A suspected China-nexus threat actor exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa.
Telemetry evidence gathered by Google-owned Mandiant indicates that the exploitation occurred as early as October 2022, at least nearly two months before fixes were released.
This incident continues China's pattern of exploiting internet-facing devices, specifically those used for managed security purposes (e.g., firewalls, IPS/IDS appliances).
The attacks entailed the use of a sophisticated backdoor dubbed BOLDMOVE, a Linux variant of which is specifically designed to run on Fortinet's FortiGate firewalls.
The intrusion vector in question is the exploitation of CVE-2022-42475, a heap-based buffer overflow vulnerability in FortiOS SSL-VPN that could result in unauthenticated remote code execution via specifically crafted requests.
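To make the bug class concrete, the following is an added illustration written for this page; it is not FortiOS code and says nothing about how CVE-2022-42475 itself is laid out. It models the generic shape of a heap-based overflow in a request parser: a client-supplied length is trusted as the size of a `memcpy` into a fixed-size heap allocation. The struct, the `FIELD_MAX` size and the function names are assumptions for the example; the hardened variant shows the bounds check a defender would expect to see on that path.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed example: a parser for one length-prefixed request field.
 * FIELD_MAX, request_field_t and the function names are assumptions made
 * for this illustration, not identifiers from FortiOS. */
#define FIELD_MAX 64

typedef struct {
    size_t len;                 /* length the client claims for the field */
    const unsigned char *data;  /* field bytes as received from the client */
} request_field_t;

/* Vulnerable shape: req->len is trusted and used as the copy size for a
 * heap buffer of exactly FIELD_MAX bytes. A request whose claimed length
 * exceeds FIELD_MAX writes past the end of the allocation (heap corruption).
 * Shown only to make the defect visible; it is not exercised below. */
unsigned char *parse_field_unchecked(const request_field_t *req)
{
    unsigned char *buf = malloc(FIELD_MAX);
    if (buf == NULL)
        return NULL;
    memcpy(buf, req->data, req->len);   /* overflow when req->len > FIELD_MAX */
    return buf;
}

/* Hardened shape: validate the claimed length against the allocation size
 * before any copy happens, and fail closed on bad input. Sets *rejected to 1
 * and returns NULL when the request is refused. */
unsigned char *parse_field_checked(const request_field_t *req, int *rejected)
{
    *rejected = 0;
    if (req == NULL || req->data == NULL || req->len > FIELD_MAX) {
        *rejected = 1;
        return NULL;
    }
    unsigned char *buf = calloc(1, FIELD_MAX);  /* zeroed: no stale heap data */
    if (buf == NULL) {
        *rejected = 1;
        return NULL;
    }
    memcpy(buf, req->data, req->len);           /* now bounded by FIELD_MAX */
    return buf;
}

/* Helper for checking the policy: builds a constructed field of n bytes and
 * returns 1 if the hardened parser accepts it, 0 if it rejects it. */
int accepts_length(size_t n)
{
    unsigned char *data = malloc(n ? n : 1);
    if (data == NULL)
        return 0;
    memset(data, 'A', n);
    request_field_t req = { n, data };
    int rejected = 0;
    unsigned char *out = parse_field_checked(&req, &rejected);
    free(out);
    free(data);
    return rejected ? 0 : 1;
}
```

The check worth noting is that the comparison happens against the size the code will actually allocate, before the copy, rather than relying on the client's framing to be honest; accepting exactly `FIELD_MAX` bytes and rejecting `FIELD_MAX + 1` is the boundary a unit test for such a parser should pin down.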
Fortinet disclosed that unknown hacking groups have capitalized on the shortcoming to target governments and other large organizations with a generic Linux implant capable of delivering additional payloads and executing commands sent by a remote server.
The latest findings from Mandiant indicate that the threat actor managed to abuse the vulnerability as a zero-day to its advantage and breach targeted networks for espionage operations.
With BOLDMOVE, the attackers not only developed an exploit but also malware that shows an in-depth understanding of systems, services, and undocumented proprietary .
The malware, which is written in C, is said to have Windows and Linux flavors, with the latter capable of reading data from a file format that is proprietary to Fortinet. Metadata analysis of the Windows variants of the backdoor shows they were compiled in 2021, although no samples have been detected in the wild.
BOLDMOVE is designed to carry out a system survey and is capable of receiving commands from a command-and-control (C2) server that allow attackers to perform file operations, spawn a remote shell, and relay traffic through the infected host.