
ThreatsDay Debrief: The 'Sloppy' Persistence of FortiGate RaaS & Citrix

EDR_Engineer_Raj 3/19/2026

Hey everyone,

Caught the latest ThreatsDay Bulletin over morning coffee, and the description of this week's vibe as "nothing loud, nothing breaking everything at once" really hit home. But that silence is deceptive. The report highlights active exploitation of FortiGate devices via RaaS and ongoing Citrix shenanigans.

It's concerning because these aren't sophisticated zero-days; they are often configuration gaps or older CVEs that shouldn't work anymore but do. The FortiGate RaaS (Ransomware-as-a-Service) model is particularly worrying—it lowers the barrier to entry for script kiddies to target perimeter appliances effectively.

For those running FortiOS, ensure you aren't exposing management interfaces to the WAN. If you are, you need better visibility. A basic KQL query to hunt for suspicious management login attempts on your FortiGate firewalls might look like this:

DeviceNetworkEvents
| where DeviceVendor == "Fortinet"
| where DestinationPort in (443, 80, 22)            // HTTPS, HTTP and SSH management ports
| where Activity in ("LoginFailed", "AccessDenied") // failed or denied admin logins
| summarize Count = count() by SourceIP, DestinationIP, Activity
| where Count > 5                                   // more than 5 per source/destination pair

Regarding the Citrix exploits mentioned, it feels like we are stuck in a loop of ADC and Gateway vulnerabilities. Patching is painful, leading to long exposure windows.

How are you all handling appliance patching fatigue? Are you pushing vendors harder for immutable, auto-patching appliances, or just relying on strict network segmentation to buy time?

Threat_Intel_Omar 3/19/2026

The FortiGate RaaS angle is very real. In my last external pentest, I found a FortiManager instance exposed via an old CVE (CVE-2023-xxxx) simply because the client was terrified of a firmware upgrade breaking their VPN mesh during a busy quarter.

Automation helps. I've been using nuclei templates specifically for these appliance vulnerabilities before even attempting manual exploitation. It saves hours and highlights exactly what 'sloppy' configuration is exposed to the internet.

SCADA_Guru_Ivan 3/19/2026

Solid query for the SIEM. We've taken it a step further by correlating those failed logins with GeoIP data. If we see a login attempt from a country we don't operate in, we auto-block the IP at the edge via the firewall API immediately.

As for the Citrix issues, we've moved our ADC instances behind a ZPA (Zero Trust Access) gateway. It adds latency, sure, but it effectively hides the management interface from the wild west of the public internet.
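The OP's threshold query and Ivan's GeoIP correlation together, as an added Python example that is not code from either poster: it parses constructed FortiGate-style key=value log lines, counts failed admin logins per source IP, and flags sources that exceed the threshold or fall outside an allowed-country set. The GEOIP table and ALLOWED_COUNTRIES are constructed stand-ins, not a real GeoIP database or anyone's production data.

```python
import re
from collections import Counter

# Constructed sample FortiGate-style key=value syslog lines; not output of a real device.
def _fake_line(srcip, status):
    return (f'date=2026-03-19 time=08:01:02 type="event" subtype="system" '
            f'action="login" status="{status}" user="admin" srcip={srcip} '
            f'dstip=192.0.2.1 method="https"')

SAMPLE_LOGS = (
    [_fake_line("203.0.113.10", "failed")] * 6     # brute-force pattern
    + [_fake_line("198.51.100.7", "failed")] * 2   # a few typos from an allowed region
    + [_fake_line("198.51.100.7", "success")]
    + [_fake_line("192.0.2.99", "failed")]         # single attempt, unexpected region
)

# Constructed stand-in for a GeoIP lookup (address prefix -> ISO country code).
GEOIP = {"203.0.113.": "XX", "198.51.100.": "US", "192.0.2.": "ZZ"}
ALLOWED_COUNTRIES = {"US"}  # countries the organisation actually operates in

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value syslog line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def country_of(ip):
    for prefix, cc in GEOIP.items():
        if ip.startswith(prefix):
            return cc
    return "??"  # unknown origin: treated as outside the allow-list

def flag_sources(lines, threshold=5):
    """Return {srcip: info} for sources over the failure threshold and/or outside ALLOWED_COUNTRIES."""
    failures = Counter()
    for rec in map(parse_line, lines):
        if rec.get("action") == "login" and rec.get("status") == "failed":
            failures[rec["srcip"]] += 1
    flagged = {}
    for ip, count in failures.items():
        cc = country_of(ip)
        reasons = []
        if count > threshold:
            reasons.append("threshold")
        if cc not in ALLOWED_COUNTRIES:
            reasons.append("geo")
        if reasons:
            flagged[ip] = {"count": count, "country": cc, "reasons": reasons}
    return flagged
```

Feeding real logs means replacing SAMPLE_LOGS with lines read from your collector and GEOIP with a proper lookup; the "geo" reason is what Ivan's edge auto-block would key on.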

BugBounty_Leo 3/19/2026

Don't sleep on the 'MCP Abuse' mentioned in the bulletin snippet either. With the rise of AI agents, the Model Context Protocol is becoming a massive attack surface if not segmented correctly. We saw a proof-of-concept last week where an unauthenticated MCP endpoint was used to extract training data.

For appliances, segmentation is the only way to survive the patch gap. Treat your management VLANs like they are the Crown Jewels.


Thread stats: Created 3/19/2026 | Last active 3/19/2026 | Replies 3 | Views 124