This threat report details network reconnaissance detected by IDS systems focusing on Fortigate VPN devices and git repository servers. The key technical detail involves repeated GET requests to the /remote/logincheck endpoint on Fortigate VPNs, linked to CVE-2023-27997, a vulnerability allowing authentication bypass or denial of service. The reconnaissance also includes HTTP probes against git repositories, which may lead to information disclosure if improperly secured. No active exploitation is reported, but the scanning activity signals attacker interest in identifying vulnerable targets. Fortinet has issued security advisories for CVE-2023-27997, recommending firmware updates. The threat actors used specific IP addresses for these probes, and the activity was observed across multiple countries.

If exploited, CVE-2023-27997 could allow attackers to bypass authentication on Fortigate VPN appliances or cause denial of service, potentially leading to unauthorized network access, data breaches, or service disruptions. The reconnaissance activity itself does not cause direct harm but indicates active scanning that could precede exploitation attempts. The git repository probes could expose sensitive source code or credentials if repositories are publicly accessible or misconfigured. No known active exploitation was reported at the time of this alert, and the overall impact is currently low but could increase if vulnerabilities remain unpatched.

Fortinet has released official security advisories addressing CVE-2023-27997; organizations should verify and update all Fortigate VPN appliances to the latest firmware versions. Implement strict access controls on VPN management interfaces, including limiting access to trusted IPs and enforcing multi-factor authentication. Monitor VPN login endpoints for unusual or repeated access attempts using rate limiting and anomaly detection. Audit git repositories and associated web servers to ensure no sensitive information is publicly accessible and enforce proper access controls. Maintain updated network intrusion detection and prevention systems to detect and block known scanning and exploitation attempts. Conduct threat hunting and log analysis focused on reconnaissance indicators related to VPN and repository access. Train security teams on indicators of compromise related to Fortigate VPN exploitation attempts and git repository probing. These measures address the specific threat vectors identified and are recommended beyond generic security practices.