Fortinet has shown that the threat subjects found a way to maintain access only to read to vulnerable devices Fortigate even after the initial access vector was used to violate devices.
Alike Cve-2022-42475. Cve-2023-2797and Cve-2024-21762.
“The actor threats used a well -known vulnerability to realize only reading to vulnerable devices Fortigate”, network security company – Note In an advisory order published on Thursday. “This has been achieved by creating a symbolic link that connects the user’s file system, and the root file system in a folder used to serve language files for SSL-VPN.”
Fortinet said the modifications occurred in the user’s file system and managed to avoid detection, causing a symbolic link (aka Symlink) left even after the holes were connected.
This, in turn, allowed the subject to support the threat only to read to the files in the device file system, including configurations. However, customers who have never included SSL-VPN do not affect the question.
It is unclear who is behind the activity, but Fortinet said his investigation showed that it was not aimed at any particular region or industry. It also said that it directly reported to customers who had suffered from this issue.
As a further softening, a series of software updates again occurred to prevent similar issues – was laid –
- Fortios 7.4, 7.2, 7.0, 6.4 – Simlink was labeled as malicious, so it is automatically removed by an antiviral engine
- Fortios 7.6.2, 7.4.7, 7.2.11 & 7.0.17, 6.4.16 – Simlink was removed, and UI SSL -VPN was changed to prevent the supply of such malicious symbolic links
Customers are advised to update their instances to the Fortios 7.6.2 versions, 7.4.7, 7.2.11 & 7.0.17 or 6.4.16, check your device configurations and consider all configurations as potentially compromised and executed Appropriate recovery steps.
Agency for cybersecurity and US infrastructure (CISA) has removed Own consulting, calling users to reset the exposed credentials and consider the possibility of disabling SSL-VPN functionality until the patches may be applied. France’s Computer Emergency Group (CERT-FR), in a similar newsletter, – Note This knows about compromises concerning the whole road before the beginning of 2023.
In a statement shared with Hacker News, Watchtowr CEO Benjamin Harris said the incident is concerned for two important reasons.
“First, in wild exploitation it becomes much faster than organizations can pay,” Harris said. “More importantly, the attackers defiantly and deeply realize this fact.”
“Secondly, and more horrifying, we have seen many times that the attackers place opportunities and background after rapid exploitation aimed at the experience of correction, upgrade and jumped processes that are calculated for softening these situations to maintain perseverance and access to violated organizations.”
