Over 16,000 internet-exposed Fortinet devices have been detected as compromised with a new symlink backdoor that allows read-only access to sensitive files on previously compromised devices.
This exposure is being reported by threat monitoring platform The Shadowserver Foundation, which initially reported that 14,000 devices were exposed.
Today, Shadowserver's Piotr Kijewski told BleepingComputer that the cybersecurity organization now detects 16,620 devices impacted by the recently revealed persistence mechanism.
Last week, Fortinet warned customers that they had discovered a new persistence mechanism used by a threat actor to retain read-only remote access to files in the root filesystem of previously compromised but now patched FortiGate devices.
Fortinet said that this was not through the exploitation of new vulnerabilities but is instead linked to attacks starting in 2023 and continuing into 2024, where a threat actor used zero-days to compromise FortiOS devices.
Once they gained access to the devices, they created symbolic links in the language files folder pointing to the root file system on devices with SSL-VPN enabled. Because the language files are publicly accessible on FortiGate devices with SSL-VPN enabled, the threat actor could browse to that folder and gain persistent read access to the root file system, even after the initial vulnerabilities were patched.
"A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices. This was achieved via creating a symbolic link connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN. This modification took place in the user filesystem and evaded detection," Fortinet said.
"Therefore, even if the customer device was updated with FortiOS versions that addressed the original vulnerabilities, this symbolic link may have been left behind, allowing the threat actor to maintain read-only access to files on the device's file system, which may include configurations."
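As an added illustration of the mechanism described above (this is example code, not Fortinet's tooling or anything from the article), the following Python check walks a web-served folder and flags any symlink whose resolved target falls outside that folder. The directory layout it builds is constructed for the demo and stands in for the SSL-VPN language folder, whose real path the article does not give.

```python
import os
import tempfile
from pathlib import Path


def escaping_symlinks(served_dir):
    """Return (link, raw target, resolved target) for every symlink under
    served_dir whose resolved target lies outside served_dir.

    A symlink inside a publicly served folder that resolves to a location
    outside it lets the webserver expose files it was never meant to serve,
    which is the shape of the FortiGate language-folder persistence mechanism.
    """
    root = Path(served_dir).resolve()
    findings = []
    # followlinks=False: list symlinked directories but never descend into them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = link.resolve()  # follows the whole link chain
            # The target is "inside" only if it is root itself or a descendant.
            inside = target == root or root in target.parents
            if not inside:
                findings.append((str(link), os.readlink(link), str(target)))
    return findings


def demo():
    """Build a constructed served folder holding one benign symlink (stays
    inside the folder) and one escaping symlink (points at the root filesystem),
    then return the base names of the links the check flags."""
    served = Path(tempfile.mkdtemp()) / "lang"  # hypothetical served folder
    served.mkdir()
    (served / "en.json").write_text("{}")
    (served / "alias.json").symlink_to(served / "en.json")  # benign
    (served / "rootfs").symlink_to("/")                     # escapes to /
    return [os.path.basename(link) for link, _, _ in escaping_symlinks(served)]


if __name__ == "__main__":
    print(demo())  # ['rootfs']
```

In practice the same check is run against each directory the built-in webserver serves, and any hit is treated as a compromise indicator rather than a misconfiguration.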
This month, Fortinet began notifying customers privately by email about FortiGate devices detected by FortiGuard as being compromised with this symlink backdoor.
Source: BleepingComputer
Fortinet has released an updated AV/IPS signature that can detect and remove this malicious symbolic link from compromised devices. The latest version of the firmware has also been updated to detect and remove the link. The update also prevents unknown files and folders from being served by the built-in webserver.
Finally, if a device was detected as compromised, it is possible that the threat actors had access to the latest configuration files, including credentials.
Therefore, all credentials should be reset, and admins should follow the other steps in this guide.