A new cyber incident has emerged involving an unknown threat actor exploiting a vulnerability in Fortinet’s FortiOS software. The attack has resulted in significant data loss and corruption of operating systems and files, primarily targeting government entities and large organizations.
Fortinet researchers Guillaume Lovet and Alex Kong, in an advisory issued last week, suggested that the sophistication of the exploit indicates a highly advanced adversary specifically focused on governmental or affiliated organizations. The zero-day flaw, classified as CVE-2022-41328, has a CVSS score of 6.5, revealing a medium-severity path traversal vulnerability that could permit arbitrary code execution.
The identified vulnerability allows a privileged attacker to perform unauthorized file operations through specially crafted CLI commands, as noted by Fortinet. The exploit affects several versions of FortiOS, including 6.0, 6.2, and various releases in the 7.x range, prompting the company to issue patches in the more secure editions—6.4.12, 7.0.10, and 7.2.4.
The discovery of this flaw follows closely on the heels of Fortinet’s recent release of patches for 15 vulnerabilities, including CVE-2022-41328 and a critical heap-based buffer underflow issue (CVE-2023-25610) impacting both FortiOS and FortiProxy, the latter rated with a CVSS score of 9.3. Fortinet revealed this critical defect was detected after unspecified FortiGate devices experienced sudden failures and boot issues that hinted at potential breaches of operational integrity.
In-depth analysis revealed that the attackers manipulated the firmware of affected devices to embed a malicious payload named “/bin/fgfm.” This malware is programmed to establish a connection with a remote server to download additional files, exfiltrate sensitive data from the compromised systems, and provide remote shell access to the attacker.
Notably, additional modifications to the firmware may have granted the adversaries persistent access and control over the devices, potentially allowing them to disable firmware verification during startup processes. This degree of access suggests an intimate understanding of FortiOS and its underlying architecture, reinforcing the notion that the attack was executed by highly skilled individuals.
Given the targets have included governmental or government-associated entities, this incident raises significant concerns regarding national security. The tactics reflected in this attack—such as initial access through vulnerabilities, ongoing persistence via firmware manipulation, and probable privilege escalation—align with several techniques outlined in the MITRE ATT&CK framework, particularly under the categories of “Initial Access,” “Persistence,” and “Privilege Escalation.”
While it remains unknown if the threat actor is linked to previous campaigns exploiting various vulnerabilities in Fortinet products, the breadth and complexity of this attack underscore the importance of timely patching and rigorous security protocols within organizations, particularly those holding sensitive information.