Fortinet has recently identified a sophisticated post-exploitation technique employed by threat actors to maintain unauthorized access to FortiGate devices, even after the original vulnerabilities were patched. This discovery underscores the persistent risks associated with unpatched systems and highlights Fortinet’s commitment to transparency and rapid response.
Exploitation of Known Vulnerabilities
The threat actors initially exploited known vulnerabilities, specifically:
– CVE-2022-42475: Associated with FG-IR-22-398.
– CVE-2023-27997: Linked to FG-IR-23-097.
– CVE-2024-21762: Potentially related to FG-IR-24-015, though this connection remains unconfirmed.
These vulnerabilities provided the attackers with initial access to FortiGate devices.
Innovative Post-Exploitation Technique
In a novel approach, the attackers created a symbolic link between the user and root filesystems within a directory used for SSL-VPN language files. This manipulation granted them read-only access to device files, including sensitive configurations, without triggering standard detection mechanisms. Alarmingly, this symbolic link could persist even after the devices were updated to address the original vulnerabilities, leaving systems exposed to continued exploitation.
Scope of the Attack
Fortinet’s investigation, supported by internal telemetry and third-party collaboration, confirmed that this malicious activity was not confined to a specific region or industry. Notably, customers who had never enabled SSL-VPN on their devices were unaffected by this issue.
Fortinet’s Response and Mitigation Measures
Upon identifying this advanced technique, Fortinet’s Product Security Incident Response Team (PSIRT) took immediate action:
1. Detection and Removal: Released antivirus and intrusion prevention system (AV/IPS) signatures to detect and eliminate the malicious symbolic link.
2. Firmware Updates: Modified FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16 to remove the symbolic link and secure SSL-VPN functionality.
3. Customer Notification: Directly informed affected customers, urging them to upgrade to the latest firmware releases, review their configurations, and treat existing setups as potentially compromised.
Recommendations for FortiGate Users
Fortinet strongly advises all customers, regardless of whether they have been impacted, to:
– Upgrade Firmware: Update to the patched FortiOS versions mentioned above.
– Review Configurations: Examine device configurations for any unauthorized changes.
– Follow Recovery Steps: Adhere to the recovery procedures outlined in Fortinet’s community resources.
The urgency of timely updates is underscored by Fortinet’s 2H 2023 Global Threat Landscape Report, which found that threat actors exploit known vulnerabilities within an average of 4.76 days of public disclosure.
Enhanced Security Features
To bolster defenses against such sophisticated attacks, Fortinet has introduced several enhanced security features in recent updates, including:
– Compile-Time Hardening: Strengthening the software development process to reduce vulnerabilities.
– Virtual Patching: Applying patches to virtual environments to protect against known threats.
– Firmware Integrity Validation: Ensuring the authenticity and integrity of firmware updates.
– Automated Upgrade Tools: Implementing tools like Uninterrupted Cluster Upgrade and Automatic Patch Upgrades to streamline the update process.
Industry-Wide Collaboration
Fortinet continues to advocate for industry-wide collaboration to strengthen cybersecurity standards. The company emphasizes that staying vigilant and up to date is the best defense against today’s evolving cyber threats.
Conclusion
This incident reflects the evolving tactics of threat actors and the critical need for robust cyber hygiene. Fortinet remains committed to supporting its customers with proactive solutions and transparent communication to stay ahead of these threats.
