DEV Community

Mark0

FortiGate Edge Intrusions | Stolen Service Accounts Lead to Rogue Workstations and Deep AD Compromise

SentinelOne’s DFIR team has identified a series of compromises involving FortiGate Next-Generation Firewall (NGFW) appliances, where attackers exploit vulnerabilities such as CVE-2025-59718 and CVE-2026-24858 to gain initial access. Once inside, the threat actors typically extract the appliance's configuration file to harvest the service account credentials stored in it, and then reuse those credentials to move laterally within the victim's network. The investigations also highlighted insufficient log retention on the edge devices themselves, which often complicates reconstruction of the initial breach.

The report details two specific incidents: one where attackers enrolled rogue workstations into Active Directory to bypass security controls, and another where they deployed legitimate remote monitoring and management (RMM) tools, Pulseway and MeshAgent, to facilitate theft of the NTDS.dit file, the Active Directory database that holds every domain account's password hash. To defend against these attacks, organizations are advised to enforce strict administrative access controls on the firewall, maintain robust patching schedules, and offload logs to a SIEM for long-term retention and automated threat detection.
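As an added illustration of the "automated threat detection" the summary recommends (this is not code from the SentinelOne report or from the original post), the script below runs three simple detections over constructed, simplified Windows Security events that a SIEM would receive once logs are offloaded: a harvested service account authenticating over the network to many hosts from one source (event 4624, logon type 3), a computer account created by something other than the designated domain-join account (event 4741, the rogue-workstation step), and an RMM agent being launched (event 4688). The event shape, the account names, the host names and the RMM binary name fragments are all assumptions made for the example.

```python
"""Three detections over constructed Windows Security event records.

The events, account names and hosts below are constructed samples for
this illustration; they are not data from the SentinelOne report.
Assumption: a SIEM/agent has already normalised the Security log into
flat dicts with the keys used here.
"""
from collections import defaultdict

SAMPLE_EVENTS = [
    # Harvested service account reaching several hosts from one source IP.
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc-backup", "Computer": "FS01", "IpAddress": "10.10.5.21"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc-backup", "Computer": "FS02", "IpAddress": "10.10.5.21"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc-backup", "Computer": "DC01", "IpAddress": "10.10.5.21"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc-backup", "Computer": "HR-WS-07", "IpAddress": "10.10.5.21"},
    # Computer account created by the harvested service account (rogue workstation).
    {"EventID": 4741, "SubjectUserName": "svc-backup", "TargetUserName": "DESKTOP-X9Q2$"},
    # Routine join performed by the authorised join account: benign.
    {"EventID": 4741, "SubjectUserName": "svc-adjoin", "TargetUserName": "WS-0421$"},
    # Process creation: an RMM agent started on a file server, and a benign svchost.
    {"EventID": 4688, "Computer": "FS01", "NewProcessName": "C:\\Program Files\\Mesh Agent\\MeshAgent.exe", "SubjectUserName": "svc-backup"},
    {"EventID": 4688, "Computer": "FS01", "NewProcessName": "C:\\Windows\\System32\\svchost.exe", "SubjectUserName": "SYSTEM"},
]

AUTHORIZED_JOIN_ACCOUNTS = {"svc-adjoin"}        # assumption: only account allowed to create computer objects
SERVICE_ACCOUNTS = {"svc-backup", "svc-adjoin"}  # assumption: accounts known to be stored in the firewall config
RMM_MARKERS = ("meshagent", "pulseway")          # assumption: path fragments identifying the RMM agent binaries
FANOUT_THRESHOLD = 3                             # assumption: distinct hosts before a network logon burst is flagged


def find_rogue_joins(events, authorized=AUTHORIZED_JOIN_ACCOUNTS):
    """Event 4741 is 'computer account created'. Any creator outside the
    authorised join account set is reported as (creator, new computer)."""
    return [(e["SubjectUserName"], e["TargetUserName"])
            for e in events
            if e.get("EventID") == 4741 and e.get("SubjectUserName") not in authorized]


def find_rmm_launches(events, markers=RMM_MARKERS):
    """Event 4688 is 'process created'. Match RMM agent binaries by a
    case-insensitive fragment of the image path; returns (host, image, user)."""
    hits = []
    for e in events:
        if e.get("EventID") != 4688:
            continue
        path = e.get("NewProcessName", "").lower()
        if any(m in path for m in markers):
            hits.append((e["Computer"], e["NewProcessName"], e["SubjectUserName"]))
    return hits


def find_service_account_fanout(events, service_accounts=SERVICE_ACCOUNTS, threshold=FANOUT_THRESHOLD):
    """Event 4624 with LogonType 3 is a network logon. A service account
    landing on >= threshold distinct hosts from one source IP is reported
    as {(account, source_ip): [hosts...]}."""
    hosts = defaultdict(set)
    for e in events:
        if (e.get("EventID") == 4624 and e.get("LogonType") == 3
                and e.get("TargetUserName") in service_accounts):
            hosts[(e["TargetUserName"], e["IpAddress"])].add(e["Computer"])
    return {key: sorted(h) for key, h in hosts.items() if len(h) >= threshold}


def run_detections(events=SAMPLE_EVENTS):
    """Run all three detections and return their findings keyed by name."""
    return {
        "rogue_joins": find_rogue_joins(events),
        "rmm_launches": find_rmm_launches(events),
        "service_account_fanout": find_service_account_fanout(events),
    }


if __name__ == "__main__":
    for name, findings in run_detections().items():
        print(f"{name}: {findings}")
```

On the sample data the run reports one rogue join (svc-backup creating DESKTOP-X9Q2$), one RMM launch (MeshAgent.exe on FS01) and one fan-out (svc-backup reaching four hosts from 10.10.5.21). Each check depends on a field the firewall itself never logs, which is the practical point of the report's advice: these events only exist if the Windows hosts and the edge device are both forwarding to a SIEM that retains them past the dwell time of the intrusion.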


