Organizations running Fortinet FortiGate or Citrix NetScaler technologies should be aware of active exploitation attempts originating from the IP range 178.22.24.0/24, attributed to AS209290 (GALEON-AS), a network registered to Galeon LLC, based in Moscow, Russia.
Security analysts have observed sustained malicious activity from this range, with evidence suggesting an automated campaign aimed at vulnerable perimeter systems.
Indicators of Compromise (IOCs)
Sample IP addresses involved in the attack activity:
Every sampled address falls within the subnet 178.22.24.0/24, which should be treated as hostile and blocked where appropriate.
Associated Vulnerabilities
This threat activity aligns with known exploit patterns targeting the following critical vulnerabilities:
Fortinet
- CVE-2023-27997 — FortiOS & FortiProxy SSL-VPN RCE (“XORtigate”)
  [Unauthenticated RCE via heap-based buffer overflow]
  [CVSS: 9.8]
- CVE-2022-40684 — FortiOS & FortiProxy Authentication Bypass
  [Enables an attacker to modify system configurations via crafted requests]
  [CVSS: 9.6]
Citrix NetScaler
- CVE-2023-3519 — Citrix ADC and Gateway RCE
  [Unauthenticated code execution vulnerability commonly exploited in the wild]
  [CVSS: 9.8]
- CVE-2022-27510/27518 — Authorization bypass and sensitive information disclosure
  [Known to be chained in multi-stage attacks]
These vulnerabilities have been actively weaponized by threat actors in past campaigns and are being used in the wild against unpatched systems.
Threat Intelligence Profile
- AS Number: AS209290
- Net Range: 178.22.24.0/24
- Registrant: Galeon LLC, Moscow, Russia
- Abuse Contact: info@galeonllc.ru
- Registry Source: RIPE NCC
- TTPs Observed:
  - Automated scanning and exploit delivery
  - Possible reverse shell attempts post-exploitation
  - TLS-based obfuscation over non-standard ports
Multiple IPs within this range have been listed in various public and private threat feeds including abuse.ch, GreyNoise, and Shadowserver over the past 30 days.
Snort / Suricata / YARA Detection
For organizations with internal detection capabilities, the following signatures may help in identifying related activity:
Snort/Suricata (Sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"Potential Fortinet SSL-VPN Exploit Attempt"; flow:to_server,established; content:"POST"; http_method; content:"/remote/login"; http_uri; classtype:attempted-admin; sid:20250728; rev:1;)
YARA (Simplified Sample)
rule Fortinet_SSLVPN_Exploit
{
    meta:
        description = "Detects known exploit strings targeting Fortinet SSL-VPN"
        author = "Critical Path Security"
    strings:
        $a = "POST /remote/login" ascii
        $b = "vpnuser"
    condition:
        all of them
}
These signatures are intended as high-level examples and should be refined and tested before production use.
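As an added illustration, not part of the original advisory or its signatures, the following Python script applies the same two checks offline to historical logs: a source address inside 178.22.24.0/24, and a POST to /remote/login from that range. The log format, field names and sample lines are assumptions constructed for this example, not a FortiGate or NetScaler log format.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Subnet called out in the advisory; treated as hostile in its entirety.
HOSTILE_NETS = [ipaddress.ip_network("178.22.24.0/24")]

# URI path used by the advisory's Snort sample (FortiOS SSL-VPN login endpoint).
WATCHED_PATHS = {"/remote/login"}

# Constructed log format for this example (assumption, not a vendor format):
# "<iso-timestamp> src=<ip> dst_port=<port> method=<verb> uri=<path> status=<code>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst_port=(?P<port>\d+) "
    r"method=(?P<method>[A-Z]+) uri=(?P<uri>\S+) status=(?P<status>\d+)$"
)

@dataclass
class Hit:
    ts: str
    src: str
    reason: str

def in_hostile_range(ip: str) -> bool:
    """True if ip parses and falls inside any advisory-listed subnet."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in HOSTILE_NETS)

def classify(line: str) -> Optional[Hit]:
    """Return a Hit for lines worth correlating, None for everything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skip rather than guess
    src, method, uri = m["src"], m["method"], m["uri"]
    if not in_hostile_range(src):
        return None
    if method == "POST" and uri in WATCHED_PATHS:
        return Hit(m["ts"], src, "hostile-range POST to SSL-VPN login")
    return Hit(m["ts"], src, "connection from hostile range")

def scan_log(lines) -> List[Hit]:
    return [h for h in (classify(l) for l in lines) if h]

# Constructed sample lines: one benign login, one in-range exploit-shaped POST,
# one in-range probe on a non-standard port, one benign login from elsewhere.
SAMPLE_LOG = """\
2025-07-28T10:00:01Z src=203.0.113.5 dst_port=443 method=GET uri=/remote/login status=200
2025-07-28T10:00:02Z src=178.22.24.11 dst_port=443 method=POST uri=/remote/login status=401
2025-07-28T10:00:03Z src=178.22.24.200 dst_port=8443 method=GET uri=/ status=200
2025-07-28T10:00:04Z src=198.51.100.9 dst_port=443 method=POST uri=/remote/login status=200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src}: {hit.reason}")
```

Hits from the second reason are the ones to correlate with user activity and configuration changes on the appliance; the first reason alone only confirms that the block list is doing its job.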
Recommended Mitigations
Critical Path Security advises the following:
- Immediately block 178.22.24.0/24 at all external-facing firewalls and IPS devices.
- Patch Fortinet and Citrix appliances against the CVEs listed above. Prioritize firmware and configuration audits.
- Enable logging and monitoring on SSL VPN portals and ADC services.
- Correlate connection attempts from this IP block with user activity and system changes.
- Deploy threat detection rules via Suricata, Snort, or your preferred IDS/IPS where possible.
Organizations using third-party managed services should also coordinate with their providers to ensure protections are in place.
Conclusion
This campaign demonstrates the persistent and opportunistic nature of threat actors seeking to exploit unpatched edge infrastructure. With Fortinet and Citrix systems frequently targeted in ransomware precursors and access brokering schemes, the risk level is high.
Organizations unable to internally manage this threat exposure should consider leveraging Managed Detection and Response (MDR) or Extended Detection and Response (XDR) platforms.
If your team requires additional guidance, IOC analysis, or immediate remediation assistance, contact Critical Path Security today.