Over 16,000 internet-exposed Fortinet gadgets have been detected as compromised with a brand new symlink backdoor that permits read-only entry to delicate recordsdata on beforehand compromised gadgets.
This publicity is being reported by menace monitoring platform The Shadowserver Basis, which initially reported 14,000 gadgets had been uncovered.
At this time, Shadowserver’s Piotr Kijewski informed BleepingComputer that the cybersecurity group now detects 16,620 gadgets impacted by the not too long ago revealed persistence mechanism.
Final week, Fortinet warned clients that that they had found a brand new persistence mechanism utilized by a menace actor to retain read-only distant entry to recordsdata within the root filesystem of beforehand compromised however now patched FortiGate gadgets.
Fortinet mentioned that this was not by way of the exploitation of recent vulnerabilities however is as an alternative linked to assaults beginning in 2023 and persevering with into 2024, the place a menace actor utilized zero days to compromise FortiOS gadgets.
As soon as they gained entry to the gadgets, they created symbolic hyperlinks within the language recordsdata folder to the foundation file system on gadgets with SSL-VPN enabled. Because the language recordsdata are publicly accessible on FortiGate gadgets with SSL-VPN enabled, the menace actor might browse to that folder and acquire persistent learn entry to the foundation file system, even after the preliminary vulnerabilities had been patched.
“A menace actor used a recognized vulnerability to implement read-only entry to susceptible FortiGate gadgets. This was achieved through making a symbolic hyperlink connecting the person filesystem and the foundation filesystem in a folder used to serve language recordsdata for the SSL-VPN. This modification befell within the person filesystem and averted detection,” Fortinet mentioned.
“Subsequently, even when the shopper system was up to date with FortiOS variations that addressed the unique vulnerabilities, this symbolic hyperlink could have been left behind, permitting the menace actor to keep up read-only entry to recordsdata on the system’s file system, which can embrace configurations.”
This month, Fortinet started notifying clients privately by e mail about FortiGate gadgets detected by FortiGuard as being compromised with this symlink backdoor.
Supply: BleepingComputer
Fortinet has launched an up to date AV/IPS signature that can detect and take away this malicious symbolic hyperlink from compromised gadgets. The most recent model of the firmware has additionally been up to date to detect and take away the hyperlink. The replace additionally prevents unknown recordsdata and folders from being served by the built-in webserver.
Lastly, if a tool was detected as compromised, it’s potential that the menace actors had entry to the most recent configuration recordsdata, together with credentials.
Subsequently, all credentials needs to be reset, and admins ought to observe the opposite steps in this information.