Over 16,000 internet-connected Fortinet devices have been identified as having a new symlink backdoor that permits read-only access to sensitive data on previously compromised systems.
The Shadowserver Foundation, a threat monitoring platform, has stated that 14,000 machines were exposed. Earlier this week, Shadowserver's Piotr Kijewski told a local media source that the cybersecurity firm now recognises 16,620 devices affected by the newly discovered persistence method.
Last week, Fortinet notified customers that they had found a new persistence mechanism employed by a threat actor to maintain read-only remote access to files in the root filesystem of previously hacked but now patched FortiGate devices.
Fortinet stated that this was not due to the exploitation of new vulnerabilities, but rather to attacks beginning in 2023 and continuing into 2024, in which a threat actor used zero days to compromise FortiOS devices.
After gaining access to the devices, they made symbolic connections to the root file system on SSL-VPN-enabled devices in the language files folder. Even after the initial vulnerabilities were fixed, the threat actor could still access the root file system by browsing to the language files, which are publically available on FortiGate devices with SSL-VPN enabled.
"A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices. This was achieved via creating a symbolic link connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN. This modification took place in the user filesystem and avoided detection," Fortinet stated.
"Therefore, even if the customer device was updated with FortiOS versions that addressed the original vulnerabilities, this symbolic link may have been left behind, allowing the threat actor to maintain read-only access to files on the device's file system, which may include configurations.”
Earlier this month, Fortinet began discreetly notifying customers via email about FortiGate devices that FortiGuard discovered as being infected with this symlink backdoor.
In order to identify and eliminate this malicious symbolic link from compromised devices, Fortinet has released an improved AV/IPS signature.
Additionally, the firmware has been updated to the most recent version in order to detect and remove the link.
The upgrade also stops the integrated web server from serving unrecognised files and folders. Finally, if a device was identified as hacked, it is probable that the threat actors had access to the latest configuration files, including credentials.