Fortinet Devices Still Compromised: A Persistent Threat to Cybersecurity

 

Fortinet Devices Still Compromised: A Persistent Threat to Cybersecurity

By Edi Rimkus


In a concerning revelation, over 14,000 Fortinet VPN devices remain compromised despite patches being applied to address previous vulnerabilities. This persistent threat highlights the evolving tactics of cybercriminals and the critical need for thorough post-patch audits and proactive cybersecurity measures.

The Issue at Hand

Fortinet devices, specifically those running FortiOS with SSL-VPN functionality, have been targeted by attackers exploiting vulnerabilities dating back as early as 2023. Even after patches were applied, cybercriminals managed to maintain access through a post-exploitation technique involving symbolic links (symlinks). These symlinks act as shortcuts, connecting the user filesystem to the root filesystem, allowing attackers to retain read-only access to sensitive files.

Key Vulnerabilities Exploited

The attackers leveraged several known vulnerabilities, including:

  • CVE-2022-42475

  • CVE-2023-27997

  • CVE-2024-21762

These flaws enabled unauthorized access to device configurations, credentials, and key material. Even after updates were applied, the symlink modifications persisted, evading detection and allowing attackers to maintain access.

Global Impact

The Shadowserver Foundation's scans revealed the widespread nature of this compromise:

  • 14,300 infected devices globally.

  • Countries most affected:

    • United States (1,500 devices)

    • Japan (600 devices)

    • Taiwan (600 devices)

    • China (500 devices)

    • France (500 devices)

Other countries, including Thailand, Turkey, Israel, Italy, Canada, India, Spain, Indonesia, and Malaysia, also reported hundreds of compromised devices.

Real-World Examples

  1. Persistent Access: Attackers used symlinks to maintain access to sensitive files, including device configurations and credentials, even after patches were applied.

  2. Wide-Scale Exploitation: CERT-FR reported a massive campaign involving numerous compromised devices in France, with incidents dating back to early 2023.

  3. Evading Detection: The symlink mechanism allowed attackers to avoid detection by traditional security measures, emphasizing the need for advanced monitoring tools.

Recommendations for Mitigation

Fortinet and cybersecurity agencies worldwide have issued advisories to address this persistent threat:

  1. Upgrade to Latest FortiOS Versions: Ensure devices are updated to versions that can detect and remove symlinks from the filesystem.

  2. Review Configurations: Treat all configurations as potentially compromised and reset exposed credentials.

  3. Disable SSL-VPN Functionality: If patching is not immediately possible, consider disabling SSL-VPN functionality to prevent exploitation.

  4. Conduct Post-Patch Audits: Regularly audit systems after applying patches to ensure no residual vulnerabilities remain.

  5. Implement Advanced Monitoring: Deploy tools capable of detecting unusual activity, such as symlink modifications or unauthorized access attempts.

A Broader Lesson in Cybersecurity

This incident underscores the importance of proactive cybersecurity measures. It’s not enough to rely solely on patches—organizations must adopt a defense-in-depth strategy, combining regular audits, advanced monitoring, and user awareness training to mitigate risks effectively.

Final Thoughts
The persistence of attackers in exploiting Fortinet devices serves as a stark reminder of the evolving nature of cyber threats. By staying vigilant and implementing robust defenses, organizations can better protect themselves against future attacks. Let’s work together to build a safer digital environment.

Comments

Post a Comment

Popular posts from this blog

Hadooken: New Linux Malware Exploiting Oracle WebLogic Servers

Image
Hadooken: New Linux Malware Exploiting Oracle WebLogic Servers Introduction In the ever-evolving landscape of cybersecurity threats, a new player has emerged: Hadooken. This Linux malware specifically targets Oracle WebLogic servers, which are widely used for running critical applications in enterprises. Let’s dive into the details. What Is Hadooken? Attack Vector: Hadooken gains unauthorized access to WebLogic servers by exploiting weak passwords. Once inside, it remotely executes malicious code. Attack flow (Source – Aquasec) Payload Components: A shell script named “c” A Python script called “y” Cryptominer and DDoS Botnet Hadooken doesn’t stop at infiltration. It includes: A cryptominer: Hijacking server resources for cryptocurrency mining. The Tsunami malware: A DDoS botnet and backdoor, giving attackers full control. Persistence and Lateral Movement Hadooken ensures persistence by creating cron jobs. It can steal user credentials, allowing lateral movement within networks. But t...
Read more

Critical VMware HCX Vulnerability: What You Need to Know

Image
Critical VMware HCX Vulnerability: What You Need to Know (Image by  Shah Sheikh ) In a recent security advisory, VMware disclosed a critical vulnerability in its Hybrid Cloud Extension (HCX) platform. This vulnerability, identified as CVE-2024-38814, poses a significant threat to organizations using HCX for application mobility and workload migration across data centers and clouds. The Vulnerability The VMware HCX vulnerability is a form of SQL injection that allows authenticated users with non-administrator privileges to execute remote code on the HCX manager. With a CVSS score of 8.8, this high-severity vulnerability can be exploited by inserting malicious SQL queries into the HCX system, potentially granting attackers unauthorized access and control. Affected Versions VMware HCX 4.8.x VMware HCX 4.9.x VMware HCX 4.10.x Mitigation Steps To mitigate this vulnerability, VMware has released patches for the affected versions: HCX 4.8.3 HCX 4.9.2 HCX 4.10.1 Organizations using these v...
Read more

CVE-2024-8190: An OS Command Injection Vulnerability in Ivanti CSA: What You Need to Know

Image
Overview: CVE-2024-8190 is an OS command injection vulnerability found in Ivanti Cloud Services Appliance (CSA) versions 4.6 (before Patch 519) and earlier. The flaw allows a remote authenticated attacker with admin-level privileges to execute arbitrary code on the affected system. Attack Scenario: The attacker must first log into the CSA’s admin login page. While this initial login may seem like a hurdle, it’s not insurmountable in some cases. Dual-homed CSA configurations (where eth0 serves as an internal network) are less vulnerable, as recommended by Ivanti. However, not everyone follows these best practices. Users who accidentally misconfigure interfaces or have weak passwords are at risk. For instance, if an admin swaps the interfaces or configures only one interface, the CSA console could be exposed to the internet. Default login credentials (username: admin, password: admin) should be changed upon initial login. However, weak passwords and the lack of rate limiting for login at...
Read more