Older Fortinet vulnerabilities under attack, company issues alert
In a recent development, a new technique has been uncovered by cybersecurity experts that allows attackers to maintain read-only access on patched FortiGate devices. The technique, which involves creating a symbolic link between user file systems and root file systems, has been observed being used by threat actors to read files and data on patched Fortinet devices.
Fortinet's Chief Information Security Officer, Carl Windsor, has been investigating the exploitation of older CVEs, all of which have been previously patched by Fortinet. To address this new technique, Fortinet has released mitigations in FortiOS versions 7.4, 7.2, 7.0, and 6.4. The exploitation activity, which does not seem to be focused on a specific region or industry, has prompted the Cybersecurity and Infrastructure Security Agency to issue a security alert.
Organizations can take several steps to mitigate this threat. Firstly, it is crucial to ensure that FortiGate devices are updated to versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16. These updates remove malicious symlinks and prevent future SSL-VPN-based exploits. If SSL-VPN functionality is not required, consider disabling it to reduce the attack surface for this specific vulnerability.
Regular monitoring of system logs and configurations is also essential for detecting any signs of unauthorized access or changes. This includes checking for unusual symlinks or changes in system files. Securing configuration files, especially those related to SSL-VPN services, is also crucial to prevent the persistence of malicious symlinks.
Implementing robust network segmentation can limit the spread of potential attacks by isolating critical systems and networks. This helps prevent lateral movement. Additionally, intrusion detection systems (IDS) can help detect some unauthorized activities, although they may not catch all exploit attempts.
In addition to these measures, it is recommended to ensure that FortiGate devices only allow encrypted administrative access protocols like HTTPS. Disable HTTP and Telnet if they are enabled. Using TLS 1.3 for administrator access can also prevent man-in-the-middle attacks. Regular patching of FortiGate devices with the latest security patches is also essential to address known vulnerabilities.
Fortinet urges customers to upgrade all devices to the specified versions to remove existing symbolic links and prevent future malicious symbolic links. The blog post detailing this exploitation activity was published by Fortinet on a Thursday.
The exploitation of these vulnerabilities is of concern due to the shift in focus by both cybercriminals and nation-state threat groups towards edge devices as initial access vectors. The technique used to exploit these vulnerabilities involves a folder that serves language files for SSL-VPNs. FortiGate devices have been heavily targeted by a range of attackers in recent years.
By following these steps and maintaining a proactive security posture, organizations can effectively mitigate and prevent such persistence techniques on FortiGate devices.
- Network security professionals must implement updates for FortiGate devices to versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16, as these updates remove malicious symlinks and prevent future SSL-VPN-based exploits, a measure proposed to mitigate the recent cybersecurity threat discovered by experts.
- Fortinet's technology advises organizations to monitor system logs and configurations, especially for unusual symlinks or changes in system files, as regular monitoring can help detect any signs of unauthorized access or changes, aiding in strengthening general-news cybersecurity.
