Fortinet has disclosed that attackers have managed to maintain read-only access to vulnerable FortiGate devices even after patching the initial breach vector.
The threat actors exploited known and patched security vulnerabilities such as CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762.
“A threat actor utilized a known vulnerability to establish read-only access to vulnerable FortiGate devices,” stated the network security company in a recent advisory. “This was accomplished by creating a symbolic link between the user file system and the root file system within a folder used for SSL-VPN language files.”
Fortinet noted that, because the modification was made in the user file system rather than the root file system, it evaded detection and survived the patches for the initial-access vulnerabilities: the symbolic link left behind continued to grant read-only access to the device's file system even after those vulnerabilities were fixed.
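To make the mechanism concrete, the following is an added example and not Fortinet's code or the real FortiOS layout: it builds a constructed directory tree in a temporary folder (the names root, data/lang, config/system.conf and the link name x are placeholders), shows how a static-file handler that follows symlinks turns a planted link in a served language-files folder into a read-only window onto the rest of the file system, shows a hardened handler that refuses paths resolving outside the served directory, and includes a walk that flags symlinks whose target escapes that directory.

```python
"""Added example (not Fortinet's code, not the real FortiOS layout).

Demonstrates: (1) a symlink planted in a web-served directory, (2) a naive
file handler that follows it, (3) a hardened handler that rejects it, and
(4) a scan that finds such links. All paths below are constructed placeholders.
"""
import os
import tempfile


def find_escaping_symlinks(served_dir):
    """Return (link, raw_target, resolved_target) for every symlink under
    served_dir whose resolved target lies outside served_dir."""
    served_real = os.path.realpath(served_dir)
    findings = []
    # os.walk does not descend into symlinked dirs by default, which is what
    # we want: we only need to inspect the link itself, not its contents.
    for dirpath, dirnames, filenames in os.walk(served_dir):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                resolved = os.path.realpath(full)
                if os.path.commonpath([served_real, resolved]) != served_real:
                    findings.append((full, os.readlink(full), resolved))
    return findings


def naive_read(served_dir, requested):
    """Static-file handler that simply joins and opens: it follows symlinks,
    so a planted link exposes whatever it points at (the flaw in question)."""
    path = os.path.join(served_dir, requested)
    with open(path, "rb") as fh:
        return fh.read()


def hardened_read(served_dir, requested):
    """Same handler, but resolves symlinks first and refuses anything that
    ends up outside the served directory."""
    served_real = os.path.realpath(served_dir)
    resolved = os.path.realpath(os.path.join(served_dir, requested))
    if os.path.commonpath([served_real, resolved]) != served_real:
        raise PermissionError("path resolves outside served dir: " + requested)
    with open(resolved, "rb") as fh:
        return fh.read()


def build_demo():
    """Constructed layout (placeholder names): a 'root' holding a secret
    config, and a served language-files folder containing one legitimate
    file plus a planted symlink named 'x' that points back at 'root'.
    Returns (root, served_dir) with root already realpath-resolved."""
    base = os.path.realpath(tempfile.mkdtemp())
    root = os.path.join(base, "root")
    secret = os.path.join(root, "config", "system.conf")
    served = os.path.join(root, "data", "lang")
    os.makedirs(os.path.dirname(secret))
    os.makedirs(served)
    with open(secret, "w") as fh:
        fh.write("set admin-password <constructed-sample>\n")
    with open(os.path.join(served, "en.json"), "w") as fh:
        fh.write('{"login": "Login"}\n')
    os.symlink(root, os.path.join(served, "x"))  # the planted link
    return root, served


if __name__ == "__main__":
    root, served = build_demo()
    # The naive handler happily serves the config through the symlink.
    print(naive_read(served, "x/config/system.conf").decode())
    # The hardened handler refuses the same request.
    try:
        hardened_read(served, "x/config/system.conf")
    except PermissionError as exc:
        print("blocked:", exc)
    # The scan reports the planted link and where it really points.
    for link, raw, resolved in find_escaping_symlinks(served):
        print("escaping symlink:", link, "->", raw, "(resolves to", resolved + ")")
```

The scan is the piece worth keeping: run `find_escaping_symlinks` over any directory a web server exposes, on a schedule or after patching, since a link that resolves outside the served tree is exactly the kind of artifact a vulnerability patch will not remove on its own.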
The company recommended customers update to FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16, review device configurations, and take necessary recovery steps.
Furthermore, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory advising users to reset exposed credentials and consider disabling SSL-VPN functionality until patches are applied.
watchTowr CEO Benjamin Harris expressed concern over the incident, highlighting how quickly such vulnerabilities are exploited and how attackers deploy backdoors to maintain persistence and access within compromised organizations.
Harris also noted the identification of backdoor deployments across critical infrastructure organizations within the watchTowr client base.