Fortinet has issued an advisory alerting users about a new post-exploitation technique being used by threat actors to maintain persistent read-only access to previously compromised FortiGate VPN devices, even after the original attack vector was patched.
The company said that the technique, which exploits older known vulnerabilities (CVE-2024-21762, CVE-2023-27997, and CVE-2022-42475), allows attackers to maintain access to sensitive parts of a compromised device’s file system, despite system updates that address the original flaws.
After breaching the device using one of these older vulnerabilities, attackers would create a symbolic link within the language files folder of devices with SSL-VPN enabled that connects the user filesystem to the root filesystem. This modification allows for read-only access to the device's file system.
"A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices. This was achieved via creating a symbolic link connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN," Fortinet’s advisory said. "This modification took place in the user filesystem and avoided detection. Therefore, even if the customer device was updated with FortiOS versions that addressed the original vulnerabilities, this symbolic link may have been left behind, allowing the threat actor to maintain read-only access to files on the device’s file system, which may include configurations."
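The persistence described above works because a symbolic link placed in a web-served language directory resolves to a location outside that directory. The following added example (not Fortinet's code, and not a FortiOS-specific tool) shows the general defender-side check: walk a served directory, resolve every symlink, and flag any whose target escapes the served tree. The directory layout it builds is constructed for the demo; the real paths on an appliance are not given on this page.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(served_root):
    """Return [(link_path, resolved_target)] for every symlink under served_root
    whose fully resolved target lies outside served_root."""
    root = Path(served_root).resolve()
    findings = []
    # followlinks=False (the default) lists symlinked dirs but does not descend into them
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = Path(os.path.realpath(link))
            if target != root and root not in target.parents:
                findings.append((str(link), str(target)))
    return findings


def run_demo():
    """Build a constructed layout: a fake root filesystem next to a served web
    tree whose language folder holds one benign symlink and one escaping symlink."""
    base = Path(tempfile.mkdtemp())
    fake_rootfs = base / "rootfs"                      # stands in for the device root fs
    (fake_rootfs / "data").mkdir(parents=True)
    (fake_rootfs / "data" / "config.conf").write_text("constructed sample config\n")
    lang_dir = base / "webroot" / "lang"               # stands in for the language files folder
    lang_dir.mkdir(parents=True)
    (lang_dir / "en.json").write_text("{}\n")
    os.symlink(lang_dir / "en.json", lang_dir / "en_alias.json")  # benign: stays inside webroot
    os.symlink(fake_rootfs, lang_dir / "xx")           # escaping: serves the fake root fs read-only
    return find_escaping_symlinks(base / "webroot")


if __name__ == "__main__":
    for link, target in run_demo():
        print(f"ESCAPING SYMLINK: {link} -> {target}")
```

Run it against the actual served directory on a host you administer to list only links whose resolved target leaves that tree; links that stay inside it are not reported.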
The new exploitation technique has been observed in widespread attacks, with France’s Computer Emergency Response Team (CERT-FR) confirming that numerous devices have been compromised using this method since early 2023.
Public scans by the Shadowserver Foundation revealed around 14,000 infected Fortinet devices exposed on the internet. The majority of the devices are located in the US (1,500), followed by Japan (600), Taiwan (600), China (500), and France (500). The attack has also spread to countries including Thailand, Turkey, Israel, Italy, Canada, India, Spain, Indonesia, and Malaysia, with over 300 compromised FortiOS devices detected globally.
Fortinet urges customers to take immediate action to safeguard their devices. The company recommends that users upgrade their FortiGate firewalls to the latest versions of FortiOS, specifically versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16, to ensure that malicious files used for persistence are removed.
Additionally, CERT-FR advises users to isolate compromised VPN devices from their networks, reset all credentials (including certificates, identity tokens, and cryptographic keys), and search for evidence of lateral movement within their networks.