalls in Widespread Attacks to Steal Network Credentials

    Date: 03/18/2026

    Severity: High

    Summary

    Threat actors are exploiting multiple FortiGate vulnerabilities, including CVE-2025-59718, CVE-2025-59719, and the recently patched CVE-2026-24858, to bypass authentication and gain administrative access to firewall devices. After gaining access, they download configuration files containing sensitive data, including service account credentials that can be easily decrypted. Attackers also combine vulnerability exploitation with scanning and brute-force attempts using weak or default credentials. In one campaign, they created malicious accounts, joined rogue machines to the domain, and performed reconnaissance and password attacks. In another, they escalated privileges, deployed Remote Monitoring and Management (RMM) tools disguised as updates, and exfiltrated Active Directory data while evading detection.

    Indicators of Compromise (IOC) List

    Domains / URLs:

    ndibstersoft.com

    neremedysoft.com

    fastdlvrss.s3.us-east-1.amazonaws.com

    https://fastdlvrss.s3.us-east-1.amazonaws.com/paswr.zip

    https://storage.googleapis.com/apply-main/windows_agent_x64.msi

    IP Addresses:

    185.156.73.62

    185.242.246.127

    193.24.211.61

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "fastdlvrss.s3.us-east-1.amazonaws.com" or url like "fastdlvrss.s3.us-east-1.amazonaws.com" or siteurl like "fastdlvrss.s3.us-east-1.amazonaws.com" or domainname like "https://storage.googleapis.com/apply-main/windows_agent_x64.msi" or url like "https://storage.googleapis.com/apply-main/windows_agent_x64.msi" or siteurl like "https://storage.googleapis.com/apply-main/windows_agent_x64.msi" or domainname like "https://fastdlvrss.s3.us-east-1.amazonaws.com/paswr.zip" or url like "https://fastdlvrss.s3.us-east-1.amazonaws.com/paswr.zip" or siteurl like "https://fastdlvrss.s3.us-east-1.amazonaws.com/paswr.zip" or domainname like "neremedysoft.com" or url like "neremedysoft.com" or siteurl like "neremedysoft.com" or domainname like "ndibstersoft.com" or url like "ndibstersoft.com" or siteurl like "ndibstersoft.com"

    Detection Query 2:

    dstipaddress IN ("185.242.246.127","185.156.73.62","193.24.211.61") or srcipaddress IN ("185.242.246.127","185.156.73.62","193.24.211.61")
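    The following is an added, offline re-implementation of the two detection queries above, so the matching logic can be exercised against log records without a Gurucul TDIR instance. It is example code written for this page, not Gurucul's own query engine, and it only reuses the IOC values and the field names (domainname, url, siteurl, srcipaddress, dstipaddress) that the queries reference. The log records are constructed samples, not real telemetry. One deliberate design choice: domain IOCs are compared against the parsed hostname (exact match or subdomain), rather than by raw substring as a SQL-style `like` would do, so a lookalike such as `ndibstersoft.com.example` is not flagged.

```python
"""Added example: offline equivalent of the two Gurucul TDIR detection queries
above, run over constructed sample log records (not from the advisory)."""
from urllib.parse import urlparse

# IOC values copied from the advisory's IOC list
IOC_DOMAINS = {
    "ndibstersoft.com",
    "neremedysoft.com",
    "fastdlvrss.s3.us-east-1.amazonaws.com",
}
IOC_URLS = {
    "https://fastdlvrss.s3.us-east-1.amazonaws.com/paswr.zip",
    "https://storage.googleapis.com/apply-main/windows_agent_x64.msi",
}
IOC_IPS = {"185.156.73.62", "185.242.246.127", "193.24.211.61"}

# Field names as used in Detection Query 1 and Detection Query 2
URL_FIELDS = ("domainname", "url", "siteurl")
IP_FIELDS = ("srcipaddress", "dstipaddress")


def host_of(value):
    """Return the lowercase hostname of a URL or bare hostname, or "" if none."""
    if not value:
        return ""
    # Bare hostnames need a scheme-relative prefix for urlparse to see a netloc
    parsed = urlparse(value if "://" in value else "//" + value)
    return (parsed.hostname or "").lower()


def matches_query1(record):
    """Query 1 equivalent: any URL-ish field names an IOC URL or IOC domain.
    Domains are matched on the parsed host (exact or subdomain), so a lookalike
    such as 'ndibstersoft.com.example' does not trip the rule."""
    ioc_urls_lower = {u.lower() for u in IOC_URLS}
    for field in URL_FIELDS:
        value = (record.get(field) or "").strip()
        if value.lower() in ioc_urls_lower:
            return True
        host = host_of(value)
        if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            return True
    return False


def matches_query2(record):
    """Query 2 equivalent: source or destination IP is in the IOC IP list."""
    return any((record.get(f) or "").strip() in IOC_IPS for f in IP_FIELDS)


def scan(records):
    """Return (index, query_name) pairs for every record that trips a query."""
    hits = []
    for i, rec in enumerate(records):
        if matches_query1(rec):
            hits.append((i, "query1"))
        if matches_query2(rec):
            hits.append((i, "query2"))
    return hits


# Constructed sample records (hypothetical, not real telemetry)
SAMPLE_LOGS = [
    {"srcipaddress": "10.0.0.5", "dstipaddress": "8.8.8.8",
     "url": "https://example.org/"},
    {"srcipaddress": "10.0.0.7", "dstipaddress": "52.216.1.1",
     "url": "https://fastdlvrss.s3.us-east-1.amazonaws.com/paswr.zip"},
    {"srcipaddress": "185.242.246.127", "dstipaddress": "10.0.0.2",
     "domainname": ""},
    {"srcipaddress": "10.0.0.9", "dstipaddress": "1.1.1.1",
     "siteurl": "cdn.ndibstersoft.com"},
    {"srcipaddress": "10.0.0.9", "dstipaddress": "1.1.1.1",
     "siteurl": "ndibstersoft.com.example"},
]

if __name__ == "__main__":
    for idx, query in scan(SAMPLE_LOGS):
        print(f"record {idx}: matched {query} -> {SAMPLE_LOGS[idx]}")
```

    Running the block prints the three constructed records that should alert (the paswr.zip download, the inbound connection from an IOC IP, and the subdomain of an IOC domain) and stays silent on the benign record and the lookalike domain.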

    Reference:

    https://cyberpress.org/fortigate-firewalls-exploited/


    Tags

    Vulnerability, CVE-2025, CVE-2026, Exploitation, credential stealers, Exfiltration, Remote monitoring and management (RMM)
