
KeyPlug-Linked Server Exposes Fortinet Exploits & Webshell Activity Targeting a Major Japanese Company

Severity: Medium
Published: Thu Apr 17 2025 (04/17/2025, 21:19:58 UTC)
Source: AlienVault OTX

Description

A server linked to KeyPlug malware briefly exposed tooling used in active operations. The infrastructure, live for less than a day, revealed Fortinet firewall and VPN exploit scripts, a PHP webshell, and network reconnaissance tools targeting authentication and internal portals of a major Japanese company. The exposed directory provided insight into the attacker's workflow, from infrastructure reconnaissance to post-access session management. Notable files included Fortinet reconnaissance scripts, CDN fingerprinting tools, and encrypted command execution utilities. The server's brief exposure offers a rare glimpse into the operational staging and planning of a likely advanced adversary.

AI-Powered Analysis

Last updated: 06/19/2025, 17:47:43 UTC

Technical Analysis

The KeyPlug-linked server incident involved the brief exposure of attacker infrastructure associated with the KeyPlug malware family, revealing tooling used by an adversary the pulse attributes to RedGolf. The server was reachable for less than a day but gave significant insight into the operator's workflow. According to the source, the exposed directory held exploit scripts aimed at Fortinet firewall and VPN products, a PHP webshell, network reconnaissance tools, CDN fingerprinting utilities and encrypted command execution scripts. The pulse tags CVE-2024-23108 and CVE-2024-23109; note that these two CVEs are OS command injection vulnerabilities in FortiSIEM (for which Fortinet shipped fixed releases in early 2024), not FortiGate firewall or SSL-VPN flaws, and the source does not state which vulnerability the exposed scripts exploit, so the CVE tags should be read as context rather than as confirmation of the exploited weakness. Taken together, the tools indicate a multi-stage process: reconnaissance to identify exposed Fortinet devices and internal portals, exploitation to gain initial access, webshell deployment for persistent access, and post-compromise session management to retain control of the victim environment. The encrypted command execution utilities point to an effort to evade network inspection and stay stealthy. The targeting of the authentication and internal portals of a major Japanese company suggests a focused campaign against high-value corporate or strategic assets. Although the exposure was brief, the artifacts offer a rare view of this actor's tactics, techniques and procedures (TTPs) and of how targeted the campaign is. The pulse itself does not report confirmed in-the-wild exploitation of the two tagged CVEs, but the scripts were, per the source, staged for active operations, and their exposure means other threat actors may reuse them.

Potential Impact

For European organizations, the exposure of Fortinet exploit scripts and a webshell on infrastructure linked to KeyPlug is a significant threat to anyone running Fortinet firewall, VPN or FortiSIEM products. Successful exploitation would give an attacker a foothold on the network edge and, from there, access to internal networks, compromising the confidentiality, integrity and availability of sensitive data and critical systems. Because the toolset includes network reconnaissance and session management utilities, lateral movement, data exfiltration and long-term espionage are realistic follow-on activities. That is particularly concerning for sectors holding high-value intellectual property, critical infrastructure or sensitive personal data: finance, telecommunications, healthcare and government. The medium severity rating reflects that exploitation still requires some skill, but ready-made scripts lower the barrier. The targeting of authentication portals also raises the risk of credential theft and subsequent privilege escalation. European organizations with Fortinet devices should be vigilant: the operational detail visible in the exposed staging directory suggests a well-resourced adversary capable of sustained operations, and the tools' exposure may invite copycat attacks or broader exploitation attempts across Europe.

Mitigation Recommendations

1. Verify that every Fortinet product in use is on a fixed release. CVE-2024-23108 and CVE-2024-23109 are OS command injection flaws in FortiSIEM, and Fortinet published fixed FortiSIEM versions in early 2024, so patches do exist; update FortiSIEM accordingly and keep FortiGate firewall and SSL-VPN firmware current per Fortinet PSIRT advisories, applying any published workarounds where an upgrade must wait.
2. Scan the web roots of internal portals and authentication systems for unauthorized webshells and suspicious PHP scripts: recently modified files, code execution functions fed directly by request parameters, and encoded payload loaders.
3. Implement strict network segmentation and access controls around Fortinet devices and internal portals to limit lateral movement.
4. Deploy enhanced monitoring and logging focused on Fortinet device logs, VPN access patterns and unusual command execution, using anomaly detection to surface encrypted or obfuscated commands.
5. Review and harden authentication mechanisms, including enforcing multi-factor authentication (MFA) on all VPN and portal access points.
6. Hunt with the file hashes and domain listed under Indicators of Compromise below, and for behaviours such as CDN fingerprinting and encrypted command execution. Hashes only match unmodified copies of the exposed files, so behavioural hunting matters as much as hash matching.
7. Brief security teams on the TTPs revealed by this exposure to improve incident response readiness.
8. Limit exposure of management interfaces to trusted networks and consider VPN or zero-trust access models for administrative access to Fortinet devices.
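Steps 2 and 6 above can be combined into one hunt over a web root: hash every file and compare against the page's IOC list, and flag PHP files that exhibit common webshell traits. The script below is an added example, not tooling from the hunt.io report or from AlienVault. The IOC hashes are the ones listed on this page; the webshell regexes and the sample files in demo() are constructed for illustration (the page does not describe the exposed webshell's code, so the assumption is that it uses the usual eval/exec-of-request-parameter idioms).

```python
"""Hunt a web root for the page's file-hash IOCs and for PHP webshell traits.

Added example, not the report's own tooling. IOC_HASHES come from this page's
Indicators of Compromise section; WEBSHELL_PATTERNS and the demo() files are
constructed (assumption: the actor's webshell uses common PHP eval/exec idioms).
"""
import hashlib
import re
import tempfile
from pathlib import Path

# File hashes listed on this page (MD5, SHA-1 and SHA-256, mixed).
IOC_HASHES = {
    "71842588ace7442bee095dab2782f253",
    "90a7fa13f9fad5626d166ef3c0e14c0d",
    "1567b74dfcdf7c4c2454f2b84ecee915d9bb3f11",
    "6b325f1cd5626d15c10b45793ffe88edf4ca07a9",
    "09b220a315ea0aebae2de835a3240d3690c962a3c801dd1c1cf6e6e2c84ede95",
    "2386baf4bf3a57ae7bca44c952855a98edf569da7b62bb0c8cbe414f1800d2b6",
    "468b1799fbda3097b345a59bc1fec1cbc2a015efa473b043a69765a987ad54ed",
    "4c1baa3abb774b4c649c87417acaa4396eba40e5028b43fade4c685a405cc3bf",
    "53a24e00ae671879ea3677a29ee1b10706aa5aa0dccd4697c3a94ee05df2ec45",
    "7146774db3c77e27b7eb48745aef56b50e0e7d87280fea03fa6890646af50d50",
    "759246465014acaf3e75a575d6fe36720cfdbfe2eeac1893fe6d7a0474815552",
    "827b5d8ed210a85bf06214e500a955f5ad72bd0afd90127de727eb7d5d70187e",
    "98261d1f92ae8f7a479bc5fc4d0a8d6a76c0d534e63e9edbc2d6257a9ba84b9d",
    "c1da6449513844277acc969aae853a502f177e92f98d37544f94a8987e6e2308",
    "c8d2b2ba5b6585584200ca46564b47db8048d748aefbdfe537bceaf27fb93ad7",
    "f21a7180405c52565fdc7a81b2fb5a494a3d936a25d1b30b9bd4b69a5e1de9a3",
}


def classify_hash(h: str):
    """Return the digest algorithm implied by a hex string's length, or None."""
    h = h.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", h):
        return None
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(h))


# Constructed heuristics for PHP webshells: execution primitives fed by request
# parameters, the eval(base64_decode(...)) loader, variable-function calls and
# the preg_replace /e modifier. Not derived from the exposed sample.
WEBSHELL_PATTERNS = [
    re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    re.compile(r"\b(?:system|shell_exec|passthru|exec|popen|proc_open|assert|eval)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b", re.I),
    re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
    re.compile(r"\bpreg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I),
]


def looks_like_webshell(source: str):
    """Return the text of the first matching pattern, or None if clean."""
    for pat in WEBSHELL_PATTERNS:
        if pat.search(source):
            return pat.pattern
    return None


def file_digests(path: Path):
    """MD5, SHA-1 and SHA-256 of a file, computed in one streaming pass."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in (md5, sha1, sha256):
                h.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def scan_webroot(root, ioc_hashes=IOC_HASHES, php_exts=(".php", ".phtml", ".php5", ".phar")):
    """Walk root; report IOC hash matches for any file and heuristic hits for PHP."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        for algo, value in file_digests(path).items():
            if value in ioc_hashes:
                findings.append({"path": str(path), "reason": f"hash:{algo}", "detail": value})
        if path.suffix.lower() in php_exts:
            hit = looks_like_webshell(path.read_text(errors="replace"))
            if hit:
                findings.append({"path": str(path), "reason": "webshell-heuristic", "detail": hit})
    return findings


def demo():
    """Constructed web root: a benign page, a one-line webshell, and a binary
    whose SHA-256 is added to the IOC set to exercise hash matching."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.php").write_text("<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>")
    (root / "cache.php").write_text("<?php @eval(base64_decode($_POST['c'])); ?>")
    dropped = root / "static" / "f.bin"
    dropped.parent.mkdir()
    dropped.write_bytes(b"constructed dropper bytes")
    iocs = set(IOC_HASHES) | {hashlib.sha256(b"constructed dropper bytes").hexdigest()}
    return scan_webroot(root, iocs)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a real document root as scan_webroot("/var/www") with the default IOC set. A hash hit is high confidence; a heuristic hit needs review, since legitimate frameworks occasionally call variable functions, but a hit in a recently modified file under a portal or authentication path is exactly what step 2 is looking for.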


Technical Details

Author: AlienVault
TLP: WHITE
References: https://hunt.io/blog/keyplug-server-exposes-fortinet-exploits-webshells
Adversary: RedGolf

Indicators of Compromise

CVE

CVE-2024-23108
CVE-2024-23109

Hashes (MD5)

71842588ace7442bee095dab2782f253
90a7fa13f9fad5626d166ef3c0e14c0d

Hashes (SHA-1)

1567b74dfcdf7c4c2454f2b84ecee915d9bb3f11
6b325f1cd5626d15c10b45793ffe88edf4ca07a9

Hashes (SHA-256)

09b220a315ea0aebae2de835a3240d3690c962a3c801dd1c1cf6e6e2c84ede95
2386baf4bf3a57ae7bca44c952855a98edf569da7b62bb0c8cbe414f1800d2b6
468b1799fbda3097b345a59bc1fec1cbc2a015efa473b043a69765a987ad54ed
4c1baa3abb774b4c649c87417acaa4396eba40e5028b43fade4c685a405cc3bf
53a24e00ae671879ea3677a29ee1b10706aa5aa0dccd4697c3a94ee05df2ec45
7146774db3c77e27b7eb48745aef56b50e0e7d87280fea03fa6890646af50d50
759246465014acaf3e75a575d6fe36720cfdbfe2eeac1893fe6d7a0474815552
827b5d8ed210a85bf06214e500a955f5ad72bd0afd90127de727eb7d5d70187e
98261d1f92ae8f7a479bc5fc4d0a8d6a76c0d534e63e9edbc2d6257a9ba84b9d
c1da6449513844277acc969aae853a502f177e92f98d37544f94a8987e6e2308
c8d2b2ba5b6585584200ca46564b47db8048d748aefbdfe537bceaf27fb93ad7
f21a7180405c52565fdc7a81b2fb5a494a3d936a25d1b30b9bd4b69a5e1de9a3

Domain

combinechina.com

Threat ID: 682c992c7960f6956616a159

Added to database: 5/20/2025, 3:01:00 PM

Last enriched: 6/19/2025, 5:47:43 PM

Last updated: 8/14/2025, 5:39:19 AM
