Pakistan issues Fortinet cybersecurity warning
- Pakistan's National CERT advises critical sectors to secure Fortinet systems against widespread global intrusions threatening sensitive data
ISLAMABAD: Pakistan’s National Computer Emergency Response Team (National CERT) has issued a critical cybersecurity advisory warning government institutions, banks, telecom operators, energy companies and other critical infrastructure operators to immediately secure their Fortinet firewall and virtual private network (VPN) systems after a massive global cyber intrusion campaign compromised nearly 74,000 internet-facing devices across 194 countries.
In its advisory, National CERT said security researchers had identified evidence of a widespread compromise affecting approximately 73,932 Fortinet FortiGate firewall instances, exposing administrative credentials and allowing unauthorized access to enterprise and critical infrastructure networks worldwide.
The advisory warned that the campaign poses an elevated cyber risk to Pakistan’s public and private sectors, particularly organizations using internet-exposed Fortinet FortiGate firewalls and SSL VPN gateways.
According to National CERT, the ongoing campaign is believed to be orchestrated by organized cybercriminal groups conducting large-scale credential harvesting, brute-force attacks, VPN credential cracking and post-compromise lateral movement to infiltrate internal networks.
The advisory said attackers exploited publicly accessible FortiGate management interfaces and legacy credential storage mechanisms to obtain administrative access and establish persistent footholds inside victim organizations.
“The scale, sophistication and active exploitation observed require organizations utilizing Fortinet FortiGate infrastructure to immediately assess their exposure, implement remediation measures and conduct threat-hunting activities,” the advisory stated.
National CERT cautioned that organizations failing to investigate and remediate affected systems could face unauthorized administrative access, compromise of VPN gateways, theft of sensitive credentials, Active Directory breaches, persistent backdoor installation, data exfiltration and manipulation of firewall security policies.
It further warned that compromised networks could expose sensitive corporate and government information, disrupt critical services and create supply-chain risks through unauthorized access to third-party systems.
The advisory identified government agencies, telecommunications companies, financial institutions, information technology firms, healthcare providers, educational institutions, manufacturing facilities, industrial automation operators, logistics companies and other critical infrastructure organizations among the sectors most at risk.
To detect possible compromise, National CERT urged organizations to investigate administrator logins from unusual geographic locations, after-hours access, newly created administrator accounts, suspicious VPN logins, unexpected firewall rule changes, unexplained privilege escalation, unusual outbound network traffic and signs of lateral movement within Active Directory environments.
As part of its emergency response guidance, National CERT directed organizations to immediately remove FortiGate management interfaces from public internet exposure, upgrade to the latest supported FortiOS versions, reset all administrator passwords and enforce multi-factor authentication (MFA) for both administrative and VPN accounts.
The advisory also recommended restricting management access to trusted networks, reviewing firewall policies and administrator accounts, enabling enhanced logging and continuously monitoring systems for suspicious activity.
Organizations have been advised to assume compromise if suspicious administrator logins are detected, rotate all administrative and service account credentials, investigate firewall and VPN logs, audit Active Directory environments for lateral movement and rebuild affected devices where compromise cannot be ruled out with confidence.
National CERT has categorized exposure reduction, credential rotation, MFA enforcement and threat hunting as critical priority actions, while configuration audits, Active Directory reviews, incident reporting and continuous monitoring have been classified as high-priority measures.
The cyber watchdog urged organizations to immediately report any suspected firewall compromise, unauthorized administrative access, VPN abuse or related malicious activity to National CERT through its incident reporting mechanisms, warning that the incident should be treated as a potential compromise rather than a routine software vulnerability requiring standard patch management.






















Comments