Vulnerable U
Attackers Target FortiGate Devices With New Post-Exploit Technique

A threat actor has been observed exploiting several known Fortinet vulnerabilities and using a new technique post-exploitation to maintain access to the compromised devices long term. The attacks have targeted a small subset of Fortinet customers and the company said it has communicated with them about the intrusions.
The exploitation targeted three known bugs: CVE-2024-21762, CVE-2023-27997, and CVE-2022-42475. All of those vulnerabilities have been public for some time and the details are well-known. Recently, Fortinet researchers discovered a threat actor exploiting those bugs to gain read-only access to FortiGate devices. The attacks only affected customers who had the SSL-VPN functionality enabled.
“A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices. This was achieved via creating a symbolic link connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN. This modification took place in the user filesystem and avoided detection,” the Fortinet advisory says.
“Therefore, even if the customer device was updated with FortiOS versions that addressed the original vulnerabilities, this symbolic link may have been left behind, allowing the threat actor to maintain read-only access to files on the device’s file system, which may include configurations.”
After discovering the intrusions, Fortinet researchers created a signature to identify and remove the malicious symbolic link from affected devices, and also released software updates that deploy additional mitigations. The company recommends that customers upgrade to FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17 or 6.4.16.
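As an added illustration, not Fortinet's signature or any FortiOS code, the check below walks a directory that a web portal serves and flags every symbolic link whose resolved target lies outside that tree, which is the kind of artefact the advisory describes. The directory names and sample files are constructed stand-ins, since the article does not give the real FortiOS paths.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(served_dir: str) -> list[tuple[str, str]]:
    """Return (link_path, resolved_target) for each symlink under served_dir
    whose target resolves outside served_dir.

    A link that stays inside the served tree is ordinary; one that resolves
    to the device's root filesystem (or anywhere else outside the tree) lets
    a web handler read files it was never meant to serve, so it is alerted on.
    """
    root = Path(served_dir).resolve()
    findings = []
    # followlinks=False: never descend through the very links being audited
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            try:
                target = p.resolve(strict=True)
            except (OSError, RuntimeError):
                # dangling or looping link: still anomalous, report raw target
                findings.append((str(p), os.readlink(p)))
                continue
            if target != root and root not in target.parents:
                findings.append((str(p), str(target)))
    return findings


def demo() -> list[tuple[str, str]]:
    """Constructed layout: a 'lang' folder served by a VPN portal containing
    one legitimate in-tree link and one link escaping to a fake root fs."""
    base = Path(tempfile.mkdtemp())
    fake_root = base / "rootfs"      # stand-in for the device root filesystem
    (fake_root / "etc").mkdir(parents=True)
    (fake_root / "etc" / "config.conf").write_text("constructed sample config\n")
    lang = base / "data" / "lang"    # stand-in for the language-file directory
    lang.mkdir(parents=True)
    (lang / "en.json").write_text("{}\n")
    os.symlink(lang / "en.json", lang / "en_alias.json")  # benign, stays in tree
    os.symlink(fake_root, lang / "sys")                   # escapes to the root fs
    return find_escaping_symlinks(str(lang))


if __name__ == "__main__":
    for link, target in demo():
        print(f"ALERT: symlink {link} resolves outside served tree -> {target}")
```

Run against a real served directory, only the escaping link would be reported; the in-tree alias is deliberately left alone so the check does not drown in legitimate links.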
“With regard to this incident, we have communicated directly with identified impacted customers who need to take action based on available telemetry. However, we recommend all customers to upgrade to one of these recommended versions regardless,” the advisory says.