LLMs Used in Attacks Targeting FortiGate VPNs

Threat actors are reportedly using large language models like DeepSeek and Claude to automate attacks against FortiGate SSL VPNs globally. The AI models are being leveraged to process stolen credentials and map internal networks after gaining initial access. This tactic represents a significant evolution in automating post-exploitation activities.

- A Chinese state-sponsored hacking group targeted a zero-day vulnerability (CVE-2022-42475) in FortiGate devices, compromising at least 20,000 systems worldwide between 2022 and 2023. The group infected 14,000 of these devices before Fortinet publicly disclosed the vulnerability.
- In the campaign against FortiGate devices, the threat actors deployed a sophisticated and persistent backdoor called "COATHANGER". This malware is designed to be stealthy and to survive reboots and firmware upgrades, making it difficult to detect and remove.
- This is part of a larger pattern of attacks against network edge devices; another major recent example is the "Citrix Bleed" vulnerability (CVE-2023-4966). This flaw allowed attackers to hijack authenticated user sessions and was exploited by multiple threat groups, including affiliates of the LockBit ransomware gang.
- The use of AI in attacks is not limited to post-exploitation; cybercriminals are using uncensored LLMs that lack ethical safeguards to generate malicious code and create highly convincing phishing emails.
- Fortinet's SSL VPN, the specific technology targeted, has a history of critical vulnerabilities. Attackers have exploited three similar remote code execution flaws in the same software in two years (CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762).
- This trend of targeting remotely accessible services was also seen in the recent ConnectWise ScreenConnect vulnerabilities (CVE-2024-1709 and CVE-2024-1708). The critical authentication bypass flaw received the highest possible CVSS severity score of 10.0 due to its ease of exploitation.
- After initial access, some attackers have been found to create a symbolic link (symlink) on compromised FortiGate devices. This technique allowed them to maintain read-only access to system files, including configurations, even after the device was patched.
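The symlink persistence point in the last item is the one technique in this briefing a defender can check for directly: a link planted inside a directory that survives patching, pointing at configuration or system files elsewhere. The following is an added example, not code from the briefing or from Fortinet. It walks a directory tree without following links and reports every symlink whose resolved target lies outside that tree, then runs over a constructed temporary fixture containing one benign in-tree link and one link that escapes into a constructed "system" directory. The directory and file names and the `find_escaping_symlinks` and `build_demo_tree` functions are assumptions made for illustration; no FortiGate paths appear here.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(root):
    """Return sorted (link, resolved_target) pairs for every symlink under
    `root` whose target resolves to a location outside `root`.

    The walk does not follow links (os.walk default), so a planted link to a
    directory is reported once rather than descended into. Links that stay
    inside the tree are normal; a link that leaves it and lands on
    configuration or system files is the pattern the briefing describes.
    """
    root = Path(root).resolve()
    escaping = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = link.resolve()  # follows the whole chain; dangling targets allowed
            inside = target == root or root in target.parents
            if not inside:
                escaping.append((str(link.relative_to(root)), str(target)))
    return sorted(escaping)


def build_demo_tree():
    """Constructed fixture (assumption, not a real device layout): a 'served'
    tree with one benign relative link and one link escaping to a sibling
    'system' directory holding a constructed config file. Returns the
    'served' path to scan."""
    base = Path(tempfile.mkdtemp(prefix="symlink-demo-"))
    served = base / "served"
    (served / "lang").mkdir(parents=True)
    (served / "lang" / "en.json").write_text("{}")
    # Benign: relative link that resolves to a file inside the served tree.
    os.symlink("en.json", served / "lang" / "default.json")
    # Escaping: link from inside the served tree to a directory outside it.
    system = base / "system"
    system.mkdir()
    (system / "config.conf").write_text("constructed-sample-config\n")
    os.symlink(str(system), served / "lang" / "root")
    return served


if __name__ == "__main__":
    served = build_demo_tree()
    for link, target in find_escaping_symlinks(served):
        print(f"ESCAPING SYMLINK: {link} -> {target}")
```

On a real host the useful input is the directory a service reads or serves to unauthenticated clients, compared after every patch cycle against a known-good inventory; a link that appears there and resolves outside the directory is worth treating as an incident finding, not a configuration quirk.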

Shared from Scout.