
Fortigate case studies

The Sophos MDR team escalated the following case, in which a Fortigate firewall detected an exploitation attempt:

The case

On January 16, 2024, the MDR team was alerted to an XDR-fortinet-fortigate-Exploitation-for-Credential-Access detection. The alert type maps to the MITRE ATT&CK technique Exploitation for Credential Access. The alerting security control logged the event but took no blocking action. During our investigation we observed a connection attempt from IP 85[.]209[.]11[.]108 to the internal IP 25[.]523[.]15[.]215 with the request /webtools/control/ping?USERNAME=&PASSWORD=&requirePasswordChange=Y. Open-source intelligence (OSINT) flags the external IP address as malicious. The internal host is not a managed host in your estate, which limits our visibility into what happened on it after the request was received. Based on these findings, please see our recommendations below.
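As an added example that is not part of the Sophos case write-up, the triage below runs over constructed FortiGate-style IPS log lines (field names modelled on FortiGate's key=value syslog; the device name, attack name and the RFC 1918 / RFC 5737 addresses are placeholders, the source IP is the one from the case) and reproduces the two checks the analysts made: whether the control only detected the request or actually blocked it, and whether the targeted host is a managed endpoint. The request path in the case, /webtools/control/ping with requirePasswordChange=Y, is the publicly reported probe for the Apache OFBiz authentication bypass (CVE-2023-51467); the matcher keys on that parameter rather than on the empty credentials, because the bypass works with any username and password.

```python
"""Triage FortiGate-style IPS events for the OFBiz auth-bypass probe seen in the case."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample events modelled on FortiGate IPS key=value syslog (not real telemetry).
# The source IP 85.209.11.108 is the one from the case; hosts and attack names are placeholders.
SAMPLE_LOGS = [
    'date=2024-01-16 time=09:41:07 devname="fgt-edge" type="utm" subtype="ips" '
    'severity="high" srcip=85.209.11.108 srcport=51122 dstip=10.20.15.215 dstport=8443 '
    'action="detected" attack="Web.Auth.Bypass.Probe" '
    'url="/webtools/control/ping?USERNAME=&PASSWORD=&requirePasswordChange=Y"',
    'date=2024-01-16 time=09:41:09 devname="fgt-edge" type="utm" subtype="ips" '
    'severity="high" srcip=85.209.11.108 srcport=51123 dstip=10.20.15.215 dstport=8443 '
    'action="detected" attack="Web.Auth.Bypass.Probe" '
    'url="/webtools/control/ping?USERNAME=admin&PASSWORD=admin&requirePasswordChange=Y"',
    # Same probe from another source, but here the sensor dropped it.
    'date=2024-01-16 time=09:45:30 devname="fgt-edge" type="utm" subtype="ips" '
    'severity="high" srcip=198.51.100.7 srcport=40000 dstip=10.20.15.40 dstport=443 '
    'action="dropped" attack="Web.Auth.Bypass.Probe" '
    'url="/webtools/control/ping?USERNAME=&PASSWORD=&requirePasswordChange=Y"',
    # Ordinary traffic log with no URL field; must be ignored.
    'date=2024-01-16 time=09:50:02 devname="fgt-edge" type="traffic" subtype="forward" '
    'srcip=203.0.113.9 srcport=52000 dstip=10.20.15.40 dstport=443 action="accept"',
]

# key=value pairs; values are either double-quoted (may contain spaces, '=' and '?') or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# IPS action values that mean the control actually stopped the request.
BLOCKING_ACTIONS = {"dropped", "blocked", "reset", "deny"}


def parse_event(line):
    """Turn one key=value syslog line into a dict, stripping quotes from values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def is_bypass_probe(url):
    """Match the request seen in the case: the ping endpoint with requirePasswordChange=Y.

    The credentials are deliberately not checked: the bypass triggers with empty or
    arbitrary USERNAME/PASSWORD values, so keying on them would miss variants."""
    parts = urlsplit(url)
    if not parts.path.endswith("/webtools/control/ping"):
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    return query.get("requirePasswordChange", [""])[0].upper() == "Y"


def triage(lines, managed_hosts):
    """One finding per matching event, carrying the two facts the analyst needs:
    whether the control blocked it, and whether the target has endpoint visibility."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if not is_bypass_probe(ev.get("url", "")):
            continue
        findings.append({
            "srcip": ev["srcip"],
            "dstip": ev["dstip"],
            "unactioned": ev.get("action", "").lower() not in BLOCKING_ACTIONS,
            "unmanaged_target": ev["dstip"] not in managed_hosts,
        })
    return findings


def ips_to_block(findings):
    """Sources whose probes were only detected, never blocked: candidates for a perimeter deny."""
    return sorted({f["srcip"] for f in findings if f["unactioned"]})


def unmanaged_targets(findings):
    """Destination hosts without an endpoint agent: candidates for onboarding to MDR."""
    return sorted({f["dstip"] for f in findings if f["unmanaged_target"]})


if __name__ == "__main__":
    found = triage(SAMPLE_LOGS, managed_hosts={"10.20.15.40"})
    print("block at perimeter:", ips_to_block(found))
    print("onboard to MDR:", unmanaged_targets(found))
```

Against the constructed lines the probe from 85.209.11.108 is seen twice with action "detected" and lands on an unmanaged host, so it appears in both output lists, while the identical probe from 198.51.100.7 was dropped by the sensor and needs no further action. Real deployments should feed the function from the syslog collector rather than a static list and widen BLOCKING_ACTIONS to whatever action strings the local IPS profile emits.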

Recommendations

  • Onboard the device 25[.]523[.]15[.]215 to MDR, if possible, so that the endpoint itself is monitored.
  • Block the IP 85[.]209[.]11[.]108 on your network perimeter firewall.

The customer confirmed that they blocked the IP address to prevent further intrusion attempts.