Fortinet Warns Attackers Retain FortiGate Access Post-Patching via SSL-VPN Symlink Exploitation

April 11, 2025 Ravie Lakshmanan Network Security / Risk

Fortinet has revealed that threat actors have found a way to maintain read-only access to vulnerable FortiGate devices even after the initial access vector used to breach the devices was patched.

The attackers are believed to have leveraged known and now-patched security flaws, including, but not limited to, , , and .

The network security company said in an advisory released on Thursday that "a threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices." The symbolic link was created in a folder used to serve language files for the SSL-VPN, connecting the user file system and the root file system.

According to Fortinet, the modifications were made in the user file system and managed to evade detection, leaving the symbolic link (also known as a symlink) in place even after the security flaws that enabled the initial access were fixed.

This in turn made it possible for the threat actors to keep read-only access to files on the device's file system, including configurations. Customers who have never enabled SSL-VPN are not affected by the problem, though.
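
The pattern Fortinet describes, a link planted among SSL-VPN language files that resolves outside the user file system, is something a defender can sweep for on any appliance or server whose file system they can read. The following is an added example (not Fortinet's code, and the directory layout and file names are constructed and hypothetical, not FortiOS's real paths) that walks a tree and reports every symlink whose resolved target escapes that tree:

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(root: str) -> list[tuple[str, str]]:
    """Return (link_path, resolved_target) for every symlink below `root`
    whose final target lies outside `root`. Symlinked directories are
    reported but not descended into, so a link to / cannot blow up the walk."""
    root_real = os.path.realpath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # resolves chained links as well
            if os.path.commonpath([root_real, target]) != root_real:
                findings.append((path, target))
    return findings


def demo() -> list[str]:
    """Constructed layout (hypothetical paths): a 'user' tree holding
    SSL-VPN language files beside a separate tree standing in for the root
    file system. Returns the names of the links that were flagged."""
    with tempfile.TemporaryDirectory() as base:
        user_fs = Path(base) / "user_fs"
        root_fs = Path(base) / "root_fs"
        lang = user_fs / "sslvpn" / "lang"
        lang.mkdir(parents=True)
        (root_fs / "etc").mkdir(parents=True)
        (root_fs / "etc" / "config.conf").write_text("constructed sample config\n")
        (lang / "en.json").write_text("{}\n")
        # benign: a relative link that stays inside the user tree
        os.symlink("en.json", lang / "default.json")
        # the pattern from the advisory: a "language file" entry that is really
        # a link out of the user file system into the root file system
        os.symlink(root_fs, lang / "fr.json")
        hits = find_escaping_symlinks(str(user_fs))
        return sorted(os.path.basename(link) for link, _ in hits)


if __name__ == "__main__":
    print("escaping symlinks:", demo())  # ['fr.json']
```

Run it against the directory that actually serves static content (language files, themes, images) rather than the whole disk; a link from there to any ancestor or sibling tree is the finding worth triaging.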

While it's unclear who is responsible for the activity, Fortinet said its investigation showed that it wasn't directed at any particular industry or region. It added that it has already notified customers who were affected by the problem.

A number of software updates to FortiOS have been released as additional mitigations to prevent these issues from occurring again.

  • FortiOS 7.4, 7.2, 7.0, and 6.4 - The symlink was flagged as malicious so that the antivirus engine automatically removes it.
  • FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16 - The symlink was removed and the SSL-VPN UI has been modified to prevent the serving of such malicious symbolic links.

Customers are advised to update their instances to FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16, review device configurations, treat all configurations as potentially compromised, and carry out suitable recovery steps.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory of its own, urging users to reset exposed credentials and to consider disabling SSL-VPN functionality until the patches are applied. In a similar bulletin, the Computer Emergency Response Team of France (CERT-FR) stated that it is aware of compromises dating back as far as 2023.

watchTowr CEO Benjamin Harris said in a statement shared with The Hacker News that the incident is concerning for two crucial reasons.

First, Harris noted that "in-the-wild abuse is occurring much more quickly than organizations can fix." More importantly, adversaries are clearly aware of this reality.

"Second, and more terrifying," Harris said, "we have seen attackers frequently deploy capabilities and backdoors after rapid exploitation, designed to survive the patching, upgrade, and factory reset procedures that organizations rely on, in order to maintain persistence and access to compromised organizations."
