Attackers Crafted Custom Malware for Fortinet Zero-Day
The “BoldMove” backdoor demonstrates a high level of knowledge of FortiOS, according to Mandiant researchers, who said the attacker appears to be based out of China.
Researchers analyzing data associated with a recently disclosed zero-day vulnerability in Fortinet’s FortiOS SSL-VPN technology have identified a sophisticated new backdoor specifically designed to run on Fortinet’s FortiGate firewalls.
The malware appears to be the work of a China-based threat actor engaged in cyber-espionage operations targeting government organizations and those working with these organizations. It is the latest example of adversaries from the country targeting firewalls, IPS, IDS, and other Internet-facing technologies that enterprises use for securing their networks, Mandiant said in a report this week.
Researchers from the company came across the malware in a public repository in December and were able to tie it to the Fortinet zero-day bug (CVE-2022-42475) based on information that Fortinet released in its initial vulnerability disclosure. The vulnerability allows an unauthenticated attacker to execute arbitrary code on affected systems and is present in multiple versions of Fortinet’s FortiOS and FortiProxy technologies. When Fortinet disclosed the vulnerability, the company said it was aware of at least one incident where an attacker had exploited the flaw in the wild.
BoldMove Backdoor
Mandiant said the malware it discovered in December — and is tracking as “BoldMove” — is associated with the exploitation of CVE-2022-42475. Available telemetry suggests that exploit activity associated with the malware was occurring as early as October 2022. Targets have included a government entity in Europe and a managed services provider in Africa.
The BoldMove backdoor, written in C, comes in two flavors: a Windows version and a Linux version that the threat actor appears to have customized for FortiOS, Mandiant said. When executed, the Linux version first attempts to connect to a hardcoded command-and-control (C2) server. If the connection succeeds, BoldMove collects information about the system it has landed on and sends it to the C2. The C2 server then issues commands to the implant, and the end result is the threat actor gaining full remote control of the affected FortiOS device.
Ben Read, director of cyber-espionage analysis at Mandiant, says some of the core functions of the malware, such as its ability to download additional files or open a reverse shell, are fairly typical of this type of backdoor. But the customized Linux version of BoldMove also includes capabilities to manipulate specific features of FortiOS.
“The implementation of these features shows an in-depth knowledge of the functioning of Fortinet devices,” Read says. “Also notable is that some of the Linux variant's features appear to have been rewritten to run on lower-powered devices.”
The adversary appears to have compiled the Windows version of BoldMove sometime in 2021, well before the Linux version. Mandiant so far has not detected any in-the-wild exploit activity associated with that version. “The Windows sample we have is 32-bit, so [it] should run on most modern versions of Windows but could be compiled to run on 64-bit machines,” Read says. It would not run on a Fortinet device, however.
Tech Chops
The new cyber-espionage campaign and the BoldMove malware that the attackers are using in the campaign continue a pattern among China-based threat actors — and advanced persistent threats from other nations as well — to target firewalls, IPS, IDS, and other network security devices.
Developing exploits for these technologies can be challenging and requires substantial resources and technical chops.
With BoldMove, “the attackers not only developed an exploit, but malware that shows an in-depth understanding of systems, services, logging, and undocumented proprietary formats,” Mandiant said. But the payoff for attackers can be high because a successful exploit gives them wide access to a network, without requiring any user interaction, the security vendor added.
While Fortinet’s products have been an especially popular target in this regard, threat actors have targeted products from other vendors as well, including Pulse Secure VPNs, Citrix ADCs, and SonicWall appliances. The attacks have prompted multiple advisories from the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), and others.
Schooled in FortiOS
Meanwhile, Fortinet itself last week described the malware associated with CVE-2022-42475 as a variant of a “generic” Linux backdoor that the threat actor has customized for FortiOS. The company said its analysis showed the malicious file may have been masquerading as a component of Fortinet’s IPS engine on compromised systems.
Among the malware’s more advanced features was one for manipulating FortiOS logging to avoid detection, Fortinet said. The malware can locate FortiOS event logs, decompress them in memory, search for and delete entries containing a specific string, and then reconstruct the compressed logs so that the tampering is not obvious. The malware can also shut down logging processes entirely.
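The log-scrubbing step above is easy to reason about when it is written out. The following is an added example, not code from Fortinet, Mandiant, or the BoldMove sample: it models the technique on a gzip-compressed text log (decompress in memory, drop every line containing a target string, recompress), and then shows the check a defender gets from forwarding logs off-device, which is to diff what the collector received against what is still on the appliance. The log lines, the log format, and the indicator string are all constructed for the example and are not FortiOS log records or real indicators.

```python
import gzip
from typing import List

# Constructed sample log (not real FortiOS output). The second line is the entry
# an intruder would want to remove after exploiting the SSL-VPN service.
SAMPLE_LOG = b"\n".join([
    b'date=2022-10-12 time=09:15:01 type=event level=information msg="Admin login successful"',
    b'date=2022-10-12 time=09:16:40 type=event level=notice msg="SSL-VPN request from 203.0.113.10"',
    b'date=2022-10-12 time=09:17:02 type=event level=information msg="Configuration saved"',
]) + b"\n"


def compress_log(plain: bytes) -> bytes:
    """Stand-in for the appliance's rotated, compressed log file."""
    return gzip.compress(plain)


def scrub_compressed_log(blob: bytes, needle: bytes) -> bytes:
    """Attacker-side technique as described in the text: inflate the archive in
    memory, delete every line containing `needle`, and write a fresh, valid
    archive back so the file still decompresses cleanly."""
    lines = gzip.decompress(blob).split(b"\n")
    kept = [line for line in lines if needle not in line]
    return gzip.compress(b"\n".join(kept))


def recover_lines(blob: bytes) -> List[bytes]:
    """Inflate an archive and return its non-empty lines."""
    return [line for line in gzip.decompress(blob).split(b"\n") if line]


def missing_from_device(device_blob: bytes, forwarded_lines: List[bytes]) -> List[bytes]:
    """Defender-side check: every line the remote syslog collector received
    must still exist on the device. Lines present remotely but absent locally
    are evidence that on-device logs were edited after the fact."""
    local = set(recover_lines(device_blob))
    return [line for line in forwarded_lines if line not in local]


if __name__ == "__main__":
    # The collector got the lines as they were emitted, before any tampering.
    forwarded = [line for line in SAMPLE_LOG.split(b"\n") if line]
    on_device = compress_log(SAMPLE_LOG)
    tampered = scrub_compressed_log(on_device, b"203.0.113.10")

    print("untampered device, gaps:", missing_from_device(on_device, forwarded))
    print("tampered device, gaps:")
    for line in missing_from_device(tampered, forwarded):
        print("  ", line.decode())
```

The point of the example is the second half: the scrub leaves a structurally valid archive, so nothing on the appliance itself flags it. Only a copy that left the device before the intrusion (syslog or a SIEM forwarder) gives the comparison something to work with, which is why off-box logging is the practical mitigation for this class of anti-forensics.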
“The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets,” Fortinet said.
According to Fortinet, developing the exploit would have required the threat actor to have a “deep understanding” of FortiOS and the underlying hardware. “The use of custom implants shows that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS,” the vendor said.