
Fortinet has revealed that threat actors have found a way to maintain read-only access to vulnerable FortiGate devices even after the initial access vector used to breach the devices was patched.
The attackers are believed to have leveraged known and now-patched security flaws, including, but not limited to, CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762.
"A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices," the network security company said in an advisory issued on Thursday. "This was achieved via creating a symbolic link connecting the user file system and the root file system in a folder used to serve language files for the SSL-VPN."
Fortinet said the modifications took place in the user file system and managed to evade detection, so the symbolic link (aka symlink) was left behind even after the security holes responsible for the initial access had been patched.
This, in turn, enabled the threat actors to maintain read-only access to files on the device's file system, including its configuration. Customers who have never enabled SSL-VPN are not affected by the issue.
It is not clear who is behind the activity, but Fortinet said its investigation indicated that it was not aimed at a specific region or industry. It also said it directly notified the customers affected by the issue.
As a further mitigation to prevent such problems from recurring, a series of software updates for FortiOS has been rolled out –
- FortiOS 7.4, 7.2, 7.0, 6.4 – The symlink was flagged as malicious so that it would be automatically removed by the antivirus engine
- FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16 – The symlink was removed and the SSL-VPN UI has been modified to prevent the serving of such malicious symbolic links
Customers are advised to update their instances to FortiOS version 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16, review device configurations, and treat all configurations as potentially compromised, performing the appropriate recovery steps.
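The persistence mechanism above relies on a symlink inside a web-served directory resolving to a location outside it (here, the root file system). The following added example, written for this article and not code from Fortinet or the advisory, shows the defensive check the second round of updates amounts to: walk a served directory and report every symlink whose resolved target escapes it. The directory name, file names and the constructed sample tree are assumptions for illustration.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(served_dir):
    """Return (link, raw_target, resolved_target) for every symlink under served_dir
    whose resolved target lies outside served_dir, plus any dangling/looping link."""
    root = Path(served_dir).resolve()
    findings = []
    # followlinks=False (the default) so we never descend into a symlinked directory
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            raw = os.readlink(link)
            try:
                target = link.resolve(strict=True)
            except (OSError, RuntimeError):
                # Dangling or self-referencing link: unresolvable, still worth reporting
                findings.append((str(link), raw, "unresolvable"))
                continue
            # Inside the served tree only if the target is root itself or a descendant of it
            if target != root and root not in target.parents:
                findings.append((str(link), raw, str(target)))
    return findings


def build_demo():
    """Constructed sample tree (not a real FortiGate layout): a 'lang' directory holding
    one benign in-tree alias and one link that escapes to the root file system."""
    base = Path(tempfile.mkdtemp())
    lang = base / "lang"
    lang.mkdir()
    (lang / "en.json").write_text("{}")
    (lang / "en_alias.json").symlink_to(lang / "en.json")  # benign: stays inside lang/
    (lang / "sys").symlink_to("/")                          # escapes: exposes the root fs
    return str(lang)


if __name__ == "__main__":
    for link, raw, resolved in find_escaping_symlinks(build_demo()):
        print(f"escaping symlink: {link} -> {raw} (resolves to {resolved})")
```

Creating symlinks requires no special privilege on Linux; on Windows the demo tree needs an elevated or Developer Mode session.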
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory of its own, urging users to reset exposed credentials and disable SSL-VPN functionality until the patches can be applied. In a similar bulletin, France's Computer Emergency Response Team (CERT-FR) said it is aware of compromises dating back to early 2023.
In a statement shared with The Hacker News, watchTowr CEO Benjamin Harris said the incident is a concern for two important reasons.
"First, in-the-wild exploitation is getting much faster than organizations can keep up with," Harris said. "More importantly, the attackers are deeply aware of this fact."
"Second, and more terrifying, we have seen, many times, attackers deploy capabilities and backdoors after rapid exploitation that are designed to survive the patching, upgrade and factory reset processes organizations have trusted to mitigate these situations, in order to maintain persistence and keep organizations compromised."
Harris also stated that the deployment of backdoors has been identified across the watchTowr client base, and that they are "seeing the impact on organizations that many would clearly say are critical infrastructure."