Headline
Backdoor into FortiOS: Chinese Threat Actors Utilize 0-Day
By Deeba Ahmed Chinese hackers are exploiting a previously patched vulnerability found in Fortinet FortiOS SSL-VPN by using new malware called BOLDMOVE. This is a post from HackRead.com Read the original post: Backdoor into FortiOS: Chinese Threat Actors Utilize 0-Day
The attackers are targeting FortiOS customers, including an Africa-based MSP (managed service provider) and a European government entity.
Fortinet is an international provider of network security solutions that protect organizations from cyber threats. Lately, Fortinet’s products are quite popular among cybercriminals worldwide due to security vulnerabilities.
According to the latest report from cybersecurity firm Mandiant, a Chinese threat actor is using malware and exploiting a previously patched vulnerability found in Fortinet FortiOS SSL-VPN as a zero-day. The attacker is targeting an Africa-based MSP (managed service provider) and a European government entity.
Findings Details
Google-owned Mandiant discovered the malware in December 2022 which it dubbed BOLDMOVE. Further probe revealed that the threat actor exploited the vulnerability tracked as CVE-2022-42475.
Telemetry data suggested that the malicious activity started in October 2022, around two months before Fortinet released fixes. This bug allowed an unauthenticated attacker to execute arbitrary code on the compromised system and present it in different versions of the FortiOS and FortiProxy technologies.
Researchers were sure about the involvement of a China-based threat actor because the exploit activity showcased the Chinese pattern of exploiting internet-exposed devices, mainly those used for managed security purposes like IDS appliances and firewalls.
Furthermore, the backdoor was specifically designed to run on Fortinet FortiGate firewalls. The activity aims to conduct cyber-espionage operations against government entities or those associated with them.
About the Malware
As per Ben Read, Mandiant’s cyber-espionage analysis director, BOLDMOVE was discovered in December in a public repository and linked to the bug found earlier in FortiOS SSL-VPN because the company had released it in its initial vulnerability disclosure.
The backdoor is written in C and has two versions, one for Windows and the other a Linux version, which the adversary has probably customized for FortiOS. When the Linux version is executed, it tries to connect to a hardcoded C2 server.
If the attack is successful, BOLDMOVE collects information about the system it landed on and conveys it to the C2 server. Then the instructions are relayed to the malware, after which the adversary gains complete remote control of the impacted FortiOS device.
Read noted that some of the malware’s core functions, like the capability of downloading additional files or opening a reverse shell, are pretty typical. However, the customized Linux version is more dangerous as it can manipulate some features specific to the FortiOS.
“With BOLDMOVE, the attackers not only developed an exploit, but malware that shows an in-depth understanding of systems, services, logging, and undocumented proprietary formats,” Mandiant’s report read.
- Chinese Hackers Hiding Malware in Windows Logo
- Hackers exploiting critical vulnerabilities in Fortinet VPN
- FBI issues flash alert after APT groups exploited VPN flaws
- Hackers dump login data of Fortinet VPN users in plain-text
- Windows, Linux & macOS Users Targeted by Chinese Group
Related news
More on the recent Snowflake breach, MFA bypass techniques and more.
The China-nexus cyber espionage actor linked to the zero-day exploitation of security flaws in Fortinet, Ivanti, and VMware devices has been observed utilizing multiple persistence mechanisms in order to maintain unfettered access to compromised environments. "Persistence mechanisms encompassed network devices, hypervisors, and virtual machines, ensuring alternative channels remain available
By Deeba Ahmed Patch Now or Get Hacked: Researchers Confirm Potentially Active Exploitation of One of the FortiOS Flaws in the Wild. This is a post from HackRead.com Read the original post: CISA and Fortinet Warns of New FortiOS Zero-Day Flaws
Fortinet has disclosed a new critical security flaw in FortiOS SSL VPN that it said is likely being exploited in the wild. The vulnerability, CVE-2024-21762 (CVSS score: 9.6), allows for the execution of arbitrary code and commands. "A out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially
By Deeba Ahmed Chinese state-backed hackers targeted Dutch military networks by exploiting a vulnerability in a FortiGate device. This is a post from HackRead.com Read the original post: Chinese Hackers Infiltrate Dutch Defense Networks with Coathanger RAT
Chinese state-backed hackers broke into a computer network that's used by the Dutch armed forces by targeting Fortinet FortiGate devices. "This [computer network] was used for unclassified research and development (R&D)," the Dutch Military Intelligence and Security Service (MIVD) said in a statement. "Because this system was self-contained, it did not lead to any damage to the
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday warned that multiple nation-state actors are exploiting security flaws in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus to gain unauthorized access and establish persistence on compromised systems. “Nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized
Users urged to apply updates to FortiOS SSL-VPN after attackers may have leveraged a recently discovered vulnerability in attacks against government, manufacturing, and critical infrastructure organizations.
Fortinet on Monday disclosed that a newly patched critical flaw impacting FortiOS and FortiProxy may have been "exploited in a limited number of cases" in attacks targeting government, manufacturing, and critical infrastructure sectors. The vulnerability, tracked as CVE-2023-27997 (CVSS score: 9.2), concerns a heap-based buffer overflow vulnerability in FortiOS and FortiProxy SSL-VPN that could
Nearly 20% of the zero-day flaws that attackers exploited in 2022 were in network, security, and IT management products, Mandiant says.
As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple. While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significant uptick in recent years of threat actors leveraging unknown security flaws to their advantage. The
Government entities and large organizations have been targeted by an unknown threat actor by exploiting a security flaw in Fortinet FortiOS software to result in data loss and OS and file corruption. "The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," Fortinet researchers Guillaume Lovet and Alex Kong said in an
A suspected China-nexus threat actor exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa. Telemetry evidence gathered by Google-owned Mandiant indicates that the exploitation occurred as early as October 2022, at least nearly two months before fixes were
The "BoldMove" backdoor demonstrates a high level of knowledge of FortiOS, according to Mandiant researchers, who said the attacker appears to be based out of China.
A zero-day vulnerability in FortiOS SSL-VPN that Fortinet addressed last month was exploited by unknown actors in attacks targeting the government and other large organizations. "The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," Fortinet researchers said in a post-mortem analysis published this week. The
A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
The U.S. National Security Agency (NSA) on Tuesday said a threat actor tracked as APT5 has been actively exploiting a zero-day flaw in Citrix Application Delivery Controller (ADC) and Gateway to take over affected systems. The critical remote code execution vulnerability, identified as CVE-2022-27518, could allow an unauthenticated attacker to execute commands remotely on vulnerable devices and
Fortinet on Monday issued emergency patches for a severe security flaw affecting its FortiOS SSL-VPN product that it said is being actively exploited in the wild. Tracked as CVE-2022-42475 (CVSS score: 9.3), the critical bug relates to a heap-based buffer overflow vulnerability that could allow an unauthenticated attacker to execute arbitrary code via specially crafted requests. The company said