CyberSecurity news
FlagThis
@www.bleepingcomputer.com
//
Fortinet has issued critical fixes following the discovery of a new method employed by cyber attackers to maintain access to FortiGate devices, even after patches were applied. The attackers are exploiting vulnerabilities such as FG-IR-22-398, FG-IR-23-097, and FG-IR-24-015, creating a symlink that connects the user filesystem to the root filesystem within a folder used for SSL-VPN language files. This allows attackers to quietly read configuration files without triggering standard detection mechanisms. If SSL-VPN has never been enabled on a device, it is not affected by this vulnerability.
Fortinet has responded by launching an internal investigation, coordinating with third-party experts, and developing an AV/IPS signature to automatically detect and remove the symbolic link. Multiple updates have been released across different FortiOS versions, including 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16. These updates not only remove the backdoor but also modify the SSL-VPN interface to prevent future occurrences. Customers are strongly advised to update their instances to these FortiOS versions, review device configurations, and treat all configurations as potentially compromised, taking appropriate recovery steps.
The Shadowserver Foundation reports that over 16,000 internet-exposed Fortinet devices have been compromised with this new symlink backdoor. This backdoor grants read-only access to sensitive files on previously compromised devices. CISA has also issued an advisory urging users to reset exposed credentials and consider disabling SSL-VPN functionality until patches can be applied. This incident underscores a worrying trend where attackers are designing backdoors to survive even updates and factory resets, highlighting the need for organizations to prioritize rapid patching and proactive security measures.
ImgSrc: www.bleepstatic
References :
Fortinet has responded by launching an internal investigation, coordinating with third-party experts, and developing an AV/IPS signature to automatically detect and remove the symbolic link. Multiple updates have been released across different FortiOS versions, including 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16. These updates not only remove the backdoor but also modify the SSL-VPN interface to prevent future occurrences. Customers are strongly advised to update their instances to these FortiOS versions, review device configurations, and treat all configurations as potentially compromised, taking appropriate recovery steps.
The Shadowserver Foundation reports that over 16,000 internet-exposed Fortinet devices have been compromised with this new symlink backdoor. This backdoor grants read-only access to sensitive files on previously compromised devices. CISA has also issued an advisory urging users to reset exposed credentials and consider disabling SSL-VPN functionality until patches can be applied. This incident underscores a worrying trend where attackers are designing backdoors to survive even updates and factory resets, highlighting the need for organizations to prioritize rapid patching and proactive security measures.
ImgSrc: www.bleepstatic
Share:
References :
- Cyber Security News: 17,000+ Fortinet Devices Compromised in Massive Hack via Symbolic Link Exploit
- gbhackers.com: Over 17,000 Fortinet Devices Hacked Using Symbolic Link Exploit
- systemweakness.com: Fortinet Warns of Persistent Access Exploit in FortiGate Devices
- gbhackers.com: Over 17,000 Fortinet Devices Hacked Using Symbolic Link Exploit
- dashboard.shadowserver.org: Over 16,000 Fortinet devices compromised symlink backdoor
- thehackernews.com: Fortinet Warns Attackers Retain FortiGate Access Post-Patching via SSL-VPN Symlink Exploit
- www.bleepingcomputer.com: Over 16,000 Fortinet devices compromised with symlink backdoor
- cyberpress.org: Exposed KeyPlug Malware Staging Server Contains Fortinet Firewall and VPN Exploitation Scripts
- cybersecuritynews.com: Leaked KeyPlug Malware Infrastructure Contains Exploit Scripts to Hack Fortinet Firewall and VPN
- hunt.io: KeyPlug Server Exposes Fortinet Exploits & Webshell Activity Targeting a Major Japanese Company
- gbhackers.com: RedGolf Hackers Linked to Fortinet Zero-Day Exploits and Cyber Attack Tools
- Talkback Resources: APT41/RedGolf Infrastructure Briefly Exposed: Fortinet Zero-Days Targeted Shiseido
- Cyber Security News: Analysis of the exposed infrastructure linking RedGolf to exploitation tools.
- gbhackers.com: Security researchers have linked the notorious RedGolf hacking group to a wave of exploits targeting Fortinet firewall zero-days.
- securityonline.info: APT41/RedGolf Infrastructure Briefly Exposed: Fortinet Zero-Days Targeted Shiseido
- OpenVPN Blog: SonicWall VPN Exploited, 16,000 Fortinet Devices Compromised | OpenVPN
- cyberpress.org: RedGolf Hackers Unmasked: Fortinet Zero-Days and Attack Tools Exposed
- cyble.com: IT Vulnerability Report: Fortinet Devices Vulnerable to Exploit
- Cyber Security News: RedGolf Hackers Unmasked: Fortinet Zero-Days and Attack Tools Exposed
- securityonline.info: In a rare window into the operations of an advanced persistent threat, a KeyPlug-linked infrastructure briefly went live,
- fortiguard.fortinet.com: FG-IR-24-435
Classification:
- HashTags: #Fortinet #Cybersecurity #Vulnerability
- Company: Fortinet
- Target: Networks
- Attacker: China
- Product: FortiGate
- Feature: Symlink
- Malware: Symlink Backdoor
- Type: Vulnerability
- Severity: Major