
Fortinet revealed that threat actors have found a way to maintain read-only access to vulnerable FortiGate devices even after the initial access vector used to compromise the device was patched.
The attacker is believed to have exploited known and currently patched security flaws, including, but not limited to, CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762.
“Threat actors are using known vulnerabilities to implement read-only access to vulnerable FortiGate devices,” the network security company said in an advisory released Thursday. “This was achieved by creating a symbolic link connecting the user file system and the root file system in the folder that is used to serve the language files for SSL-VPN.”

Fortinet said the changes were made in the user file system, which allowed them to evade detection, and the symbolic links (aka symlinks) remained in place even after the security holes responsible for the initial access were patched.
This allowed threat actors to maintain read-only access to files on the device’s file system, including the configuration. However, customers who have never enabled SSL-VPN will not be affected by this issue.
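The mechanism described above is a symlink planted inside a web-served directory whose resolved target escapes that directory. The following is an added example, not code from Fortinet or from the advisory, showing how a defender can audit such a directory for escaping links. The directory layout it builds (`<tmp>/device` standing in for a root file system, `<tmp>/device/www/lang` standing in for the served language-file folder) is constructed for the demo and is not FortiOS's actual path layout.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(served_dir):
    """Walk served_dir without following links and return sorted (link, target)
    pairs for every symlink whose fully resolved target lies outside served_dir.
    Links that stay inside the directory are ordinary and are not reported."""
    root = Path(served_dir).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # followlinks=False by default
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = link.resolve()  # follows the whole chain, even if dangling
            try:
                target.relative_to(root)  # raises ValueError when target is outside root
            except ValueError:
                findings.append((str(link.relative_to(root)), str(target)))
    return sorted(findings)


def build_demo():
    """Constructed layout (hypothetical paths, not FortiOS's own):
    <tmp>/device is a stand-in root file system and <tmp>/device/www/lang
    plays the served language-file directory. Returns (served_dir, device_root)."""
    base = Path(tempfile.mkdtemp())
    device = base / "device"
    lang = device / "www" / "lang"
    lang.mkdir(parents=True)
    (device / "etc").mkdir()
    (device / "etc" / "config.conf").write_text("hostname = demo\n")
    (lang / "en.json").write_text("{}")
    (lang / "en_alias.json").symlink_to("en.json")  # benign: stays inside lang/
    (lang / "escape").symlink_to(device)            # escapes: points at the root fs
    return str(lang), str(device.resolve())


if __name__ == "__main__":
    lang, device = build_demo()
    for link, target in find_escaping_symlinks(lang):
        print(f"ALERT: symlink {link} resolves outside the served directory -> {target}")
```

Running the script reports only the `escape` link; the `en_alias.json` link resolves to a file inside the served directory and is ignored. On a real appliance the same check belongs in an integrity or configuration audit that runs after patching, since patching the initial-access bug does not remove a link that was created earlier.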
It is not clear who is behind the activity, but Fortinet said its investigation shows that it is not targeted at a particular region or industry. The company also said it has directly notified customers affected by the issue.
A series of software updates for FortiOS have been deployed as a further mitigation to prevent such issues from occurring again:

- FortiOS 7.4, 7.2, 7.0, 6.4: the symlink was flagged as malicious and is automatically removed by the Antivirus Engine.
- FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17 and 6.4.16: the symlink has been removed and the SSL-VPN UI has been fixed to prevent such malicious links.
Customers are advised to update their instances to FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17 or 6.4.16, review the device configuration, treat all configurations as potentially compromised, and perform appropriate recovery steps.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued its own advisory, urging users to reset exposed credentials and consider disabling the SSL-VPN feature until the patches can be applied. In a similar bulletin, the French Computer Emergency Response Team (CERT-FR) said it was aware of compromises dating back to early 2023.

In a statement shared with The Hacker News, watchTowr CEO Benjamin Harris said the incident is concerning for two important reasons.
“Firstly, wild exploitation is much faster than organizations can patch,” Harris said. “More importantly, the attackers are clearly and deeply aware of this fact.”
“Secondly, and even more frightening, we’ve seen it many times after the rapid exploitation, designed to help attackers withstand the patch, upgrade and factory reset process that organizations rely on to keep functioning.”