Network Security, Vulnerability Management

Toll of symlink backdoor-compromised Fortinet devices increases

Fortinet disclosed four critical vulnerabilities this week, including one RCE bug “potentially being exploited in the wild.” (Credit: Casimiro – stock.adobe.com)

BleepingComputer reports that the number of online Fortinet devices impacted by a symlink backdoor, which enables read-only access to files on already patched instances, increased from 14,000 to 16,620 on Wednesday, according to the Shadowserver Foundation.

Fortinet reported that attackers installed the persistence mechanism on breached but remediated FortiGate devices by exploiting FortiOS zero-day vulnerabilities since 2023. The symbolic link between the user file system and the root file system sits in a folder with the SSL-VPN's language files, and it remained undetected after updated FortiOS versions were applied, so attackers have been able to continuously access device configurations, credentials, and other file system data, said Fortinet. Aside from alerting organizations regarding symlink backdoor-compromised FortiGate devices, Fortinet has also issued a new AV/IPS signature that would facilitate symlink identification and removal from breached devices. Organizations have also been urged to reset all credentials to mitigate risk.
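The general check behind finding this kind of persistence, as an added example (not Fortinet's signature or tooling, and not part of the original report): list every symbolic link under a served directory whose resolved target falls outside that directory. The `lang` folder name, the file names and the temporary tree are constructed for the illustration, and the sketch assumes it is pointed at a mounted or extracted file system.

```python
import os
import tempfile


def find_escaping_symlinks(served_root):
    """Return sorted (link_path, resolved_target) pairs for symlinks under
    served_root whose resolved target lies outside served_root."""
    root_real = os.path.realpath(served_root)
    findings = []
    # followlinks=False: report links, never walk through them.
    for dirpath, dirnames, filenames in os.walk(root_real, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # resolves chained links too
            try:
                inside = os.path.commonpath([root_real, target]) == root_real
            except ValueError:  # e.g. different drives on Windows
                inside = False
            if not inside:
                findings.append((path, target))
    return sorted(findings)


def build_constructed_tree():
    """Constructed sample: a 'lang' folder (hypothetical name) holding one
    regular file, one harmless in-tree link and one link to the root."""
    root = tempfile.mkdtemp(prefix="served_")
    lang = os.path.join(root, "lang")
    os.mkdir(lang)
    with open(os.path.join(lang, "en.json"), "w") as fh:
        fh.write("{}")
    os.symlink("en.json", os.path.join(lang, "default.json"))  # stays inside
    os.symlink(os.sep, os.path.join(lang, "xx"))               # escapes to /
    return root


if __name__ == "__main__":
    for link, target in find_escaping_symlinks(build_constructed_tree()):
        print(f"escaping symlink: {link} -> {target}")
```

A link that resolves inside the served tree is not reported, so ordinary in-tree aliases do not raise noise; only links that expose files outside the tree are listed.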
