This threat intelligence report details network reconnaissance activity detected by IDS systems, focusing on attempts to exploit CVE-2023-27997, a known vulnerability in Fortigate VPN devices that allows unauthenticated attackers to bypass authentication and execute arbitrary commands. Indicators include repeated GET requests to the vulnerable endpoint, inbound requests to hidden environment files, and suspicious user-agent strings associated with InfoBot malware. Although the vulnerability is publicly disclosed and patched, ongoing scanning suggests attackers are still probing for vulnerable systems. The report does not indicate active exploitation or ransomware use but highlights the importance of monitoring and securing Fortigate VPNs and web services against reconnaissance and potential exploitation.

Successful exploitation of CVE-2023-27997 could allow attackers to bypass authentication on Fortigate VPN devices, potentially leading to unauthorized internal network access, data breaches, lateral movement, and further compromise. Reconnaissance targeting hidden environment files may expose sensitive configuration or credential information, increasing the risk of subsequent attacks. Suspicious InfoBot user-agent activity suggests automated scanning that could precede targeted attacks or malware deployment. While current activity is low-severity reconnaissance without known active exploits, unpatched or exposed Fortigate VPNs remain at risk of significant compromise if exploited.

A fix for CVE-2023-27997 is available; organizations should ensure all Fortigate VPN devices are updated to the latest firmware versions that address this vulnerability. Network administrators should monitor IDS/IPS alerts for repeated requests to /remote/logincheck and investigate suspicious activity promptly. Access to VPN management interfaces should be restricted to trusted IP addresses, and multi-factor authentication should be implemented to reduce unauthorized access risk. Web servers must be configured to deny access to hidden environment files using proper permissions and server rules. Deploying web application firewalls (WAFs) to detect and block suspicious requests targeting vulnerable endpoints is recommended. Regularly audit logs for suspicious user-agent strings like InfoBot and block malicious IP addresses at the firewall. Conduct threat hunting focused on reconnaissance indicators and maintain up-to-date threat intelligence feeds to stay informed of emerging threats.