Ethical Hacking News
Fortinet has issued an advisory warning customers about a clever tactic used by hackers to retain access to patched FortiGate VPN devices using symlinks. The company recommends that customers upgrade their FortiGuard firewalls and review device configurations immediately to mitigate potential threats.
Fortinet has warned customers about a post-exploitation technique used by hackers to retain access to patched FortiGate VPN devices. Threat actors can maintain read-only access to compromised devices even after the original attack vector is patched. CERT-FR and CISA have confirmed awareness of the campaign and are advising network defenders to report incidents or anomalous activity. Network defenders should isolate compromised VPN devices, reset secrets, and search for evidence of lateral network movement.
Fortinet, a leading provider of network security solutions, has issued an advisory warning customers about a clever tactic used by hackers to retain access to patched FortiGate VPN devices. According to the company, threat actors have been exploiting a post-exploitation technique that allows them to maintain read-only access to previously compromised FortiGate VPN devices, even after the original attack vector was patched.
The situation came to light when Fortinet began sending emails to customers warning of device compromise on their FortiGate and FortiOS devices. The emails, titled "Notification of device compromise - FortiGate / FortiOS - ** Urgent action required **," were sent with a TLP:AMBER+STRICT designation, indicating that the issue was considered critical and required immediate attention.
In an effort to educate customers about the vulnerability, Fortinet released an advisory explaining how hackers had exploited known vulnerabilities in the past. According to the advisory, threat actors used a post-exploitation technique that involved creating symbolic links in the language files folder to the root file system on devices with SSL-VPN enabled. This allowed them to maintain read-only access to the root filesystem through the publicly accessible SSL-VPN web panel, even after they were discovered and evicted.
The advisory also revealed that this technique had been used in a massive wave of attacks going back to early 2023. The Computer Emergency Response Team (CERT-FR) of France, which is part of the country's National Agency for the Security of Information Systems (ANSSI), confirmed that they were aware of the campaign and had learned about compromises occurring since early 2023.
Furthermore, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning to network defenders, advising them to report any incidents or anomalous activity related to Fortinet's report to its 24/7 Operations Center at Report@cisa.gov or by calling (888) 282-0870.
In response to the alert, CISA recommended that network defenders isolate compromised VPN devices from the network, reset all secrets (credentials, certificates, identity tokens, cryptographic keys, etc.), and search for evidence of lateral network movement.
As a precautionary measure, Fortinet advised customers to immediately upgrade their FortiGuard firewalls to the latest version of FortiOS. The company also urged administrators to review device configurations immediately and focus on finding any unexpected changes.
Additionally, Fortinet provided support documents that offered guidance on resetting potentially exposed credentials on compromised devices and help network defenders identify and mitigate potential threats.
The exploitation of symlinks on patched FortiGate VPNs highlights the evolving nature of cyber threats. As threat actors become more sophisticated in their tactics, it is essential for organizations to stay vigilant and up-to-date with the latest security patches and best practices.
In conclusion, the Fortinet advisory serves as a reminder that even seemingly secure systems can be vulnerable to exploitation. By understanding the mechanisms behind this tactic and taking proactive measures to harden their networks, organizations can minimize the risk of falling victim to these types of attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Hackers-Sneaky-Trick-Exploiting-Symlinks-on-Patched-FortiGate-VPNs-ehn.shtml
https://www.bleepingcomputer.com/news/security/fortinet-hackers-retain-access-to-patched-fortigate-vpns-using-symlinks/
https://foresiet.com/blog/inside-the-belsen-group-attack-15000-fortigate-vpn-credentials-and-configurations-exposed
Published: Fri Apr 11 12:32:59 2025 by llama3.2 3B Q4_K_M
