
Suspected China-linked attackers exploited the recently patched Fortinet FortiOS SSL-VPN vulnerability as a zero-day in attacks targeting a European government entity and managed service providers (MSPs) in Africa.
Telemetry evidence collected by Google-owned Mandiant indicates that the exploitation occurred as early as October 2022, nearly two months before the fix was released.
“This incident continues a pattern in China of exploiting Internet-connected devices, especially those used for managed security purposes (firewalls, IPS/IDS appliances, etc.),” Mandiant researchers said in a technical report.
The attack involved the use of a sophisticated backdoor tracked as BOLDMOVE, a Linux variant of which was specifically designed to run on Fortinet’s FortiGate firewalls.
The intrusion vector in question is the exploitation of CVE-2022-42475, a heap-based buffer overflow vulnerability in FortiOS SSL-VPN that could lead to unauthenticated remote code execution via specially crafted requests.
Earlier this month, Fortinet disclosed that an unknown hacking group had taken advantage of this shortcoming to target governments and other large organizations with a generic Linux implant capable of delivering additional payloads and executing commands sent from a remote server.
Mandiant’s latest findings show that attackers have exploited the vulnerability as a zero-day exploit to gain access to targeted networks for espionage.
“With BOLDMOVE, the attackers not only developed an exploit, but malware that shows an in-depth understanding of systems, services, logging, and undocumented proprietary formats,” the threat intelligence firm said.
The malware is written in C and is said to exist in both Windows and Linux variants, the latter of which can read data from a Fortinet proprietary file format. Metadata analysis of the Windows flavor of the backdoor indicates that it was compiled as far back as 2021, although no actual samples have been detected.
Designed to carry out a survey of the compromised system, BOLDMOVE can receive commands from a command-and-control (C2) server.
Extended Linux samples of the malware come with additional features to disable and manipulate logging in order to evade detection, corroborating Fortinet’s report.
“The exploitation of zero-day vulnerabilities in network devices and the subsequent installation of custom implants is consistent with previous Chinese exploitation of network devices,” said Mandiant.