CyberSecurity news
FlagThis - #fortinet
|
Anna Ribeiro@Industrial Cyber
//
Fortinet's FortiGuard Labs has revealed a multi-year, state-sponsored cyber intrusion targeting critical infrastructure in the Middle East. The intrusion, attributed to an Iranian APT group likely Lemon Sandstorm, began as early as May 2023, with potential traces back to May 2021, and went undetected for nearly two years. Attackers gained initial access through compromised VPN credentials, deploying multiple web shells and custom backdoors throughout the infrastructure.
This Iranian APT exhibited significant operational discipline, constantly rotating tools, infrastructure, and access methods to maintain their foothold. After gaining access, they installed backdoors such as HanifNet, HXLibrary, and NeoExpressRAT. The attackers used in-memory loaders for Havoc and SystemBC to avoid detection, plus custom loaders to execute malware directly in memory, avoiding disk-based detection. Throughout the campaign, FortiGuard Labs identified at least five novel malware families, including HanifNet, NeoExpressRAT, HXLibrary, RemoteInjector, and CredInterceptor. The attackers also modified legitimate OWA JavaScript files to silently siphon credentials, disguising malicious scripts as legitimate traffic. The attackers used open-source proxy tools such as plink, Ngrok, Glider Proxy, and ReverseSocks5 to circumvent network segmentation. Recommended read:
References :
Krista Lyons@OpenVPN Blog
//
References:
Blog
, OpenVPN Blog
Multiple security vulnerabilities are currently being exploited in Fortinet and SonicWall products, posing a significant risk to organizations using these devices. The Cybersecurity and Infrastructure Security Agency (CISA) has taken notice, adding the SonicWall SMA100 Appliance flaw (CVE-2021-20035) to its Known Exploited Vulnerabilities catalog, urging federal agencies to apply mitigations by May 7, 2025. This vulnerability, which impacts SonicWall SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices, allows remote authenticated attackers to inject arbitrary operating system commands.
Attackers have been actively exploiting the SonicWall SMA100 vulnerability (CVE-2021-20035) since January 2025. SonicWall has updated its security advisory to reflect the current active exploitation of the flaw which can lead to code execution, as opposed to a denial-of-service. While the vulnerability affects SMA100 devices running older firmware, customers are urged to upgrade to the latest firmware. In addition to the SonicWall vulnerability, threat actors are employing new techniques to exploit a 2023 FortiOS flaw (CVE-2023-27997). This involves manipulating symbolic links during the device’s boot process, allowing attackers with prior access to maintain control even after firmware updates. Fortinet has released security updates for FortiOS and FortiGate. Organizations using Fortinet products should apply the latest patches. Similarly, SonicWall users are advised to upgrade to the fixed versions of firmware, specifically 10.2.1.1-19sv and higher, 10.2.0.8-37sv and higher, or 9.0.0.11-31sv and higher. With both SonicWall and CISA confirming the CVE-2021-20035 exploit, details about the attacks remain scarce. Recommended read:
References :
@hackread.com
//
References:
hackread.com
, hunt.io
,
A significant cybersecurity incident has come to light involving Fortinet devices. Reports indicate that over 16,000 internet-exposed Fortinet devices have been compromised using a symlink backdoor. This backdoor grants attackers read-only access to sensitive files, even after security patches are applied. The Shadowserver Foundation, a threat monitoring platform, has been tracking the situation and has reported the growing number of affected devices. This active exploitation underscores the critical need for organizations to implement security updates promptly and rigorously monitor their systems for any signs of suspicious activity.
Fortinet has acknowledged the attacks and has taken steps to address the issue. The company has released multiple updates across various FortiOS versions, including versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16. These updates not only remove the established backdoor but also modify the SSL-VPN interface to prevent similar occurrences in the future. Furthermore, Fortinet has launched an internal investigation and is collaborating with third-party experts to fully understand and mitigate the scope of the breach. An AV/IPS signature has also been developed to automatically detect and remove the malicious symlink. Concerns about espionage have also arisen after the exposure of a KeyPlug server. This server exposed Fortinet exploits and webshell activity, specifically targeting a major Japanese company, Shiseido. A recently exposed directory on infrastructure tied to KeyPlug malware revealed tooling likely used in active operations. The server was observed to be live for less than a day, highlighting the need for organizations to monitor for short-lived operational infrastructure. This discovery reveals the potential for advanced adversaries to maintain persistent access through sophisticated methods, making detection and remediation increasingly challenging. Recommended read:
References :
@www.bleepingcomputer.com
//
Fortinet has issued critical fixes following the discovery of a new method employed by cyber attackers to maintain access to FortiGate devices, even after patches were applied. The attackers are exploiting vulnerabilities such as FG-IR-22-398, FG-IR-23-097, and FG-IR-24-015, creating a symlink that connects the user filesystem to the root filesystem within a folder used for SSL-VPN language files. This allows attackers to quietly read configuration files without triggering standard detection mechanisms. If SSL-VPN has never been enabled on a device, it is not affected by this vulnerability.
Fortinet has responded by launching an internal investigation, coordinating with third-party experts, and developing an AV/IPS signature to automatically detect and remove the symbolic link. Multiple updates have been released across different FortiOS versions, including 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16. These updates not only remove the backdoor but also modify the SSL-VPN interface to prevent future occurrences. Customers are strongly advised to update their instances to these FortiOS versions, review device configurations, and treat all configurations as potentially compromised, taking appropriate recovery steps. The Shadowserver Foundation reports that over 16,000 internet-exposed Fortinet devices have been compromised with this new symlink backdoor. This backdoor grants read-only access to sensitive files on previously compromised devices. CISA has also issued an advisory urging users to reset exposed credentials and consider disabling SSL-VPN functionality until patches can be applied. This incident underscores a worrying trend where attackers are designing backdoors to survive even updates and factory resets, highlighting the need for organizations to prioritize rapid patching and proactive security measures. Recommended read:
References :
@www.bleepingcomputer.com
//
Over 16,000 Fortinet devices have been compromised due to a novel symlink backdoor, allowing attackers to maintain read-only access to sensitive files. This was reported by The Shadowserver Foundation. The attackers are exploiting known vulnerabilities in FortiGate devices, specifically targeting the SSL-VPN language file directory. By creating a symbolic link between the user filesystem and the root filesystem, attackers can bypass security measures and access critical files even after patches are applied.
Researchers observed that threat actors are leveraging a new method to exploit previously patched vulnerabilities in Fortinet's FortiOS, specifically targeting FortiGate VPN appliances. The original flaw, CVE-2023-27997, had a fix issued, but threat actors can still gain access by manipulating symbolic links during the device's boot process. This enables threat actors with prior access to maintain control over the device, even after firmware updates. The issue stems from how FortiOS handles file permissions and symlinks when restarting, allowing malicious files to persist and re-enable vulnerabilities that were supposedly fixed. Fortinet has responded by releasing several updates and new security measures to block further attacks. These measures include launching an internal investigation, coordinating with third-party experts, and developing an AV/IPS signature to detect and remove the symbolic link automatically. Multiple updates have been issued across different FortiOS versions, including 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16. These updates not only remove the backdoor but also modify the SSL-VPN interface to prevent future occurrences. Organizations are urged to upgrade to the latest secure versions to mitigate the risk. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
Fortinet has issued a critical security advisory addressing a high-severity vulnerability, CVE-2024-48887, affecting its FortiSwitch product line. The flaw, which scores a 9.3 on the CVSS scale, resides within the FortiSwitch GUI and presents an unverified password change vulnerability. A remote, unauthenticated attacker could exploit this vulnerability by sending a specially crafted request, allowing them to modify administrator passwords without proper authorization. This could lead to complete system compromise and unauthorized access to sensitive network resources.
Fortinet has identified several affected FortiSwitch versions and strongly urges users to upgrade to the fixed versions immediately. The affected versions include FortiSwitch 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.10, and 6.4.0 through 6.4.14. Corresponding upgrade paths are available for each version, with specific target versions provided to remediate the vulnerability. The company credited Daniel Rozeboom of the FortiSwitch web UI development team for discovering and reporting the security flaw. As immediate mitigation steps, Fortinet recommends disabling HTTP/HTTPS access from administrative interfaces and configuring trusted hosts to restrict network access to only authorized systems. These workarounds can help minimize the attack surface while users schedule and implement the necessary upgrades. While there is currently no evidence of active exploitation, given the severity and ease of exploitation, Fortinet emphasizes the importance of applying the patches as quickly as possible to prevent potential attacks. Recommended read:
References :
Bill Toulas@BleepingComputer
//
A new ransomware campaign is underway, leveraging critical vulnerabilities in Fortinet's FortiOS and FortiProxy systems. The SuperBlack ransomware, deployed by the cybercriminal group Mora_001, targets Fortinet firewalls by exploiting authentication bypass flaws, specifically CVE-2024-55591 and CVE-2025-24472. Once inside, attackers escalate privileges to super-admin and create new administrator accounts, modifying automation tasks to ensure persistent access, even if initially removed.
The vulnerabilities, disclosed in January and February of 2025, allow attackers to gain unauthorized access and encrypt devices after the initial compromise, attackers map the network and attempt lateral movement using stolen VPN credentials and newly added VPN accounts. They utilize Windows Management Instrumentation (WMIC), SSH, and TACACS+/RADIUS authentication, which are protocols for managing and authenticating network access. Organizations are urged to patch their Fortinet systems to mitigate the risk of SuperBlack ransomware attacks. Recommended read:
References :
@PCWorld
//
A new variant of the Snake Keylogger malware is actively targeting Windows users, with over 280 million infection attempts detected globally. Cybersecurity researchers have identified this version, also known as the 404 Keylogger, as AutoIt/Injector.GTY!tr. The primary targets include users in China, Turkey, Indonesia, Taiwan, and Spain, where the malware spreads through phishing emails containing malicious attachments or links. The keylogger steals credentials from popular web browsers like Chrome, Edge, and Firefox by logging keystrokes, capturing screenshots, and monitoring the clipboard.
The stolen data, including sensitive information and credentials, is then exfiltrated to its command-and-control (C2) server through various methods, including SMTP email and Telegram bots. The malware utilizes AutoIt, a scripting language frequently used for Windows automation, to deliver and execute its malicious payload. By using AutoIt, the malware can create standalone executables that may bypass standard antivirus solutions. Once executed, the keylogger copies itself to the %Local_AppData%\supergroup folder, names itself ageless[.]exe, and sets its attributes to hidden and creates “ageless.vbs” in the %Startup% folder. Recommended read:
References :
|