(TLP:CLEAR) WaterISAC Notification – Post-Exploitation Technique Used to Maintain Read-Only Access to Fortinet SSL-VPN

TLP:CLEAR

Author: Alec Davison

Created: Friday, April 11, 2025 - 15:18

Categories: Cybersecurity, Security Preparedness

Members using Fortinet FortiGate / FortiOS with SSL-VPN enabled are encouraged to review this notification and address accordingly.

What you need to know: Fortinet warns that threat actors are using a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched.

WaterISAC is providing this information for situational awareness and is not aware of any related incidents impacting the water sector. Still, WaterISAC encourages members using Fortinet products to review the advisory and upgrade affected FortiOS and FortiGate products.

Yesterday, Fortinet announced that a threat actor was observed exploiting previously known vulnerabilities (including, but not limited to, CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762) to gain access to vulnerable FortiOS and FortiGate VPN devices. Successful exploitation of these vulnerabilities may allow threat actors to access configuration and other sensitive files, including credentials, from compromised devices.

Description: According to Fortinet, when the threat actors previously breached devices using older vulnerabilities, they created symbolic links (symlinks) in the language files folder pointing to the root file system on devices with SSL-VPN enabled. Because the language files folder is served by the publicly accessible SSL-VPN web panel, such a symlink lets the actors keep read-only access to the root filesystem even after they have been discovered and evicted from the system.

It is important to note that this specific exploitation method is contingent on the SSL-VPN feature having been enabled on the vulnerable device at some point. Devices that have never had SSL-VPN enabled are reported to not be susceptible to this particular issue.
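The persistence described above relies on a symlink inside a web-served folder that resolves to a location outside that folder. The following script, added here as an illustration and not part of the WaterISAC notification or Fortinet's guidance, shows the generic check a defender can run against an exported or mounted copy of such a folder: walk it without following links and flag every symlink whose resolved target escapes the folder. The directory name `lang` and the sample files are constructed for the demo; the real FortiOS paths are not given in the notification and are not assumed here.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(base_dir):
    """Return a list of (link_path, resolved_target) for every symlink under
    base_dir whose resolved target lies outside base_dir.

    Links are never followed during the walk, so a symlinked directory that
    points at the root filesystem is reported but not descended into.
    """
    base = Path(base_dir).resolve()
    findings = []
    for root, dirs, files in os.walk(base, followlinks=False):
        for name in dirs + files:
            path = Path(root) / name
            if not path.is_symlink():
                continue
            target = Path(os.readlink(path))
            if not target.is_absolute():
                # relative link targets are interpreted from the link's directory
                target = path.parent / target
            # realpath does not require the target to exist (dangling links are
            # still assessed by where they would point)
            resolved = Path(os.path.realpath(str(target)))
            inside = resolved == base or base in resolved.parents
            if not inside:
                findings.append((str(path), str(resolved)))
    return findings


def build_demo_tree():
    """Constructed sample tree (hypothetical layout, not a FortiOS path):
    one real language file, one benign in-folder symlink, and one symlink
    that points at the root of the filesystem."""
    tmp = Path(tempfile.mkdtemp(prefix="symlink-demo-"))
    lang = tmp / "lang"
    lang.mkdir()
    (lang / "en.lang").write_text("greeting=Hello\n")
    os.symlink("en.lang", lang / "default.lang")  # benign: stays inside lang/
    os.symlink("/", lang / "ro")                  # escaping: exposes the root fs
    return lang


def run_demo():
    """Build the sample tree and return only the escaping symlinks."""
    return find_escaping_symlinks(build_demo_tree())


if __name__ == "__main__":
    for link, target in run_demo():
        print(f"ESCAPING SYMLINK: {link} -> {target}")
```

The benign `default.lang` link is deliberately left unreported so the check produces actionable output rather than every symlink in the tree; anything it does report should be treated as a possible indicator that the device needs the full recovery steps in the mitigation section.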

Mitigation Recommendations:

WaterISAC encourages system administrators to review Fortinet’s advisory and follow recommended guidance:

  • Upgrade to FortiOS version 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16 (the fixed release for each branch) to remove the malicious file and prevent re-compromise.
  • Review the configuration of all in-scope devices.
  • Reset potentially exposed credentials.
  • As a workaround until the patch is applied, consider disabling SSL-VPN functionality, as exploitation of the file requires SSL-VPN to be enabled.
  • Treat all configuration as potentially compromised and follow the recommended steps below to recover:
    • https://community.fortinet.com/t5/FortiGate/Technical-Tip-Recommended-steps-to-execute-in-case-of-a/ta-p/230694
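To act on the upgrade recommendation across a fleet, an administrator needs a branch-aware comparison: a device on 7.4.5 needs 7.4.7, not 7.6.2. The script below is an added example, not WaterISAC or Fortinet tooling; it encodes the fixed versions listed in this notification, classifies each device's running version against its own branch, and ranks devices that have ever had SSL-VPN enabled first, since the notification states the technique depends on that. The inventory rows are constructed sample data, and a branch not listed above (for example 6.2) is reported as unknown rather than assumed fixed or vulnerable.

```python
# Fixed releases named in the notification, keyed by FortiOS branch.
FIXED_VERSIONS = {
    "7.6": "7.6.2",
    "7.4": "7.4.7",
    "7.2": "7.2.11",
    "7.0": "7.0.17",
    "6.4": "6.4.16",
}


def parse_version(text):
    """Turn 'v7.4.5' or '7.4.5' into a comparable tuple (7, 4, 5)."""
    parts = text.strip().lstrip("v").split(".")
    return tuple(int(p) for p in parts[:3])


def assess_fortios_version(running):
    """Classify a running version against the fixed release of its branch.

    Returns 'fixed', 'upgrade-to-<version>', or 'unknown-branch'.
    """
    r = parse_version(running)
    branch = f"{r[0]}.{r[1]}"
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return "unknown-branch"
    return "fixed" if r >= parse_version(fixed) else f"upgrade-to-{fixed}"


def triage_inventory(inventory):
    """Rank devices for remediation.

    inventory: iterable of (hostname, running_version, ssl_vpn_ever_enabled).
    Devices that are not on a fixed release and have ever had SSL-VPN enabled
    come first; fixed devices still get the configuration review and
    credential reset the notification recommends.
    """
    rows = []
    for hostname, version, ssl_vpn_ever in inventory:
        status = assess_fortios_version(version)
        if status == "fixed":
            priority = 3
        elif ssl_vpn_ever:
            priority = 1  # unpatched and the technique's precondition is met
        else:
            priority = 2  # unpatched, but precondition not met per notification
        rows.append({
            "hostname": hostname,
            "version": version,
            "status": status,
            "ssl_vpn_ever_enabled": ssl_vpn_ever,
            "priority": priority,
        })
    return sorted(rows, key=lambda r: (r["priority"], r["hostname"]))


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("fgt-plant-a", "7.4.5", True),
    ("fgt-plant-b", "7.6.2", True),
    ("fgt-lab", "6.2.15", False),
    ("fgt-branch", "7.0.12", False),
]


if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY):
        print(f"[P{row['priority']}] {row['hostname']:12} {row['version']:8} {row['status']}")
```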

Additional Reading:

  • Fortinet – Analysis of Threat Actor Activity
  • Bleeping Computer – Fortinet: Hackers retain access to patched FortiGate VPNs using symlinks

Incident Reporting:

WaterISAC encourages any members who have experienced malicious or suspicious activity to email an*****@*******ac.org, call 866-H2O-ISAC, or use the confidential online incident reporting form.

1250 I Street NW, Suite 350
Washington, DC 20005
1-866-H2O-ISAC (1-866-426-4722)
© 2026 WaterISAC. All Rights Reserved.