Recent threat intelligence has revealed exploitation of a since-patched vulnerability in Fortinet’s FortiOS SSL-VPN. At the time of the intrusions the flaw was still a zero-day, and it is believed to have been leveraged by a suspected China-nexus, state-sponsored threat actor against a government entity in Europe and a managed service provider (MSP) in Africa.

Evidence gathered by Mandiant, part of Google, shows that exploitation began as early as October 2022, roughly two months before Fortinet released fixes. The targeted attacks fit a broader trend in which state actors exploit internet-facing security appliances, such as firewalls and intrusion prevention systems, for cyber-espionage: these devices sit at the network edge, rarely support endpoint detection tooling, and give an attacker a durable, trusted position once compromised.

The attackers deployed a backdoor that Mandiant tracks as BOLDMOVE. The Linux variant of the malware is built specifically for Fortinet’s FortiGate firewalls. Mandiant’s technical report ties the intrusions to CVE-2022-42475, a heap-based buffer overflow in the FortiOS SSL-VPN component that allows an unauthenticated remote attacker to execute arbitrary code by sending specially crafted requests.

Fortinet had earlier disclosed that the vulnerability was being exploited in attacks against governments and government-related organizations. The Linux implant is a generic backdoor: it can fetch and run additional payloads and execute commands on instruction from a remote server. Mandiant’s findings confirm that the attackers used the flaw, while it was still unpatched, to gain a foothold in targeted networks for espionage.

According to Mandiant, BOLDMOVE shows a deep understanding of FortiOS: it can interact with the appliance’s own system services and handle Fortinet’s proprietary file formats. The malware is written in C and exists in both Windows and Linux builds; the Linux build is the one able to read a Fortinet-proprietary file format, which points to development effort aimed squarely at this platform. Compilation timestamps on the Windows builds go back to 2021, although no Windows samples have been observed in the wild, and such timestamps are trivial to forge, so they should be treated as a weak signal of when development started.

On execution, BOLDMOVE performs a system survey and then takes commands from a command-and-control (C2) server, allowing the operators to perform file operations, spawn remote shells, and relay traffic through the compromised host. An extended Linux variant additionally disables and manipulates FortiOS logging so that the intrusion leaves fewer traces on the appliance itself; this matches Fortinet’s own observation that the malware tampered with the device’s logging processes to evade detection.
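One cheap hunting signal that follows from the logging tampering described above is a device whose syslog stream goes quiet while its peers keep reporting. The script below is an added example written for this page, not code from Mandiant, Fortinet, or the threat actor; the log lines are constructed samples in FortiGate-style key=value format, and the device names, field handling, and thresholds are assumptions. It learns each device’s normal logging cadence from the batch and flags any device that has been silent for longer than a multiple of that cadence.

```python
"""Flag log sources that have gone silent relative to their own cadence.

Added example (not from the original report or any vendor tooling). The
implant described above disables logging on the appliance, so a firewall
that stops emitting syslog while still online is worth a look. Field names,
device names and thresholds below are illustrative assumptions.
"""
import re
from datetime import datetime
from statistics import median

# Constructed FortiGate-style syslog lines (sample data, not real device output).
# fw-branch-1 keeps logging every five minutes; fw-branch-2 stops after 09:10.
SAMPLE_LOGS = """\
date=2022-10-12 time=09:00:05 devname="fw-branch-1" logid="0100032002" type="event" subtype="system" msg="Admin login successful"
date=2022-10-12 time=09:00:07 devname="fw-branch-2" logid="0100032002" type="event" subtype="system" msg="Admin login successful"
date=2022-10-12 time=09:05:01 devname="fw-branch-1" logid="0000000013" type="traffic" subtype="forward" msg="Accept"
date=2022-10-12 time=09:05:03 devname="fw-branch-2" logid="0000000013" type="traffic" subtype="forward" msg="Accept"
date=2022-10-12 time=09:10:00 devname="fw-branch-1" logid="0000000013" type="traffic" subtype="forward" msg="Accept"
date=2022-10-12 time=09:10:02 devname="fw-branch-2" logid="0000000013" type="traffic" subtype="forward" msg="Accept"
date=2022-10-12 time=09:15:00 devname="fw-branch-1" logid="0000000013" type="traffic" subtype="forward" msg="Accept"
date=2022-10-12 time=09:20:00 devname="fw-branch-1" logid="0000000013" type="traffic" subtype="forward" msg="Accept"
date=2022-10-12 time=09:25:00 devname="fw-branch-1" logid="0000000013" type="traffic" subtype="forward" msg="Accept"
date=2022-10-12 time=09:30:00 devname="fw-branch-1" logid="0000000013" type="traffic" subtype="forward" msg="Accept"
"""

# key=value pairs; values may be bare tokens or double-quoted strings with spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict with a 'ts' datetime.

    Returns None when the line lacks the date, time or devname fields,
    so malformed or unrelated lines are skipped rather than crashing the scan.
    """
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if not all(k in fields for k in ("date", "time", "devname")):
        return None
    fields["ts"] = datetime.strptime(
        f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S"
    )
    return fields


def timestamps_by_device(text):
    """Group sorted event timestamps by the devname that emitted them."""
    per_dev = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            per_dev.setdefault(rec["devname"], []).append(rec["ts"])
    return {dev: sorted(ts) for dev, ts in per_dev.items()}


def find_silent_devices(text, now=None, multiplier=3, min_events=3):
    """Return devices whose silence exceeds `multiplier` x their usual interval.

    The expected interval is the median gap between a device's own events, so
    chatty and quiet devices each get their own baseline. `now` defaults to the
    latest timestamp in the batch, which suits offline analysis of a log export.
    """
    per_dev = timestamps_by_device(text)
    if now is None:
        now = max(ts[-1] for ts in per_dev.values())
    silent = {}
    for dev, ts in per_dev.items():
        if len(ts) < min_events:
            continue  # too little history to estimate a cadence
        intervals = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        expected = median(intervals)
        gap = (now - ts[-1]).total_seconds()
        if gap > multiplier * expected:
            silent[dev] = {"last_seen": ts[-1], "gap_s": gap, "expected_s": expected}
    return silent


if __name__ == "__main__":
    for dev, info in find_silent_devices(SAMPLE_LOGS).items():
        print(f"{dev}: last log {info['last_seen']}, silent {info['gap_s']:.0f}s "
              f"(expected every ~{info['expected_s']:.0f}s)")
```

The check only works if logs are forwarded off the appliance: an implant that patches the local logging daemons can rewrite or drop what is stored on the box, but it cannot retroactively remove lines already received by an external collector, and the resulting silence is exactly what this heuristic looks for. Pair the alert with an independent liveness source (SNMP polling, NetFlow from a neighbouring router) to separate a tampered device from one that is simply powered off.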

Exploiting zero-day vulnerabilities in edge networking devices and then deploying purpose-built implants is consistent with previous activity attributed to Chinese threat actors. Mapped to the MITRE ATT&CK framework, the incident spans initial access (exploitation of a public-facing application), persistence (a resident backdoor on the appliance), and defense evasion (tampering with the device’s logging), which underscores the planning behind such operations.

The practical lesson is to treat edge appliances as high-value targets: apply vendor patches promptly, ship their logs to an external collector where tampering or sudden silence becomes visible, and review any device that was exposed during the window between the first known exploitation and the release of the fix.
