Fortinet warns of active exploitation of its FortiGate firewall devices

Hackers are actively exploiting a suite of known FortiGate vulnerabilities as the ACSC releases its own advisory on the threat activity.


Cyber security firm Fortinet has released an advisory warning of threat actors taking advantage of known vulnerabilities in its FortiGate firewall platforms.

The activity is serious enough that both the US Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) have released advisories and critical alerts of their own.

While Fortinet points out that such exploitation is nothing new, in this specific instance, the company has observed a unique post-exploitation technique.

“The targeting of known, unpatched vulnerabilities by a threat actor is not new and has been previously examined; this specific finding is the result of a threat actor taking advantage of a known vulnerability with a new technique to maintain read-only access to vulnerable FortiGate devices after the original access vector was locked down,” Fortinet said in a 10 April blog post.

“Immediately upon discovery, we activated our PSIRT response efforts, developed necessary mitigations and have communicated with affected customers. We continue to work directly with those customers to ensure they have taken steps to remediate the issue.”

This threat actor has been able to implement read-only access to FortiGate devices by creating a symbolic link between the user and root file systems. This was done in a specific folder that serves files for the SSL-VPN. This allowed the threat actor to avoid detection; the symbolic link also remained even if the original vulnerability had already been patched.
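The persistence described above rests on a symbolic link placed inside a directory the SSL-VPN serves, pointing out into the root file system. One way a defender can audit a served directory for exactly that condition is to resolve every symlink under it and flag any whose target lands outside the tree. The script below is an added example, not Fortinet's code or its mitigation; the directory names and the sample files are constructed for the demonstration.

```python
"""Audit a served directory tree for symlinks that escape it (constructed example)."""
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(served_root):
    """Return (link relative to served_root, resolved target) for every symlink
    under served_root whose final target is outside served_root.
    Symlink chains are followed to their end; walking does not descend into
    symlinked directories, so a link to a parent cannot loop the scan."""
    root = Path(served_root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # followlinks=False by default
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = link.resolve()
            try:
                target.relative_to(root)  # raises ValueError when target is outside root
            except ValueError:
                findings.append((link.relative_to(root).as_posix(), str(target)))
    return findings


def build_demo_tree(base):
    """Build a constructed served tree with one benign and one escaping symlink."""
    served = Path(base) / "served"          # stands in for the SSL-VPN served folder
    outside = Path(base) / "outside"        # stands in for the root file system
    (served / "css").mkdir(parents=True)
    outside.mkdir()
    (served / "index.html").write_text("constructed sample page")
    (outside / "secret.conf").write_text("constructed sample config")
    os.symlink(served / "index.html", served / "alias.html")  # benign: stays inside
    os.symlink(outside, served / "css" / "cache")             # escaping: exposes 'outside'
    return served


def run_demo():
    """Scan the constructed tree and return only the escaping links."""
    with tempfile.TemporaryDirectory() as tmp:
        served = build_demo_tree(tmp)
        return find_escaping_symlinks(served)


if __name__ == "__main__":
    for link, target in run_demo():
        print(f"ESCAPING SYMLINK: {link} -> {target}")
```

On a real appliance the scan would be run against the actual served directory; any hit that is not part of the vendor's shipped layout warrants the configuration-compromised treatment the advisory recommends.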

According to Fortinet, this activity is not limited to a specific industry or region.

The company has released multiple FortiOS mitigations, details of which can be found here.

Fortinet has been in touch with several impacted customers and has recommended the following steps:

  • Upgrade all devices to 7.6.2, 7.4.7, 7.2.11 & 7.0.17 or 6.4.16.
  • Review the configuration of all devices.

In addition, all configurations should be treated as compromised. Refer to Fortinet’s advice here if recovery is necessary. Both CISA and the ACSC recommend following Fortinet’s advice as soon as possible.

“While this is an unfortunate saga for Fortinet, in a series of sagas, Fortinet is doing the right thing here with proactive and transparent communication – this should be commended. Worryingly, though, this builds on a concern we’ve seen across the industry for two important reasons,” Benjamin Harris, CEO of cyber security firm watchTowr, told Cyber Daily.

“First, in-the-wild exploitation is becoming significantly faster than organisations can patch. More importantly, attackers are demonstrably and deeply aware of this fact. Second, and more terrifying, we have seen, numerous times, attackers deploy capabilities and backdoors after rapid exploitation designed to survive the patching, upgrade, and factory reset processes organisations have come to rely on to mitigate these situations to maintain persistence and access to compromised organisations.

“This is straight-up terrifying. In high-profile situations, we may be entering a world where even updates, patching, and factory resets are insufficient to consider restoring appliance integrity.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
