Over 16,000 Fortinet devices compromised with symlink backdoor
Over 16,000 internet-exposed Fortinet devices have been detected as compromised with a new symlink backdoor that allows read-only access to sensitive files on previously compromised devices.

This exposure is being reported by threat monitoring platform The Shadowserver Foundation, which initially reported 14,000 devices were exposed.

Today, Shadowserver's Piotr Kijewski told BleepingComputer that the cybersecurity organization now detects 16,620 devices impacted by the recently revealed persistence mechanism.

Last week, Fortinet warned customers that they had discovered a new persistence mechanism used by a threat actor to retain read-only remote access to files in the root filesystem of previously compromised but now patched FortiGate devices.

Fortinet said that this was not through the exploitation of new vulnerabilities but is instead linked to attacks starting in 2023 and continuing into 2024, in which a threat actor used zero-day vulnerabilities to compromise FortiOS devices.

Once they gained access to the devices, they created symbolic links in the language files folder to the root file system on devices with SSL-VPN enabled. As the language files are publicly accessible on FortiGate devices with SSL-VPN enabled, the threat actor could browse to that folder and gain persistent read access to the root file system, even after the initial vulnerabilities were patched.

"A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices. This was achieved via creating a symbolic link connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN. This modification took place in the user filesystem and avoided detection," Fortinet said.

"Therefore, even if the customer device was updated with FortiOS versions that addressed the original vulnerabilities, this symbolic link may have been left behind, allowing the threat actor to maintain read-only access to files on the device's file system, which may include configurations."

This month, Fortinet began notifying customers privately by email about FortiGate devices detected by FortiGuard as being compromised with this symlink backdoor.

Emails sent to owners of compromised devices (Source: BleepingComputer)

Fortinet has released an updated AV/IPS signature that will detect and remove this malicious symbolic link from compromised devices. The latest version of the firmware has also been updated to detect and remove the link. The update also prevents unknown files and folders from being served by the built-in webserver.
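The two ideas in the article, a symlink planted in a web-served folder that escapes to the rest of the filesystem, and a webserver that refuses to serve anything it does not explicitly know about, can be illustrated with a small detection and hardening routine. This is an added example, not Fortinet's code or FortiOS's actual directory layout; the `lang`/`secrets` folders and `en.json` are constructed in a temp directory to stand in for the language-file folder and the root filesystem.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(served_root: str) -> list:
    """Walk a web-served directory and return (link, resolved_target) for every
    symlink whose real target lies outside the served root. Such a link turns a
    static-file endpoint into a read-only window onto the rest of the filesystem,
    which is the persistence artifact described above."""
    root = Path(served_root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            target = p.resolve()  # follow the whole chain, as a webserver would
            if not target.is_relative_to(root):
                findings.append((str(p), str(target)))
    return findings


def safe_serve_path(served_root: str, requested: str, allowed=(".json",)):
    """Hardened lookup: only serve a regular file whose *resolved* path stays
    inside the root and whose extension is on an explicit allowlist, so an
    unknown file or folder (including a planted symlink) is never served."""
    root = Path(served_root).resolve()
    candidate = (root / requested.lstrip("/")).resolve()
    if not candidate.is_relative_to(root):
        return None
    if not candidate.is_file() or candidate.suffix not in allowed:
        return None
    return candidate


def demo() -> dict:
    """Constructed scenario: a served 'lang' folder holding one legitimate file
    plus a planted symlink to a sibling directory that stands in for the root FS."""
    base = Path(tempfile.mkdtemp())
    lang, secrets = base / "lang", base / "secrets"
    lang.mkdir()
    secrets.mkdir()
    (lang / "en.json").write_text('{"login": "Login"}')
    (secrets / "config.conf").write_text("admin-password: constructed-placeholder\n")
    (lang / "x").symlink_to(secrets)  # the escaping symlink
    return {
        "findings": find_escaping_symlinks(lang),
        "benign": safe_serve_path(lang, "en.json") is not None,
        "escaped": safe_serve_path(lang, "x/config.conf"),
    }


if __name__ == "__main__":
    print(demo())
```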

Finally, if a device was detected as compromised, it is possible that the threat actors had access to the latest configuration files, including credentials.

Therefore, all credentials should be reset, and admins should follow the other steps in this guide.
