Fortinet, a leading cybersecurity company, has uncovered a threat actor who has been exploiting known vulnerabilities in FortiOS to breach FortiGate devices and maintain undetected access. This threat actor has utilized a clever technique involving creating a symbolic link to maintain read-only access to files on the device’s file system, even after the original vulnerabilities were addressed.
Fortinet’s CISO, Carl Windsor, explained that the threat actor’s post-exploitation technique involved creating a symbolic link connecting the user filesystem and the root filesystem in a folder used for SSL-VPN language files. This modification allowed the threat actor to maintain access to files on the device’s file system, including configurations, without being detected. Despite updates to FortiOS that fixed the original vulnerabilities, the symbolic link could remain, providing ongoing access for the threat actor.
The threat actor has been exploiting CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762 to achieve remote code execution on vulnerable devices. Fortinet has released updated versions of FortiOS that automatically remove the malicious symbolic link and prevent further exploitation through the SSL-VPN user interface. Additionally, they have provided AV/IPS signatures to detect and clean the symbolic link from impacted devices.
Fortinet has issued a warning to customers who may have been affected by the threat actor’s activities, advising them to upgrade to the latest FortiOS versions, review device configurations, and take steps to secure their systems. The German Federal Office for Information Security (BSI) has also issued a security notice urging organizations to check for compromises and take protective measures.
In France, the French Computer Emergency Response Team (CERT-FR) has uncovered a widespread campaign targeting Fortinet devices through the same vulnerabilities. They recommend conducting a full investigation to determine the extent of the compromise and taking action to secure the network. Additionally, they advise on evaluating access credentials to prevent further leaks of sensitive data.
Despite security warnings and updates from Fortinet, vulnerable devices are still at risk. In Germany alone, nearly 700 FortiGate devices remain vulnerable to CVE-2024-21762. This highlights the importance of promptly applying patches and implementing additional security measures to protect against ongoing threats.
In conclusion, the threat actor’s exploitation of FortiOS vulnerabilities to breach FortiGate devices underscores the importance of constant vigilance and proactive security measures. Organizations must remain vigilant, apply updates promptly, and conduct thorough security assessments to protect against evolving cybersecurity threats.