14,000 Fortinet firewalls compromised: Attackers nestle in
More than 14,000 Fortinet firewalls are currently compromised by attackers. They anchor themselves in the system with symlinks.
Fortinet reports on a current variant with which attackers can infiltrate the manufacturer's firewalls and achieve persistence. Meanwhile, IT researchers have tracked down more than 14,000 compromised Fortinet firewalls worldwide.
In a blog post, Fortinet explains that attackers have abused known vulnerabilities in the VPN component of Fortinet firewalls to gain access to the networks behind them. The specific cases investigated involved vulnerabilities in FortiOS SSL VPN (CVE-2022-42475, CVSS 9.3, risk “critical”), FortiOS and FortiProxy SSL VPN (CVE-2023-27997, CVSS 9.2, risk “critical”) and in the sslvpnd of FortiOS and FortiProxy (CVE-2024-21762, CVSS 9.6, risk “critical”).
Fortinet compromise: persistence with symlinks
Such attacks are not uncommon. What was new for the Fortinet analysts was how the attackers established persistence. On successfully attacked FortiGate devices, they created a symlink (symbolic link) between the user file system and the root file system in a folder holding language files of the SSL VPN. The symlink was placed in the user file system in an attempt to evade detection. Even after updates closing the exploited vulnerability were applied, the symlink could remain and give the attackers read access to the file system, including the configuration. However, if the SSL VPN was never enabled, this attack is not possible, Fortinet explains.
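A defender-side check for this class of persistence, added here as an illustration and not Fortinet's own signature or tooling: it walks a directory tree and flags every symlink that resolves outside an allowed root, which is exactly what a link from a user-file-system language folder into the root file system would do. All paths and file names are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(scan_root: str, allowed_root: str) -> list[tuple[str, str]]:
    """Return (link, resolved_target) for every symlink under scan_root whose
    target resolves outside allowed_root. A path-restricted reader such as a
    web server serving static files would follow such a link out of its tree."""
    allowed = Path(allowed_root).resolve()
    hits = []
    # followlinks=False: symlinked directories are listed but never descended into
    for dirpath, dirnames, filenames in os.walk(scan_root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            target = Path(os.path.realpath(p))
            try:
                target.relative_to(allowed)  # in-tree link: fine
            except ValueError:
                hits.append((str(p), str(target)))
    return hits


def demo() -> list[tuple[str, str]]:
    # Constructed layout with hypothetical names: 'userfs/lang' stands in for an
    # SSL VPN language-file directory on the user file system, 'rootfs' for the
    # root file system an attacker would want to reach.
    base = Path(tempfile.mkdtemp())
    userfs = base / "userfs"
    lang = userfs / "lang"
    lang.mkdir(parents=True)
    (base / "rootfs").mkdir()
    (lang / "en.json").write_text("{}")                # legitimate language file
    (lang / "de.json").symlink_to(lang / "en.json")    # benign link inside the tree
    (lang / "fr.json").symlink_to(base / "rootfs")     # escapes the tree (constructed)
    return find_escaping_symlinks(str(userfs), str(userfs))


if __name__ == "__main__":
    for link, target in demo():
        print(f"escaping symlink: {link} -> {target}")
```

Only the link that leaves the user file system is reported; an in-tree symlink between two language files is left alone.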
Fortinet has created a signature to remove these symlinks, and the SSL VPN software has been adapted to filter them out. Fortinet has also informed customers who have been identified as affected. The updates to FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17 and 6.4.16 address the problem accordingly. IT managers should also check the configuration of their devices.
The Shadowserver Foundation has also reported thousands of currently compromised Fortinet devices on X. Most of the affected machines are in the USA (1,500), while Germany was 18th on the list last Friday with 233 compromised Fortinet devices. On Monday, around 14,600 Fortinet systems worldwide were compromised, according to the latest statistics from Shadowserver.
(dmk)