Zero-day vulnerability in Fortinet FortiOS

June 8, 2023

Recently, cybercriminals and nation-state actors have been exploiting a zero-day vulnerability in Fortinet's FortiOS to launch targeted cyberattacks against government entities. The flaw, CVE-2022-40684, is an authentication bypass: an unauthenticated attacker can perform operations on the administrative interface by sending specially crafted HTTP or HTTPS requests. It affects FortiOS, FortiProxy and FortiSwitchManager.

Fortinet has urgently advised customers to upgrade affected devices and, until they can, to disable the HTTP/HTTPS administrative interface or restrict which addresses may reach it. The company has confirmed that it is aware of at least one instance in which the vulnerability was exploited, and public proof-of-concept exploit code is now available, which makes further exploitation likely.

1. CVE-2022-41328

Security researchers have uncovered evidence that a threat actor exploited a vulnerability in Fortinet FortiOS to infect government and government-related entities with custom malware. The flaw, CVE-2022-41328, is a relative path traversal in the FortiOS command line: an attacker who already holds privileged (administrator) access can use crafted CLI commands to read and write arbitrary files on the device's underlying Linux system. Fortinet rates it medium severity (CVSS 6.5), but in the observed intrusions it was the step that turned administrative access into persistent backdoor implants on the appliance.

Because exploitation requires existing administrative credentials, the path traversal matters chiefly as a post-compromise step: once inside, an attacker can write to the underlying file system and change how the device itself behaves. According to Fortinet, an attacker at that point may be able to perform any task needed to compromise an organization, including altering network configurations, adding malicious users and intercepting network traffic.

The threat actor exploited the flaw before Fortinet released a patch in March 2023, which suggests they already had in-depth knowledge of the FortiOS platform and its hardware, as security researcher Gitworm noted on Twitter.

Experts are urging customers running FortiOS, FortiProxy and FortiSwitchManager to upgrade their devices as soon as possible. The Cybersecurity and Infrastructure Security Agency (CISA) has added these Fortinet vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, the list of flaws with confirmed in-the-wild exploitation that federal agencies are required to remediate by a set deadline.

Unpatched FortiOS vulnerabilities have long been a popular target for state-sponsored hackers, including Russian groups, who have used older FortiOS flaws for several years to breach U.S. federal agencies and other government networks.

Mandiant researchers expect state-sponsored actors to keep exploiting vulnerabilities in internet-facing security appliances such as firewalls, VPN gateways and IPS/IDS devices, because these systems generally cannot run endpoint detection and response (EDR) agents or other host-based security tools. That gap gives attackers a convenient foothold from which to take control of the appliance and pivot into the network behind it.

Researchers also note that unpatched holes like these are attractive to state-backed actors because they enable targeted attacks across a wide range of organizations that all run the same appliance. The lack of host-based security controls also makes it harder for defenders to see which processes are running on the device and to spot a planted backdoor.

Accordingly, federal agencies are encouraged to prioritize and apply patches or workarounds for the affected vulnerabilities as soon as possible. Doing so should significantly reduce the attack surface that malicious actors have when targeting government networks.

2. CVE-2022-42475

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned government entities to update their firewall and VPN devices, citing a recent cyberespionage campaign in which attackers exploited a flaw in Fortinet's FortiOS SSL-VPN to gain access to the networks of a European government entity and a managed service provider in Africa.

The vulnerability, CVE-2022-42475, is a heap-based buffer overflow in the FortiOS SSL-VPN daemon (sslvpnd). An unauthenticated remote attacker can trigger it with crafted requests to crash the daemon or, with a working exploit, execute arbitrary code on the device. Fortinet fixed it in FortiOS 7.2.3 in late November 2022 and published an advisory in December 2022; details of how it had been exploited only emerged in January 2023, when Fortinet published its analysis of the intrusion.

Mandiant researchers found that the threat actor had deployed a backdoor it named BOLDMOVE on FortiOS devices compromised through this vulnerability. Mandiant assesses the activity as a China-nexus cyberespionage operation targeting government and government-related entities.

Once on the appliance, BOLDMOVE gives the attacker a foothold for harvesting credentials and launching further attacks against the target's internal network: it can survey the system, issue requests to internal Fortinet services and relay traffic through the compromised device.

Because it runs as a privileged process on the appliance itself, the attacker effectively has full control of the infected device, including the ability to reconfigure it and to tamper with its logging.

Notably, exploitation does not require credentials or physical access: the SSL-VPN service is designed to accept connections from the internet, so any attacker who can reach the SSL-VPN port on a vulnerable device can attempt the overflow remotely.

This vulnerability has been rated critical and is being actively exploited in the wild, so organizations should patch it now. It affects both FortiOS and FortiProxy, so companies running either should take immediate remediation measures. Where SSL-VPN is not needed it should be disabled; where it is, administrators should restrict which source addresses may connect to it. Administrators should also review device logs for the indicators Fortinet published, in particular repeated "Application crashed" events for the sslvpnd process, and upgrade to a fixed version of Fortinet's software.
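The two workarounds just described (disable SSL-VPN, and only allow administration from specific addresses) can be checked mechanically against a configuration export. The following Python is an added example, not Fortinet tooling or code from the article: it parses the config/edit/set/next/end syntax of a FortiOS "show full-configuration" dump and reports SSL-VPN that is enabled and open to any source address, and interfaces that allow HTTP or HTTPS administration without a local-in policy that admits a management address group and denies everything else (the pattern Fortinet's own workaround uses). The embedded config excerpt is constructed in FortiOS 7.x style, the MGMT_IPs group name is assumed, and the script treats an absent SSL-VPN status as enabled.

```python
import shlex

# Constructed excerpt of a FortiOS 7.x-style "show full-configuration" export (not
# from a real device): SSL-VPN enabled on wan1 and open to any source, HTTPS
# administration allowed on both interfaces, and local-in policies that restrict
# HTTPS on wan1 to the "MGMT_IPs" address group (an assumed name).
SAMPLE_CONFIG = """\
config vpn ssl settings
    set status enable
    set source-interface "wan1"
    set source-address "all"
end
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port1"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh http
    next
end
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "MGMT_IPs"
        set dstaddr "all"
        set action accept
        set service "HTTPS"
    next
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "HTTPS"
    next
end
"""

def parse_fortios_config(text: str) -> dict:
    """Nest config/edit blocks as dicts; "set k v1 v2" becomes {"k": ["v1", "v2"]}."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(stack[-1].setdefault(line[7:], {}))
        elif line.startswith("edit "):
            stack.append(stack[-1].setdefault(line[5:].strip('"'), {}))
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            stack[-1][key] = shlex.split(value)  # strips the quotes FortiOS adds
        elif line in ("next", "end"):
            stack.pop()
    return root

def _local_in_policies(cfg: dict, intf: str, service: str) -> list:
    """Local-in policies that could match `service` arriving on `intf`."""
    matches = []
    for pol in cfg.get("firewall local-in-policy", {}).values():
        if pol.get("intf", ["any"])[0] not in (intf, "any"):
            continue
        services = {s.upper() for s in pol.get("service", [])}
        if service.upper() in services or "ALL" in services:
            matches.append(pol)
    return matches

def audit_exposure(cfg: dict) -> list:
    """Return (kind, object, message) tuples for the two workarounds in the text."""
    findings = []
    # Workaround 1: SSL-VPN off, or limited to known source addresses. An absent
    # status is treated as enabled (assumption; the export normally shows it).
    ssl = cfg.get("vpn ssl settings", {})
    if ssl.get("status", ["enable"])[0] == "enable" and "all" in ssl.get("source-address", ["all"]):
        iface = ssl.get("source-interface", ["?"])[0]
        findings.append(("sslvpn", iface, "SSL-VPN is enabled on %s and accepts any source "
                         "address; disable it or set source-address to a management group" % iface))
    # Workaround 2: HTTP/HTTPS administration needs a local-in policy that accepts
    # only a management group and another that denies everything else.
    for name, intf in cfg.get("system interface", {}).items():
        for svc in ("http", "https"):
            if svc not in intf.get("allowaccess", []):
                continue
            pols = _local_in_policies(cfg, name, svc)
            allow_mgmt = any(p.get("action", ["deny"])[0] == "accept"
                             and "all" not in p.get("srcaddr", ["all"]) for p in pols)
            deny_rest = any(p.get("action", ["deny"])[0] == "deny"
                            and "all" in p.get("srcaddr", []) for p in pols)
            if not (allow_mgmt and deny_rest):
                findings.append(("admin", name, "%s administration on %s is not restricted "
                                 "by a local-in policy" % (svc.upper(), name)))
    return findings

if __name__ == "__main__":
    for kind, obj, msg in audit_exposure(parse_fortios_config(SAMPLE_CONFIG)):
        print("[%s] %s: %s" % (kind, obj, msg))
```

On the sample it reports the open SSL-VPN on wan1 and both HTTP and HTTPS administration on port1; wan1 passes because policy 1 admits MGMT_IPs and policy 2 denies the rest. A finding on an internal interface is not automatically a problem, but it is exactly the exposure an attacker with a foothold inside the network would look for.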

3. CVE-2022-40684

In October 2022 Fortinet disclosed CVE-2022-40684, an authentication bypass using an alternate path or channel in the administrative interface of FortiOS, FortiProxy and FortiSwitchManager. Fortinet assigned it a severity rating of 9.6 out of 10 (the National Vulnerability Database scores it 9.8), and it was already being exploited when the advisory was published.

On Wednesday, the UK's National Cyber Security Centre (NCSC) warned that over 600 UK-based devices are vulnerable to exploitation in an ongoing Chinese threat campaign. According to NCSC findings, hackers have stolen and published credentials from many of these machines, which have since been infected with advanced custom malware.

This information enabled the attackers to tamper with FortiOS logs and to craft an exploit that granted them full administrative access on infected systems, which they then used to steal credentials from other Fortinet devices on the same network.

According to the NCSC, attackers used this access in the UK to get into a network and send out phishing emails that tricked users into downloading and installing malware. Fortinet released a security advisory in December highlighting the issue and encouraging affected customers to update their devices to the latest patched release.

On Monday, Fortinet issued an updated security advisory confirming that the vulnerability is being actively exploited in the wild. It warns that, if left unpatched, an attacker can bypass authentication on FortiOS, FortiProxy and FortiSwitchManager products using specially crafted HTTP or HTTPS requests to the administrative interface.

According to Fortinet's advisory, malicious actors are exploiting this authentication bypass in FortiOS and FortiProxy to gain administrative access on affected systems. Customers should immediately check their device logs for the indicator of compromise Fortinet published: administrative logins or configuration changes recorded with user="Local_Process_Access", an internal pseudo-user that should never appear as the actor of such events. Fortinet's advisory also lists the user-interface values "Node.js" and "Report Runner" in those log entries as indicators.

Fortinet also strongly recommends network-based detection and proactive threat hunting for signs of post-exploitation, including reviewing system logs for anomalous configuration changes and unusual network behaviour from the appliance.
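The log indicator above, together with the sslvpnd crash events mentioned under CVE-2022-42475, can be checked mechanically. The following Python is an added example, not Fortinet tooling or code from the article: it parses FortiOS key=value event log lines and flags administrative activity recorded under the Local_Process_Access pseudo-user (plus the Node.js and Report Runner user-interface strings Fortinet's advisory also lists) as CVE-2022-40684 indicators, and "Application crashed" events for sslvpnd with "Signal 11 received" as CVE-2022-42475 indicators. The log lines are constructed for the example, with addresses from documentation ranges.

```python
import re
from collections import Counter

# Constructed FortiOS-style event log lines, not output from a real device: a
# normal admin login, a login and a configuration change attributed to the
# "Local_Process_Access" pseudo-user (the CVE-2022-40684 indicator), two sslvpnd
# crashes of the kind Fortinet listed as a CVE-2022-42475 indicator, and a benign
# SSL-VPN tunnel event.
SAMPLE_LOGS = """\
date=2022-10-11 time=09:12:44 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 action="login" status="success" profile="super_admin" msg="Administrator admin logged in successfully from https(10.0.0.5)"
date=2022-10-11 time=09:13:02 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="Local_Process_Access" ui="https(203.0.113.7)" method="https" srcip=203.0.113.7 action="login" status="success" profile="super_admin" msg="Administrator Local_Process_Access logged in successfully from https(203.0.113.7)"
date=2022-10-11 time=09:13:05 type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="Local_Process_Access" ui="Report Runner" action="Edit" cfgpath="system.admin" cfgobj="admin" cfgattr="ssh-public-key1" msg="Edit system.admin admin"
date=2022-12-09 time=23:41:18 type="event" subtype="system" level="critical" vd="root" logdesc="Application crashed" msg="Pid: 2312, application: sslvpnd, Firmware: FortiGate-100F v7.0.8,build0418b0418,220901 (GA.F), Signal 11 received, Backtrace: [0x7f0a1c2b3c4d] [0x7f0a1c2b3d10]"
date=2022-12-09 time=23:41:21 type="event" subtype="system" level="critical" vd="root" logdesc="Application crashed" msg="Pid: 2319, application: sslvpnd, Firmware: FortiGate-100F v7.0.8,build0418b0418,220901 (GA.F), Signal 11 received, Backtrace: [0x7f0a1c2b3c4d] [0x7f0a1c2b3d10]"
date=2022-12-09 time=23:42:00 type="event" subtype="vpn" level="information" vd="root" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" user="jdoe" remip=198.51.100.24 msg="SSL tunnel established"
"""

# FortiOS logs are space-separated key=value pairs; a value is either a bare
# token or a double-quoted string that may contain spaces, commas and colons.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Indicators from Fortinet's advisories: the pseudo-user seen on CVE-2022-40684
# bypasses, the two user-interface strings the same advisory lists, and the
# sslvpnd segfault signature given for CVE-2022-42475.
AUTH_BYPASS_USER = "Local_Process_Access"
AUTH_BYPASS_UIS = {"Node.js", "Report Runner"}
SSLVPND_CRASH_RE = re.compile(r"application:\s*sslvpnd\b.*Signal 11 received")

def parse_fortios_log(line: str) -> dict:
    """Split one FortiOS log line into a {key: value} dict (keys lower-cased)."""
    fields = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key.lower()] = value
    return fields

def detect_fortios_iocs(log_text: str) -> list:
    """Scan log text and return one finding dict per matching line."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        ev = parse_fortios_log(line)
        ui = ev.get("ui") or ev.get("user_interface")
        if ev.get("user") == AUTH_BYPASS_USER or ui in AUTH_BYPASS_UIS:
            findings.append({"cve": "CVE-2022-40684", "line": lineno,
                             "srcip": ev.get("srcip"),
                             "detail": ev.get("msg") or ev.get("logdesc", "")})
        elif (ev.get("logdesc") == "Application crashed"
              and SSLVPND_CRASH_RE.search(ev.get("msg", ""))):
            findings.append({"cve": "CVE-2022-42475", "line": lineno,
                             "srcip": None, "detail": ev["msg"]})
    return findings

def summarize(findings: list) -> dict:
    """Count findings per CVE. Several sslvpnd crashes close together are the
    stronger CVE-2022-42475 signal; a single one may be an unrelated bug."""
    return dict(Counter(f["cve"] for f in findings))

if __name__ == "__main__":
    hits = detect_fortios_iocs(SAMPLE_LOGS)
    for hit in hits:
        print("%s line %d src=%s: %s" % (hit["cve"], hit["line"], hit["srcip"], hit["detail"][:60]))
    print(summarize(hits))
```

Run it over a syslog export or the device's own event log. A hit on Local_Process_Access is actionable on its own; for the crash signature, a cluster of sslvpnd segfaults, especially one followed by unexpected SSL-VPN or administrative activity, is what should trigger an incident, since a single crash can be an ordinary bug.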

An effective incident management plan for dealing with the aftermath of an attack is critical to protecting an organisation from further compromise. Fortinet's incident response services offer a team of experienced specialists to respond to and contain an attack as quickly as possible.

4. CVE-2023-25610

Mandiant has reported that an unknown threat actor used a zero-day flaw in Fortinet FortiOS SSL-VPN to launch targeted attacks against government entities. That attack exploited the heap-based buffer overflow described above (CVE-2022-42475), which Fortinet had fixed in a November release without mentioning it in the release notes.

CVE-2023-25610 itself is a separate flaw: a buffer underwrite in the administrative interface of FortiOS and FortiProxy, with a CVSS score of 9.3, that may allow an unauthenticated remote attacker to execute arbitrary code on the device, or crash its GUI, via specially crafted requests. Fortinet warned that a compromised system could allow malicious actors to "do pretty much anything."

Security appliances are the last place organizations want to be vulnerable, because defenders have limited visibility into what runs on them. In this instance, Mandiant reports that a flaw in the FortiOS operating system allowed a suspected China-nexus actor to plant backdoors that gave them persistent access to and control over affected devices.

Mandiant published an analysis of BOLDMOVE, the backdoor deployed after exploitation. It is written in C and exists in Windows and Linux variants; the Linux variant is tailored to run on FortiOS devices and stays resident after the initial exploit. Once active, the backdoor receives commands from a command-and-control (C2) server, surveys the system, sends network requests to internal Fortinet services and relays traffic through the compromised device.

The FortiOS-specific variant also helps the operator stay hidden: it can alter the device's logging behaviour or disable the logging daemons outright (Mandiant named miglogd and syslogd), making it harder for defenders to reconstruct the extent of an attack. Relaying malicious traffic through the compromised appliance gives attackers a further avenue into the networks behind it.

Mandiant described the flaw as a "significant vulnerability" with an "extraordinarily large impact," and sees it as part of an emerging trend in which China-nexus actors use internet-facing security devices to penetrate government organizations and other critical infrastructure entities and gain access to sensitive data.

Ammar Fakhruddin

ABOUT AUTHOR

Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.

