Blog

Analysis of Threat Actor Activity
By
As a driving force in the evolution of cybersecurity, Fortinet has long been at the forefront of the industry in embracing and advocating for cybersecurity best practices. We are committed to being a role model for ethical product development and vulnerability disclosure, which includes embracing responsible transparency, holding ourselves to robust disclosure practices, and adhering to international and industry-recognized standards. Fortinet continues to collaborate with the industry to develop and implement stronger practices and standards for the benefit of all our customers, including through ongoing threat research, delivering automatic upgrade features, cybersecurity training and education, and responsible and proactive communications about best practices and cyber hygiene.
Recent incidents continue to bring this into focus with active exploitations of known vulnerabilities as investigations by Fortinet have discovered a post exploitation technique used by a threat actor.
During this investigation, a threat actor was observed using known vulnerabilities (e.g. FG-IR-22-398, FG-IR-23-097, FG-IR-24-015) to gain access to Fortinet devices. The targeting of known, unpatched vulnerabilities by a threat actor is not new and has been previously examined; this specific finding is the result of a threat actor taking advantage of a known vulnerability with a new technique to maintain read-only access to vulnerable FortiGate devices after the original access vector was locked down. Immediately upon discovery, we activated our PSIRT response efforts, developed necessary mitigations and have communicated with affected customers. We continue to work directly with those customers to ensure they have taken steps to remediate the issue.
Fortinet diligently balances our commitment to the security of our customers and our culture of responsible transparency and commits to sharing information with that goal in mind. The following describes the situation.
Description
A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices. This was achieved via creating a symbolic link connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN. This modification took place in the user filesystem and avoided detection. Therefore, even if the customer device was updated with FortiOS versions that addressed the original vulnerabilities, this symbolic link may have been left behind, allowing the threat actor to maintain read-only access to files on the device’s file system, which may include configurations.
Notably, if the customer has never had SSL-VPN enabled, then the customer is not impacted by this issue.
As part of our investigation, Fortinet performed scans to identify impacted devices using internal telemetry and in collaboration with third party organizations. The data indicates that this threat actor activity was not targeted to a specific region or industry.
Mitigation
Upon discovering the new technique used by the threat actor described above, Fortinet took steps to mitigate this issue and balance varying levels of cyber hygiene and challenges that the customer may face. Fortinet mitigation efforts included:
- An AV/IPS signature was created to detect and clean this symbolic link from impacted devices.
- Changes were made to the latest releases to detect and remove the symbolic link and ensure the SSL-VPN only serves the expected files.
- Proactive communications urging customers to update their devices, carefully balancing our communications to protect against further inadvertent compromise while delivering on our commitment to responsible transparency.
Specific to the findings detailed in this blog, we have released multiple FortiOS mitigations, including:
- FortiOS 7.4, 7.2, 7.0, 6.4: The symbolic link was flagged as malicious by the AV/IPS engine so that it would be automatically removed if the engine was licensed and enabled.
- FortiOS 7.6.2, 7.4.7, 7.2.11 & 7.0.17, 6.4.16: Upgrading to this release will remove the malicious symbolic link.
- FortiOS 7.6.2, 7.4.7, 7.2.11 & 7.0.17, 6.4.16: The SSL-VPN UI has been modified to prevent the serving of such malicious symbolic links.
We have communicated directly with customers identified as impacted by this issue based on the available telemetry and are recommending that they take the following steps:
- Upgrade all devices to 7.6.2, 7.4.7, 7.2.11 & 7.0.17 or 6.4.16.
- Review the configuration of all devices.
- Treat all configuration as potentially compromised and follow the recommended steps below to recover:
Do I need to upgrade?
It is critically important for all organizations to keep their devices up to date. A variety of government organizations have reported state sponsored threat actors are targeting all vendors, including known but unpatched vulnerabilities. In general, the best defense against any known vulnerability is following good cyber hygiene practices, including upgrading.
The 2H 2023 Global Threat Landscape Report from FortiGuard Labs research found that threat actors are taking advantage of a known vulnerability on average 4.76 days after a new vulnerability was publicly disclosed. In this climate, both vendors and customers have a role to play. Vendors must introduce robust security scrutiny at all stages of the product development life cycle and dedicate themselves to responsible transparency in their vulnerability disclosures. With more than 40,000 vulnerabilities recorded in 2024 based on data provided by NIST, it is also critical that customers maintain a strict patching regimen to reduce the risk of exploitation.
With regard to this incident, we have communicated directly with identified impacted customers who need to take action based on available telemetry. However, we recommend all customers to upgrade to one of these recommended versions regardless.
Fortinet has also incorporated many changes to further enhance security features that address key customer challenges and are available for customers to take advantage of once upgraded to the latest release, including but not limited to:
- Additional compile-time hardening to raise the barrier for attack on products.
- Virtual patching to allow mitigation of issues prior to patching.
- Implementation of firmware integrity validation in hardware (BIOS).
- Introduction of Integrity Measurement Architecture (IMA) / Filesystem Integrity.
- Auto-updates to seamlessly patch devices against vulnerabilities without administrator intervention.
Fortinet continues to encourage customers to leverage FortiOS best practice resources, including guidance for system hardening, as well as features that help customers automate the upgrade process, such as Uninterrupted Cluster Upgrade, Sub-second failover, Fail-over protection, Auto-restore configs / Configuration revisions, and Automatic / Scheduled patch upgrades.