The attackers are targeting FortiOS customers, including an Africa-based MSP (managed service provider) and a European government entity.
Fortinet is an international provider of network security products that protect organizations from cyber threats. Lately its products have become a frequent target for attackers worldwide because of security vulnerabilities found in them.
According to the latest report from cybersecurity firm Mandiant, a suspected Chinese threat actor is deploying custom malware through a vulnerability in Fortinet FortiOS SSL-VPN that it exploited as a zero-day before Fortinet released a patch. Targets include an Africa-based MSP (managed service provider) and a European government entity.
Google-owned Mandiant discovered the malware, which it dubbed BOLDMOVE, in December 2022. Further analysis revealed that the threat actor exploited the vulnerability tracked as CVE-2022-42475.
Telemetry data suggested that the malicious activity started in October 2022, around two months before Fortinet released fixes. The bug, a heap-based buffer overflow in the SSL-VPN daemon, allows an unauthenticated attacker to execute arbitrary code on the affected device and is present in multiple versions of FortiOS and FortiProxy.
Researchers attributed the activity to a China-based threat actor because it fits a pattern seen in Chinese operations: exploiting internet-exposed devices, particularly those used for managed security purposes such as IDS appliances and firewalls.
Furthermore, the backdoor was specifically designed to run on Fortinet FortiGate firewalls. The activity aims at cyber-espionage against government entities and organizations associated with them.
About the Malware
As per Ben Read, Mandiant's director of cyber-espionage analysis, BOLDMOVE was discovered in December in a public malware repository and linked to the FortiOS SSL-VPN bug because Fortinet had included it in its initial vulnerability disclosure.
The backdoor is written in C and has two versions, one for Windows and one for Linux; the Linux variant appears to have been customized by the adversary for FortiOS. When executed, the Linux version attempts to connect to a hardcoded C2 server.
If the connection succeeds, BOLDMOVE collects information about the host it landed on and sends it to the C2 server. Instructions are then relayed back to the malware, giving the adversary full remote control of the compromised FortiOS device.
Read noted that some of the malware's core functions, such as downloading additional files or opening a reverse shell, are fairly typical. However, the customized Linux version is more dangerous because it can manipulate features specific to FortiOS.
“With BOLDMOVE, the attackers not only developed an exploit, but malware that shows an in-depth understanding of systems, services, logging, and undocumented proprietary formats,” Mandiant’s report read.
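The hardcoded-C2 behaviour described above suggests one practical check defenders can run on their own telemetry: an appliance that should only talk to a handful of update and management endpoints, but that contacts the same unapproved external host at near-constant intervals, deserves a closer look. The Python script below is an added example, not code from the article, from Mandiant or from Fortinet, and everything in it is hypothetical: the flow records are constructed (RFC 5737 documentation addresses), the allowlist and the thresholds (at least four connections, coefficient of variation of the inter-connection gap at most 0.2) are assumptions to tune against your own baseline, and the record format is a plain tuple rather than any Fortinet log format.

```python
"""Beacon detection over constructed firewall egress records.

Added example: flags (src, dst, dport) triples whose outbound connections
recur at near-constant intervals, the pattern a hardcoded C2 beacon leaves.
Not the article's, Mandiant's or Fortinet's code; every input is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (timestamp_seconds, src_ip, dst_ip, dst_port).
# 192.0.2.1 plays the appliance; 198.51.100.7 plays the unapproved C2 host.
SAMPLE_FLOWS = [
    # regular ~300 s beacon with small jitter from the appliance
    (0, "192.0.2.1", "198.51.100.7", 443),
    (301, "192.0.2.1", "198.51.100.7", 443),
    (598, "192.0.2.1", "198.51.100.7", 443),
    (902, "192.0.2.1", "198.51.100.7", 443),
    (1199, "192.0.2.1", "198.51.100.7", 443),
    (1503, "192.0.2.1", "198.51.100.7", 443),
    (1798, "192.0.2.1", "198.51.100.7", 443),
    (2101, "192.0.2.1", "198.51.100.7", 443),
    # equally regular traffic to an allowlisted host (e.g. an update server)
    (5, "192.0.2.1", "203.0.113.10", 443),
    (605, "192.0.2.1", "203.0.113.10", 443),
    (1205, "192.0.2.1", "203.0.113.10", 443),
    (1805, "192.0.2.1", "203.0.113.10", 443),
    # irregular, human-driven browsing from a workstation
    (10, "192.0.2.50", "198.51.100.20", 443),
    (15, "192.0.2.50", "198.51.100.20", 443),
    (700, "192.0.2.50", "198.51.100.20", 443),
    (710, "192.0.2.50", "198.51.100.20", 443),
    (2000, "192.0.2.50", "198.51.100.20", 443),
]

# Assumed allowlist of destinations the appliance is expected to reach.
ALLOWLIST = {"203.0.113.10"}


def group_flows(flows, allowlist=ALLOWLIST):
    """Bucket connection timestamps by (src, dst, dport), dropping allowlisted dsts."""
    groups = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dst in allowlist:
            continue
        groups[(src, dst, dport)].append(ts)
    return groups


def beacon_score(timestamps, min_events=4):
    """Return (mean_interval, coefficient_of_variation) or None if too few events.

    A low coefficient of variation (stdev / mean of the gaps between
    connections) means the connections recur on a near-fixed schedule.
    """
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    intervals = [later - earlier for earlier, later in zip(ts, ts[1:])]
    mu = mean(intervals)
    if mu <= 0:
        return None
    return mu, pstdev(intervals) / mu


def find_beacons(flows, allowlist=ALLOWLIST, max_cv=0.2, min_events=4):
    """List every non-allowlisted (src, dst, dport) that beacons regularly."""
    hits = []
    for (src, dst, dport), stamps in group_flows(flows, allowlist).items():
        score = beacon_score(stamps, min_events)
        if score is None:
            continue
        period, cv = score
        if cv <= max_cv:
            hits.append({
                "src": src, "dst": dst, "dport": dport,
                "events": len(stamps),
                "period_s": round(period),
                "cv": round(cv, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print(f"possible beacon: {hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"every ~{hit['period_s']}s over {hit['events']} connections "
              f"(cv={hit['cv']})")
```

On the constructed input only the appliance's traffic to 198.51.100.7 is reported; the allowlisted update traffic is skipped and the workstation's bursty browsing has far too much interval variance. In practice the records would come from NetFlow or firewall egress logs, and the allowlist would be the device's documented set of vendor and management endpoints. The check is deliberately narrow: an implant that randomizes its sleep between callbacks will push the coefficient of variation above the threshold, so treat this as one signal alongside destination reputation and unexpected processes on the appliance itself.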