Over 16,000 internet-connected Fortinet devices have been identified as having a new symlink backdoor that permits read-only access to sensitive data on previously compromised systems.
The Shadowserver Foundation, a threat monitoring platform, has stated that 14,000 machines were exposed. Earlier this week, Shadowserver’s Piotr Kijewski told a local media source that the cybersecurity firm now recognises 16,620 devices as affected by the newly discovered persistence method.
Last week, Fortinet notified customers that it had found a new persistence mechanism employed by a threat actor to maintain read-only remote access to files in the root filesystem of previously hacked but now patched FortiGate devices.
Fortinet stated that this persistence was not due to the exploitation of new vulnerabilities, but rather to attacks beginning in 2023 and continuing into 2024, in which a threat actor used zero-days to compromise FortiOS devices.