Attackers have employed a sophisticated method to maintain remote access to compromised Fortinet devices even after the devices have been patched. According to a recent report, attackers have planted symbolic links on the hacked devices, allowing them to exploit known vulnerabilities and retain remote, read-only access to FortiGate next-generation firewalls.
Fortinet, the vendor of the compromised devices, disclosed that threat actors utilized a known vulnerability to establish read-only access to vulnerable FortiGate devices by creating a symbolic link connecting the user filesystem with the root filesystem. This modification, which took place in the user filesystem, remained undetected even after the devices were updated with patches addressing the original vulnerabilities. As a result, threat actors were able to continue accessing files on the device’s file system, potentially including sensitive configurations.
The Shadowserver Foundation, conducting internet scans, identified approximately 1,700 compromised devices in the United States, with significant numbers also found in Taiwan, China, Japan, and France, among other countries. This increasing count of affected devices highlights the widespread impact of the attack.
Benjamin Harris, CEO of watchTowr, emphasized the concerning trend of attackers maintaining persistence even after vulnerabilities are patched. He noted that attackers deploy backdoors and capabilities to survive patching and maintain access to compromised organizations, underscoring the need for enhanced security measures.
The attack on Fortinet devices reflects a broader trend where hackers, particularly nation-state threat actors, target network edge devices as entry points into corporate networks. Despite being designed for network security, edge devices often have slow patch rates and harbor numerous zero-day vulnerabilities, making them attractive targets for attackers.
The vulnerabilities exploited by attackers through malicious symbolic links include heap-based buffer overflow vulnerabilities in FortiOS SSL-VPN, FortiProxy SSL-VPN, and FortiProxy. The U.S. Cybersecurity and Infrastructure Security Agency issued an alert warning about the attack vector’s potential impact on device file systems.
Fortinet has taken proactive measures to mitigate the attack, recommending that customers upgrade FortiOS to versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16. These updates include removing malicious links, updating the SSL-VPN user interface, and enhancing antivirus and intrusion prevention systems to block the attack vector.
While fully patched devices may still be vulnerable, Fortinet advises organizations to review device configurations, consider them potentially compromised, and follow recovery guidance, including resetting credentials if necessary. The importance of keeping devices up to date and implementing rapid patching to thwart cyber threats is emphasized to prevent future security breaches.
In conclusion, the attack on Fortinet devices underscores the evolving nature of cyber threats and the need for organizations to remain vigilant, update their security measures, and respond promptly to vulnerabilities to safeguard their networks and data.