Network Firewalls, Network Access Control
,
Security Operations
Symbolic Links Planted by Attackers Survived Patching, Provide Read-Only Access
Attackers have been using a technique to maintain remote access to hacked Fortinet devices even after they’ve been patched.
See Also: Get smart with networks and security
The vendor said Thursday at least one set of attackers planted symbolic links on hacked devices that allow them to later exploit a trio of known vulnerabilities and maintain remote, read-only access to its FortiGate next-generation firewalls. Symbolic links, aka symlinks, are supported by most operating systems and involve a text string that the OS automatically interprets as a path to a file or directory, which it then follows.
“A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices. This was achieved via creating a symbolic link connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN,” said Carl Windsor, CISO of Fortinet, in a blog post. “This modification took place in the user filesystem and avoided detection. Therefore, even if the customer device was updated with FortiOS versions that addressed the original vulnerabilities, this symbolic link may have been left behind, allowing the threat actor to maintain read-only access to files on the device’s file system, which may include configurations.”
The Shadowserver Foundation said that as of Sunday, its internet scans have identified at least 1,700 compromised devices in the United States, 787 in Taiwan, 773 in China, 719 in Japan and 512 in France, among many other countries. Its count of affected devices has been increasing in recent days.
Attackers’ ability to maintain persistence even after an underlying vulnerability gets patched is part of a worrying trend, said Benjamin Harris, CEO of attack surface management firm watchTowr. “We have seen, numerous times, attackers deploy capabilities and backdoors after rapid exploitation designed to survive the patching, upgrade and factory reset processes organizations have come to rely on to mitigate these situations to maintain persistence and access to compromised organizations,” he said.
Hackers, especially nation-state threat actors, have homed in on network edge devices, including Fortinet appliances, as an access point into corporate networks. Edge devices, even those designed for network security, are themselves generally opaque to defenders, suffer from slow patch rates and have been shown to harbor remarkable numbers of zero day flaws (see: Surge in Attacks Against Edge and Infrastructure Devices).
The vulnerabilities being exploited by attackers via malicious symbolic links have been:
- CVE-2022-42475: Heap-based buffer overflow vulnerabilities in FortiOS SSL-VPN;
- CVE-2023-27997: Heap-based buffer overflow vulnerability in in FortiOS and FortiProxy SSL-VPN;
- CVE-2024-21762: Out-of-bounds write vulnerability in FortiOS and FortiProxy.
This attack vector “could enable read-only access to files on the device’s file system, which may include configurations,” said the U.S. Cybersecurity and Infrastructure Security Agency in a Friday alert.
For this type of attack to be successful, an administrator must have enabled SSL-VPN on a device.
The vendor said it’s directly notified and has been working with all customers that its telemetry has identified as having been targeted.
Latest Updates Remove Malicious Symlinks
For all customers – already targeted or otherwise – Fortinet recommends they immediately upgrade FortiOS on their devices to versions 7.6.2, 7.4.7, 7.2.11, 7.0.17 or 6.4.16, which block the attack vector. Specific improvements include flagging the malicious link for removal by the built-in antivirus and intrusion prevention system engine, removing the malicious symbolic link if already present, and updating the SSL-VPN user interface to prevent malicious symbolic links from being served.
“As a work-around mitigation until the patch is applied, consider disabling SSL-VPN functionality, as exploitation of the file requires the SSL-VPN to be enabled,” CISA said.
Security experts have emphasized that even fully patched devices may have been compromised. “The observed post-exploitation activity relates to either unpatched devices or those that were compromised prior to patching,” said a Friday security alert from the Australian Signals Directorate.
For organizations that have already been targeted, Fortinet recommends they review all device configurations, treat them as being “potentially compromised,” and follow its recovery advice, which includes potentially resetting credentials.
Even though attackers were able to exploit fully patched devices, “it is critically important for all organizations to keep their devices up to date,” Fortinet’s Windsor said. “A variety of government organizations have reported state-sponsored threat actors are targeting all vendors, including known but unpatched vulnerabilities” (see: Edge Devices Face Surge in Mass Brute-Force Password Attacks).
Rapid patching remains essential. Research published by FortiGuard Labs that reviewed attacks from the second half of 2023 found that on average, attackers begin targeting known vulnerabilities on average 4.76 days after they are publicly disclosed. Some individual attackers move much more quickly.
Fortinet said it’s also made a slew of other updates to the latest generation of FortiOS aimed at hardening the operating system, adding virtual patching to help customers block attacks until they install a patch, adding auto-update capability as well as the ability to validate firmware in hardware, via the BIOS.