
The FortiOS SSL-VPN zero-day vulnerability that Fortinet addressed last month was exploited by an unknown actor in attacks targeting governments and other large organizations.
In a postmortem analysis published this week, Fortinet researchers said, “The complexity of the exploit suggests it is a sophisticated attacker and highly targeted to government or government-affiliated targets.”
The attack contained an exploit for CVE-2022-42475, a heap-based buffer overflow flaw that allows an unauthenticated, remote attacker to execute arbitrary code via specially crafted requests.
The infection chain analyzed by Fortinet indicates that the end goal was to deploy a general-purpose, well-documented Linux implant modified for FortiOS, capable of compromising Fortinet’s Intrusion Prevention System (IPS) software and establishing connections with remote servers to download additional malware and execute commands.
Fortinet said it was unable to recover the payload used in subsequent stages of the attack. It did not disclose when the break-in took place.

Additionally, the exploit reveals the use of obfuscation to thwart analysis and “advanced capabilities” to manipulate FortiOS logging and terminate the logging process to remain undetected.
“It searches the elog file, which is a log of FortiOS events,” said the researchers. “After unzipping it in memory, it searches for and removes attacker-specified strings and reconstructs the log.”
The network security firm also said the exploit required “a deep understanding of FortiOS and its underlying hardware” and that the attackers had the skills to reverse engineer various parts of FortiOS.
“Windows samples attributed to the attackers exhibited artifacts showing they were compiled on machines in the UTC+8 timezone, which includes Australia, China, Russia, Singapore, and other East Asian countries,” it added.