Fortigate case studies
The Sophos MDR team escalated the following case in which Fortigate detected an exploit:
The case
On January 16, 2024, the MDR team was alerted to an XDR-fortinet-fortigate-Exploitation-for-Credential-Access detection. The alert type was mapped to the MITRE ATT&CK technique Exploitation-for-Credential-Access. We observed that the action category was unactioned by the alerting security control. During our investigation, we observed a connection attempt from IP 85[.]209[.]11[.]108 to internal IP 25[.]523[.]15[.]215 with the request /webtools/control/ping?USERNAME=&PASSWORD=&requirePasswordChange=Y. According to OSINT, the external IP address is malicious in nature. The internal IP is not a managed host in your estate, which limits our visibility into the events. Based on these findings, please see our recommendations below.
Recommendations
- Protect the device IP 25[.]523[.]15[.]215 with MDR, if possible.
- Block the IP 85[.]209[.]11[.]108 on your network perimeter firewall.
The customer confirmed that they blocked the IP address to prevent further intrusion.
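As an added example (not part of the Sophos case write-up), the following Python flags the request pattern seen in this case, /webtools/control/ping with empty USERNAME and PASSWORD and requirePasswordChange=Y, in web server access logs and tags hits from the source IP the case names as malicious. The log lines are constructed for illustration in Apache combined format; the field layout and the KNOWN_BAD_SOURCES watchlist are assumptions, not part of any Fortigate or Sophos product.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not real case data.
SAMPLE_LOGS = [
    '85.209.11.108 - - [16/Jan/2024:10:02:11 +0000] "GET /webtools/control/ping?USERNAME=&PASSWORD=&requirePasswordChange=Y HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '10.0.0.5 - - [16/Jan/2024:10:03:45 +0000] "GET /webtools/control/ping HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [16/Jan/2024:10:04:01 +0000] "POST /webtools/control/login?USERNAME=admin&PASSWORD=x HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '85.209.11.108 - - [16/Jan/2024:10:05:30 +0000] "GET /webtools/control/ping?requirePasswordChange=Y&USERNAME=&PASSWORD= HTTP/1.1" 200 512 "-" "curl/8.4"',
]

# Source IP the case identifies as malicious per OSINT (assumed watchlist format).
KNOWN_BAD_SOURCES = {"85.209.11.108"}

# Minimal parser for the combined-format fields we need: source, timestamp, request target.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_credential_bypass_request(target: str) -> bool:
    """True when the request target matches the pattern from the case:
    path /webtools/control/ping with empty USERNAME and PASSWORD and
    requirePasswordChange=Y, regardless of parameter order."""
    parts = urlsplit(target)
    if parts.path != "/webtools/control/ping":
        return False
    # keep_blank_values so USERNAME= and PASSWORD= survive as empty strings
    qs = parse_qs(parts.query, keep_blank_values=True)
    return (
        qs.get("USERNAME") == [""]
        and qs.get("PASSWORD") == [""]
        and qs.get("requirePasswordChange") == ["Y"]
    )


def detect(lines):
    """Return a list of (source_ip, timestamp, reason) for each matching line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than crash the sweep
        if is_credential_bypass_request(m["target"]):
            reason = "credential-bypass request pattern"
            if m["src"] in KNOWN_BAD_SOURCES:
                reason += " from known-bad source"
            hits.append((m["src"], m["ts"], reason))
    return hits
```

Running detect(SAMPLE_LOGS) reports only the two lines that carry the full parameter combination, both from the watchlisted source; the plain /webtools/control/ping health check and the ordinary login request are not flagged.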