Recently, a significant cybersecurity threat has emerged, affecting over 16,000 Fortinet devices worldwide. These devices have been compromised with a symlink backdoor, granting attackers read-only access to sensitive files on previously breached systems. This alarming situation highlights the ongoing risks associated with cyberattacks and the importance of robust security measures.

Details of the Compromise

The Shadowserver Foundation, a threat monitoring organization, initially reported that 14,000 Fortinet devices were affected. However, the number has now increased to 16,620 devices. This escalation underscores the widespread nature of the threat and the need for immediate action.

Mechanism of the Attack

Fortinet recently alerted its customers about a new persistence mechanism used by attackers to maintain access to the root filesystem of compromised FortiGate devices. This method does not exploit new vulnerabilities but leverages zero-day attacks that began in 2023 and are expected to continue into 2024.

  • Symbolic Links: Attackers created symbolic links in the language files folder, which are publicly accessible on devices with SSL-VPN enabled.
  • Persistent Access: This technique allows attackers to retain read-only access to the root filesystem, even after vulnerabilities are patched.

Fortinet's Response and Recommendations

In response to this threat, Fortinet has taken several steps to mitigate the impact and protect its customers. The company has released an updated AV/IPS signature to detect and remove the malicious symbolic link from compromised devices. Additionally, the latest firmware version has been enhanced to prevent unknown files and folders from being served by the built-in webserver.

Actionable Steps for Users

Fortinet has begun notifying affected customers via email, urging them to take immediate action. If a device is detected as compromised, it is crucial to reset all credentials and follow the recommended security measures provided by Fortinet.

  • Update Firmware: Ensure that all devices are running the latest firmware version to benefit from enhanced security features.
  • Reset Credentials: Change all passwords and credentials to prevent unauthorized access.
The link has been copied!