Chinese Hackers Exploiting 0-day Vulnerability in Fortinet Products



Mandiant recently reported that a China-linked hacking group exploited a FortiOS SSL-VPN vulnerability that was disclosed as a zero-day in December.


The hackers targeted a European government organization and an Africa-based managed service provider with new, purpose-built malware called BOLDMOVE, which has variants for both Linux and Windows.


The vulnerability, designated as CVE-2022-42475, was addressed by Fortinet in November without any public announcement.


However, in December, Fortinet made the vulnerability publicly known and urged their customers to take action in patching their devices, as it had been discovered that malicious actors were actively taking advantage of the flaw.


Fortinet only recently provided further insight into how the vulnerability was exploited, revealing that attackers had targeted government organizations using custom malware tailored specifically to run on FortiOS devices.


The hackers aimed to maintain a foothold on the targeted devices by using the custom malware to tamper with FortiOS logging processes. The malware patched those processes to remove certain log entries or to disable logging altogether, in order to evade detection.


BOLDMOVE is written in C and has versions for both Windows and Linux. The Linux variant specifically targets Fortinet devices, as it reads data from a Fortinet-specific file.

Mandiant has identified several versions of BOLDMOVE that vary in capability, but a core set of features is present in all samples, including the following:



  • Perform system survey
  • Receive commands from the C2 server
  • Spawn a remote shell
  • Relay traffic via the infected host

BOLDMOVE supports a number of commands that allow threat actors to do the following remotely:



  • Manage files
  • Execute commands
  • Create an interactive shell
  • Control the backdoor

Mandiant researchers explained that the bug is a local directory traversal zero-day vulnerability in FortiOS, tracked as CVE-2022-41328, which Fortinet patched in March 2023.

Researchers believe a China-linked threat actor used the zero-day vulnerability to access victim environments and deploy multiple custom malware strains on the OS, planting backdoors in Fortinet and VMware software to maintain persistence.

Who is the Attacker?


Mandiant believes that a China-linked group tracked as UNC3886 is exploiting this vulnerability. The group is associated with the novel VMware ESXi hypervisor malware framework discovered in September 2022. At that time, Mandiant researchers observed that UNC3886 was directly connected to FortiManager and FortiGate devices carrying VIRTUALPITA backdoors.



According to Mandiant CTO Charles Carmakal, Chinese threat actors have recently targeted the defense industrial base (DIB), telecoms, government, and technology organizations. Because detecting whether one of these devices has been compromised is hard, intrusions can persist for years.

That is why organizations must harden these devices and continuously monitor them for suspicious activity, the researchers concluded.

