Security researchers have discovered that over 16,500 Fortinet FortiGate firewall devices have been compromised by attackers using a symlink-based backdoor. This attack allows persistent and stealthy remote access to affected systems.
The discovery was made by Lexfo Security, and the infections are believed to have started as early as 2022. Despite patches being released by Fortinet for a related vulnerability, the backdoor installations still persist on many devices.
How the Attack Works:
It does not involve modifying firmware or installing conventional malware, which makes it difficult to detect.
The attackers exploited a critical vulnerability (CVE-2022-42475) in FortiGate devices to gain initial access.
They then created a symbolic link (symlink) to replace the legitimate /bin/fgfm binary with a malicious executable.
This malicious binary was executed by the system service configd, giving the attackers command execution capabilities on the device.
The backdoor allows remote control, persistence, and stealth, even surviving reboots or firmware upgrades.
Impact:
At least 16,500 devices worldwide are confirmed to be affected.
Victims include enterprise networks, government organizations, telecom companies, and other critical infrastructure sectors.
The attack campaign appears to be well-coordinated and long-running, potentially involving state-sponsored actors.
Detection and Indicators:
The attack may not show signs of tampering in firmware checks.
The symlink replaces /bin/fgfm and points it to a malicious payload (backdoor).
Files or logs involving suspicious symlink paths should be considered indicators of compromise (IOCs).
Recommendations:
- Inspect FortiGate devices for symlink anomalies, especially in the /bin/ directory.
- Check for unauthorized modifications or unexpected behavior from system processes like configd.
- Apply the latest firmware updates and patches from Fortinet.
- If compromise is suspected, reset devices to factory settings and reconfigure from clean backups.
- Monitor official Fortinet and Lexfo advisories for updates and IOCs.
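The first recommendation above, inspecting /bin/ for symlink anomalies, is the kind of check that can be automated once a device's filesystem is available to an analyst (an extracted firmware image or a forensic copy mounted on an analysis host). The script below is an added example and is not code from Fortinet, Lexfo or the original article; it builds a constructed mock filesystem in a temporary directory (the benign busybox file, the /data/payload path and the bin/sh link are placeholders, not real IOCs) and then classifies every symlink found directly inside a watched directory as pointing outside that directory, dangling, or staying inside it.

```python
"""Scan a mounted or extracted device filesystem for symlink anomalies in
directories that should hold only regular executables (e.g. /bin).

Added example; not Fortinet's, Lexfo's or the article's code. It assumes
the device filesystem is reachable as a directory tree on the analysis
host. build_fixture() creates constructed sample data only."""
import os
import tempfile
from pathlib import Path

# Directories (relative to the image root) expected to contain only
# regular binaries on the device.
WATCHED_DIRS = ("bin",)


def find_symlink_anomalies(root, watched_dirs=WATCHED_DIRS):
    """Return one finding per symlink located directly inside a watched
    directory under `root`.

    Each finding holds the symlink path (relative to root), the raw link
    target, the target rebased onto the image root, and a classification:
      "outside"  - target resolves outside the watched directory
      "dangling" - target does not exist in the image
      "inside"   - target stays within the watched directory
    """
    root = Path(root).resolve()
    findings = []
    for rel in watched_dirs:
        watched = (root / rel).resolve()
        if not watched.is_dir():
            continue
        for entry in sorted(watched.iterdir()):
            if not entry.is_symlink():
                continue
            target = os.readlink(entry)
            # Absolute targets are meant for the device's own root, so rebase
            # them onto the image root instead of the analysis host's "/".
            if os.path.isabs(target):
                resolved = (root / target.lstrip("/")).resolve()
            else:
                resolved = (entry.parent / target).resolve()
            if not resolved.exists():
                kind = "dangling"
            elif resolved == watched or watched in resolved.parents:
                kind = "inside"
            else:
                kind = "outside"
            findings.append({
                "path": str(entry.relative_to(root)),
                "target": target,
                "resolved": str(resolved),
                "kind": kind,
            })
    return findings


def suspicious(findings):
    """Findings a responder should treat as indicators: symlinks in a
    watched directory whose target leaves it or no longer exists."""
    return [f for f in findings if f["kind"] in ("outside", "dangling")]


def build_fixture():
    """Construct a tiny mock image: one benign regular binary, one harmless
    in-directory link, and a symlink replacing bin/fgfm with a payload
    stored elsewhere. All names and contents are constructed placeholders."""
    root = Path(tempfile.mkdtemp(prefix="fgt_scan_"))
    (root / "bin").mkdir()
    (root / "bin" / "busybox").write_bytes(b"\x7fELF benign placeholder")
    (root / "data").mkdir()
    (root / "data" / "payload").write_bytes(b"\x7fELF constructed placeholder")
    # Relative link that stays inside /bin: reviewed but not flagged.
    os.symlink("busybox", root / "bin" / "sh")
    # Absolute target written as it would appear on the device itself.
    os.symlink("/data/payload", root / "bin" / "fgfm")
    return root


if __name__ == "__main__":
    image_root = build_fixture()
    for finding in find_symlink_anomalies(image_root):
        print(f"{finding['kind']:8} {finding['path']} -> {finding['target']}")
```

To run it against a real extracted image, call `find_symlink_anomalies("/mnt/fortigate_image")` (path assumed) and extend `WATCHED_DIRS` with any other directories that should never contain symlinks; the "inside" class is reported rather than dropped so an analyst can still compare it against a known-good image of the same firmware version.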