A suspected China-based threat group exploited a flaw in Fortinet FortiOS SSL-VPN as a zero-day attack. The threat group targeted a government entity in Europe and an MSP based in Africa.
The exploitation
According to Mandiant’s recent report, the exploitation happened in October 2022, two months before the fixes were released.
- The attackers exploited internet-facing devices used for managed security purposes (e.g., IPS\IDS appliances, firewalls).
- The attacker used a heap-based buffer overflow flaw (CVE-2022-42475) in FortiOS SSL-VPN. It could end up in unauthenticated RCE using specifically crafted requests.
- The attacks used the BOLDMOVE backdoor, a Linux variant specifically created to run on Fortinet’s FortiGate firewalls.
Making a BOLDMOVE
The BOLDMOVE backdoor is written in C and supports both Windows and Linux systems. The Linux variant is equipped with a feature to read data from a file format proprietary to Fortinet.
- The Windows variants were compiled in 2021, however, no samples have been spotted in the wild so far.
- The threat performs a survey of the infected system and collects information that helps the attack uniquely identify the machine.
- It receives commands from a C2 server, allowing attackers to perform file operations, relay traffic via the infected host, and spawn a remote shell.
- An extended Linux sample of the malware disables and manipulates logging features (called Indicator Blocking) to avoid detection.
Conclusion
The recent report shows how attackers are exploiting zero-day flaws to target high-value targets such as MSP to gain access to a wider network of its customers. Further, the attackers are using custom implants, which is consistent with previous Chinese exploitation. Thus, organizations are suggested to plan their strategies by keeping these TTPs in consideration. It is suggested to have a robust patch management plan and ample security for sensitive data.