We were hacked
We were hacked by CVE-2022-40684. The attackers gained access yesterday. Based on my rudimentary knowledge of Fortinet log analysis, they first downloaded our system config file four times using the "Local_Process_Access". Then they created a fake admin "fortigate-tech-support" and uploaded & ran a script on our device. Created a ticket with Fortinet and their response was underwhelming: "too bad, restore from backup". How about a more detailed analysis? How about downloading a copy of the script to see what it did? For a 9.6 CVSS that affects more than 100,000 devices worldwide, we demand a better response than "too bad, restore from backup". #angry