
KeyPlug-Linked Server Exposes Fortinet Exploits & Webshell Activity Targeting a Major Japanese Company

Severity: Medium
Published: Thu Apr 17 2025 (04/17/2025, 21:19:58 UTC)
Source: AlienVault OTX

Description

A KeyPlug-linked server briefly exposed a collection of Fortinet firewall and VPN exploit scripts, PHP webshells, and network reconnaissance tools targeting a major Japanese company. This exposure revealed the attacker’s operational workflow, including infrastructure reconnaissance and post-access session management, providing rare insight into an advanced adversary’s tactics. The threat involves exploitation of Fortinet vulnerabilities, notably CVE-2024-23108 and CVE-2024-23109, though no active widespread exploitation has been confirmed. The attacker group identified is RedGolf, known for targeted intrusions. The exposure was short-lived but highlights the risk of Fortinet device exploitation and subsequent internal network compromise. European organizations using Fortinet products could be at risk if targeted by similar campaigns. Mitigation requires immediate patching of Fortinet vulnerabilities, enhanced monitoring for webshell activity, and restricting access to internal portals. Countries with significant Fortinet deployments and strategic sectors similar to the Japanese target are most likely affected. The threat is assessed as high severity due to the potential for unauthorized access, lateral movement, and data compromise without requiring user interaction. Defenders should prioritize Fortinet patch management and network segmentation to reduce exposure.

AI-Powered Analysis

AI analysis last updated: 01/14/2026, 14:40:52 UTC

Technical Analysis

The threat centers on a server linked to the KeyPlug malware infrastructure that was briefly exposed, revealing a suite of tools used in active cyber operations against a major Japanese company. The exposed tools included exploit scripts targeting Fortinet firewall and VPN vulnerabilities, specifically CVE-2024-23108 and CVE-2024-23109, which allow attackers to bypass authentication or execute arbitrary code. Additionally, PHP webshells were found, enabling persistent remote access and command execution within the victim’s network. The server also contained network reconnaissance utilities designed to fingerprint content delivery networks (CDNs) and probe authentication portals, indicating a methodical approach to internal network mapping and session management post-compromise. The adversary behind this activity is identified as RedGolf, a group known for sophisticated targeted attacks. Although the exposure lasted less than a day and no widespread exploitation is currently confirmed, the incident provides valuable insight into the attacker’s workflow from initial reconnaissance to maintaining access. The presence of encrypted command execution tools suggests attempts to evade detection and maintain stealth. This threat highlights the ongoing risk posed by unpatched Fortinet devices, which are widely used globally, including in Europe, for firewall and VPN services. The operational details exposed underscore the importance of continuous monitoring and rapid patch deployment to defend against advanced persistent threats leveraging such vulnerabilities.

Potential Impact

For European organizations, the exploitation of Fortinet firewall and VPN vulnerabilities could lead to unauthorized network access, data exfiltration, and disruption of critical services. Given Fortinet’s significant market share in Europe’s enterprise and government sectors, successful exploitation could compromise sensitive information and internal systems. The use of webshells and encrypted command utilities enables attackers to maintain persistence and move laterally within networks, increasing the risk of widespread compromise. Organizations in sectors such as finance, telecommunications, and critical infrastructure are particularly at risk due to their reliance on Fortinet products and the strategic value of their data. The exposure of internal portals and authentication mechanisms could facilitate credential theft and privilege escalation. Although no active widespread exploitation is confirmed, the demonstrated attacker capabilities and tooling suggest a high potential impact if leveraged in targeted campaigns against European entities. The incident also raises concerns about supply chain and third-party risk, as attackers may target partners or vendors using similar infrastructure.

Mitigation Recommendations

European organizations should immediately verify and apply patches for Fortinet vulnerabilities CVE-2024-23108 and CVE-2024-23109 to close known exploit vectors. Conduct comprehensive network scans to detect any signs of webshells or unauthorized scripts, focusing on internal portals and authentication systems. Implement strict network segmentation to limit lateral movement opportunities for attackers who gain initial access. Enhance logging and monitoring for unusual command execution patterns, especially encrypted or obfuscated traffic indicative of command and control activity. Restrict access to Fortinet management interfaces using multi-factor authentication and IP whitelisting. Regularly audit and update VPN configurations to ensure secure authentication and session management. Employ threat hunting exercises to identify any indicators of compromise related to KeyPlug or RedGolf activity. Collaborate with threat intelligence providers to stay informed about emerging tactics and indicators. Finally, conduct targeted user awareness training on phishing and social engineering, as initial access vectors may involve credential compromise.


Technical Details

Author: AlienVault
TLP: white
References: https://hunt.io/blog/keyplug-server-exposes-fortinet-exploits-webshells
Adversary: RedGolf

Indicators of Compromise

CVE

CVE-2024-23108
CVE-2024-23109

Hash


Domain

combinechina.com

Threat ID: 682c992c7960f6956616a159

Added to database: 5/20/2025, 3:01:00 PM

Last enriched: 1/14/2026, 2:40:52 PM

Last updated: 2/4/2026, 10:14:22 AM
