Fortinet Details External Attack on Devices

Attacker took advantage of a known vulnerability with a new technique.

A threat actor exploited known vulnerabilities to gain access to Fortinet devices, then used a new technique to maintain access to vulnerable FortiGate devices after the original entry point had been closed.

In a statement, Fortinet said that the attacker took advantage of a “known vulnerability with a new technique to maintain read-only access to vulnerable FortiGate devices.” This access persisted after the original access vector had been locked down.

It said: “Immediately upon discovery, we activated our PSIRT response efforts, developed necessary mitigations and have communicated with affected customers. We continue to work directly with those customers to ensure they have taken steps to remediate the issue.”

Modification

The technique involved creating a symbolic link connecting the user filesystem to the root filesystem, placed in a folder used to serve language files for the SSL-VPN.

Fortinet explained that this modification took place in the user filesystem and so avoided detection. “Therefore, even if the customer device was updated with FortiOS versions that addressed the original vulnerabilities, this symbolic link may have been left behind, allowing the threat actor to maintain read-only access to files on the device’s file system, which may include configurations.”
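The persistence described above relies on a symlink inside a web-served directory pointing outside that directory. As an added example (not code from Fortinet or from the article), here is a Python audit a defender could run over a copy of a served directory to flag any symbolic link whose resolved target escapes it; the directory layout, file names and link targets are constructed for the demonstration and are not real FortiOS paths.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Tuple


def find_escaping_symlinks(served_root: str) -> List[Tuple[str, str]]:
    """Walk served_root without following links and return
    (link_path, resolved_target) for every symlink whose final target
    lies outside served_root. Relative links that stay inside the tree
    (e.g. a default-language alias) are not reported."""
    root = Path(served_root).resolve()
    findings: List[Tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            candidate = Path(dirpath) / name
            if not candidate.is_symlink():
                continue
            # resolve() follows the whole link chain; a dangling link
            # still yields a path, so it is checked like any other
            target = candidate.resolve()
            try:
                target.relative_to(root)
            except ValueError:
                findings.append((str(candidate), str(target)))
    return findings


def build_sample_tree() -> str:
    """Constructed sample (hypothetical layout): a language-file folder with
    one benign relative symlink and one symlink into the root filesystem."""
    base = tempfile.mkdtemp(prefix="lang-audit-")
    lang = Path(base) / "lang"
    lang.mkdir()
    (lang / "en.json").write_text('{"login": "Login"}')
    os.symlink("en.json", lang / "default.json")  # stays inside the tree
    os.symlink("/", lang / "fr")                   # escapes to the root fs
    return str(lang)


if __name__ == "__main__":
    for link, target in find_escaping_symlinks(build_sample_tree()):
        print(f"ESCAPING SYMLINK: {link} -> {target}")
```

Run against a directory extracted from a device backup or a mounted image rather than on the appliance itself; a symlink into the root filesystem from a served folder is a finding worth treating as an indicator of tampering regardless of patch level.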

Fortinet has released a number of mitigations and recommended that all customers upgrade to the recommended versions regardless.

Unfortunate Saga

Benjamin Harris, CEO of watchTowr, said: “While this is an unfortunate saga for Fortinet, in a series of sagas, Fortinet is doing the right thing here with proactive and transparent communication - this should be commended.

“Worryingly, though, this builds on a concern we’ve seen across the industry for two important reasons. First, in-the-wild exploitation is becoming significantly faster than organisations can patch. More importantly, attackers are demonstrably and deeply aware of this fact. Second, and more terrifying, we have seen, numerous times, attackers deploy capabilities and backdoors after rapid exploitation designed to survive the patching, upgrade and factory reset processes organisations have come to rely on to mitigate these situations to maintain persistence and access to compromised organisations.

“This is straight-up terrifying. In high-profile situations, we may be entering a world where even updates, patching, and factory resets are insufficient to consider restoring appliance integrity.”

Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.