An investigation by Fortinet has uncovered a post-exploitation technique used by a threat actor. During this investigation, a threat actor was observed using known vulnerabilities (e.g. FG-IR-22-398, FG-IR-23-097, FG-IR-24-015) to gain access to Fortinet devices.
The targeting of known, unpatched vulnerabilities by a threat actor is not new and has been previously examined. This specific finding is the result of a threat actor taking advantage of a known vulnerability with a new technique to maintain read-only access to vulnerable FortiGate devices after the original access vector was locked down.
Immediately upon discovery, Fortinet activated its PSIRT response efforts, developed necessary mitigations, and communicated with affected customers. The cybersecurity company says it continues to work directly with those customers to ensure they have taken steps to remediate the issue.
Description
A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices. This was achieved via creating a symbolic link connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN.
This modification took place in the user filesystem and avoided detection. Therefore, even if the customer device was updated with FortiOS versions that addressed the original vulnerabilities, this symbolic link may have been left behind, allowing the threat actor to maintain read-only access to files on the device’s file system, which may include configurations.
Notably, if the customer has never had SSL-VPN enabled, then the customer is not impacted by this issue. As part of its investigation, Fortinet performed scans to identify impacted devices using internal telemetry and in collaboration with third-party organisations. The data indicates that this threat actor activity was not targeted to a specific region or industry.
Mitigation
Upon discovering the new technique used by the threat actor, Fortinet took steps to mitigate this issue and balance varying levels of cyber hygiene and challenges that the customer may face. Fortinet mitigation efforts included:
- An AV/IPS signature was created to detect and clean this symbolic link from impacted devices;
- Changes were made to the latest releases to detect and remove the symbolic link and ensure the SSL-VPN only serves the expected files; and
- Proactive communications urging customers to update their devices, carefully balancing communications to protect against further inadvertent compromise while delivering on our commitment to responsible transparency.
- FortiOS 7.4, 7.2, 7.0, 6.4: The symbolic link was flagged as malicious by the AV/IPS engine so that it would be automatically removed if the engine was licensed and enabled;
- FortiOS 7.6.2, 7.4.7, 7.2.11 & 7.0.17, 6.4.16: Upgrading to this release will remove the malicious symbolic link;
- FortiOS 7.6.2, 7.4.7, 7.2.11 & 7.0.17, 6.4.16: The SSL-VPN UI has been modified to prevent the serving of such malicious symbolic links.
- Upgrade all devices to 7.6.2, 7.4.7, 7.2.11 & 7.0.17 or 6.4.16;
- Review the configuration of all devices; and
- Treat all configuration as potentially compromised and follow the recommended steps to recover.
Do I need to upgrade?
It is critically important for all organisations to keep their devices up to date. Various government organisations have reported state-sponsored threat actors are targeting all vendors, including known but unpatched vulnerabilities. In general, the best defence against any known vulnerability is following good cyber hygiene practices, including upgrading.
The 2H 2023 Global Threat Landscape Report from FortiGuard Labs research found that threat actors are taking advantage of a known vulnerability on average 4.76 days after a new vulnerability was publicly disclosed. In this climate, both vendors and customers have a role to play.
Vendors must introduce robust security scrutiny at all stages of the product development life cycle and dedicate themselves to responsible transparency in their vulnerability disclosures. With more than 40,000 vulnerabilities recorded in 2024 based on data provided by NIST, it is also critical that customers maintain a strict patching regimen to reduce the risk of exploitation.
Regarding this incident, Fortinet has communicated directly with identified impacted customers who need to take action based on available telemetry. However, the company recommends all customers to upgrade to one of these recommended versions regardless.
Fortinet has also incorporated changes to further improve security features that address key customer challenges and are available for customers to take advantage of once upgraded to the latest release, including but not limited to:
- Additional compile-time hardening to raise the barrier for attack on products;
- Virtual patching to allow mitigation of issues prior to patching;
- Implementation of firmware integrity validation in hardware (BIOS);
- Introduction of Integrity Measurement Architecture (IMA) / Filesystem Integrity; and
- Auto-updates to seamlessly patch devices against vulnerabilities without administrator intervention.
- Fortinet continues to encourage its customers to leverage FortiOS best practice resources, including guidance for system hardening, as well as features that help customers automate the upgrade process, such as Uninterrupted Cluster Upgrade, Sub-second failover, Fail-over protection, Auto-restore configs / Configuration revisions, and Automatic / Scheduled patch upgrades.
