Alert, readers of HackingBlogs — There have recently been reports of a significant wave of Fortinet device hacks. The Shadowserver Foundation claims that a threat actor has exploited known vulnerabilities to compromise more than 14,000 Fortinet devices globally.
Treat all configuration as potentially compromised,”
National Cyber Security Centre of New Zealand warns.
The use of a symlink-based persistence technique, which enables the attackers to sustain long-term access, is even more alarming. This is a planned, worldwide attack that many people are unaware of; it is not just another widespread exploit.
What Did Shadowserver Say About the Fortinet Attack?
“Even if the customer device was updated with FortiOS versions that addressed the original vulnerabilities, this symbolic link may have been left behind, allowing the threat actor to maintain read-only access to files on the device’s file system, which may include configurations,”
Fortinet’s advisory reads.
A critical-level compromise affecting more than 14,000 Fortinet devices globally has been reported by the Shadowserver Foundation. Due to known but unpatched vulnerabilities in these systems, attackers were able to install a symlink-based persistence method, which enables them to continue having access for an extended period of time without being discovered.
In this instance, Fortinet devices were marked as “fortinet-compromised” in Shadowserver’s threat tracking systems, and the attacks are a part of a larger pattern of web-accessible compromises (e.g., via webshells or implants). Shadowserver advises users to act responsibly and handle these systems as though they have more undetected bugs.
Fortinet’s Threat Actor Analysis: Key Takeaways You Should Know
A thorough examination of recent attacks against Fortinet’s FortiGate devices was published, and it exposed a clever post-exploitation method that let threat actors keep access long after vulnerabilities were fixed.
What Did the Threat Actor Do?
Devices without SSL-VPN enabled are not affected.
- Took advantage of known, unpatched vulnerabilities (such as FG-IR-22-398, FG-IR-23-097, and FG-IR-24-015).
- The user and root filesystems in a hidden folder used by the SSL-VPN service were connected via a symbolic link (symlink).
- Potentially critical configuration files were accessible to them read-only because to this symlink.
- Despite patching, this malicious link may continue to exist secretly, knowingly exposing systems.
Fortinet’s Mitigation & Response
With AV/IPS signatures, enhanced firmware protections, and direct customer interaction, Fortinet reacted quickly. This is what they advise:
- Select a version from 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16 and upgrade right away.
These versions automatically identify the symbolic link and eliminate it. - Examine and scan every device’s settings.
- Consider that configuration data might have been accessed; take precautions to confirm and restore from fresh backups.
