Full Report
Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched. [...]
Analysis Summary
# Incident Report: Persistent Access via FortiGate Symlink Abuse
## Executive Summary
Threat actors exploited vulnerabilities in FortiGate VPNs, and even after patching those initial vulnerabilities, they maintained covert, read-only access to the file system using newly created symbolic links (symlinks). This persistence mechanism allowed hackers to retain unauthorized access to configurations, impacting numerous organizations since early 2023, prompting emergency patching and mandatory post-incident forensic analysis.
## Incident Details
- Discovery Date: Early April (Implied by recent advisories and emails sent "earlier this week")
- Incident Date: Ongoing since early 2023 (based on French CERT findings)
- Affected Organization: Users of vulnerable FortiGate VPN devices (Specific organizations not named, multiple compromised in France and globally)
- Sector: Various (Any organization using affected Fortinet products)
- Geography: Global, with notable massive campaigns reported in France.
## Timeline of Events
### Initial Access
- Date/Time: Prior to patching, starting as early as early 2023.
- Vector: Exploitation of known vulnerabilities in FortiGate VPN firmware.
- Details: Attackers gained initial unauthorized access through flaws later addressed by Fortinet patches.
### Lateral Movement
- Details: The primary immediate threat outlined is *persistence* achieved through file system manipulation rather than immediate widespread lateral movement *after* patching, though CERT-FR recommended searching for evidence of lateral network movement.
### Data Exfiltration/Impact
- Details: Attackers maintained read-only access to the device's file system, likely including sensitive configuration files, which could lead to subsequent data disclosure or further compromise.
### Detection & Response
- **Detection:** Incident response operations conducted by CERT-FR uncovered the persistence technique, and Fortinet alerted customers via email regarding the symlink issue. CISA also issued an advisory.
- **Response actions taken:** Fortinet advised customers to immediately upgrade to specified latest FortiOS versions to remove malicious post-exploitation files.
## Attack Methodology
- Initial Access: Exploitation of known, patched FortiGate VPN vulnerabilities.
- Persistence: Creation of symbolic links (symlinks) within the file system that bypassed the patching process, ensuring read-only access to files.
- Privilege Escalation: Not explicitly detailed, but required sufficient privileges to write files/symlinks to the file system post-exploitation.
- Defense Evasion: The use of symlinks allowed for evasion of basic cleanup/patching routines intended to remove initial access tools.
- Credential Access: Not explicitly detailed, but access to configuration files suggests credentials/secrets may have been compromised or targeted.
- Discovery: Attackers likely reviewed the filesystem post-exploitation to confirm access persistence via symlinks.
- Lateral Movement: Response actions suggest the potential for lateral movement exists, though the primary focus was on persistence persistence mechanisms.
- Collection: Access to device configurations implies the collection or intent to collect sensitive system settings.
- Exfiltration: Not detailed, but implied capability through persistent access.
- Impact: Continued unauthorized access and potential exposure of device configurations.
## Impact Assessment
- Financial: Not disclosed, but significant costs associated with mandatory urgent patching, forensic investigation, and credential resets across affected environments.
- Data Breach: Configuration data, potentially including system secrets and credentials, was accessible by the threat actors via read-only access.
- Operational: Required immediate administrative action (upgrading firmware, reviewing configurations) to secure devices.
- Reputational: Negative impact on trust in the patching process if persistence mechanisms are not fully remediated by standard updates.
## Indicators of Compromise
- **Network indicators:** (None provided, standard practice for this type of report would involve scanning for newly created symlinks or specific command-and-control traffic post-patching, which is not detailed here).
- **File indicators:** Malicious files used for persistence, which are intended to be removed via the recommended firmware updates.
- **Behavioral indicators:** The presence of unexpected symbolic links pointing to critical configuration files on the FortiGate device file system.
## Response Actions
- **Containment:** Fortinet recommended isolating compromised VPN devices from the network.
- **Eradication:** Immediate upgrade of FortiGate firewalls to specified patched versions (e.g., 7.6.2, 7.4.7, 7.2.11, 7.0.17, 6.4.16) to remove malicious persistence files.
- **Recovery:** Resetting all secrets, including credentials, certificates, identity tokens, and cryptographic keys on potentially exposed devices. Reviewing device configurations for unexpected changes.
## Lessons Learned
- Patches addressing initial entry vectors may not fully remove post-exploitation artifacts, leading to persistent access via unusual methods (like symlinks).
- Incident response and forensics must specifically look for file system manipulation techniques, especially device hardening/patching bypass methods.
- The lifespan of an exploited vulnerability can extend far beyond the initial patch release if sophisticated persistence is achieved.
## Recommendations
- Immediately apply the latest security patches for FortiOS (versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, 6.4.16 or newer).
- Conduct thorough forensic sweeps specifically looking for unexpected file system changes, particularly symbolic links (`symlinks`) on critical system directories of network enforcement devices.
- Isolate suspected devices during deep forensic investigation and perform a comprehensive reset of all associated secrets and credentials.
- Report any anomalous activity related to Fortinet devices to relevant authorities (e.g., CISA's 24/7 Operations Center).