Patched Fortinet flaw still being exploited by Chinese hackers

February 2, 2023 - TuxCare PR Team

Chinese hackers were discovered using a recently discovered flaw in Fortinet’s FortiOS software as a zero-day vulnerability to distribute malware.

CVE-2022-42475 (CVSS score of 9.8) is a buffer overflow vulnerability that could be exploited by remote, unauthenticated attackers to execute code or commands via crafted requests. FortiOS SSL-VPN versions 7.2.0 – 7.2.2, 7.0.0 – 7.0.8, 6.4.0 – 6.4.10, 6.2.0 – 6.2.11, and 6.0.15 and earlier, as well as FortiProxy SSL-VPN versions 7.2.0 – 7.2.1, and 7.0.7 and earlier, are affected by the flaw.

The new malware has been identified as “BOLDMOVE” by Mandiant. It went on to say that it discovered a Windows variant of BOLDMOVE as well as a Linux variant that is specifically designed to run on FortiGate Firewalls. The hackers, who are thought to be state-sponsored, are exploiting the vulnerability to deliver malware and gain access to sensitive data.

BOLDMOVE is intended to perform a system survey and is capable of receiving commands from a command-and-control (C2) server, allowing attackers to perform file operations, launch a remote shell, and relay traffic through the infected host.

“We believe that this is the latest in a series of Chinese cyber espionage operations that have targeted internet-facing devices and we anticipate this tactic will continue to be the intrusion vector of choice for well-resourced Chinese groups,” Mandiant said on its website.

“With BOLDMOVE, the attackers not only developed an exploit, but malware that shows an in-depth understanding of systems, services, logging, and undocumented proprietary formats,” the threat intelligence firm said.

Mandiant stated that it has not directly observed the vulnerability being exploited; however, samples of the BOLDMOVE Linux variant have a hard coded C2 IP address that Fortinet identified as being involved in the exploitation, implying that CVE-2022-49475 was exploited to deliver BOLDMOVE. Mandiant also revealed a Windows version in addition to the Linux version. BOLDMOVE for Windows appears to have been compiled as early as 2021. However, Mandiant has not seen this malware in action, so it is unknown how it was used. This post includes an in-depth analysis of the malware.

The malware, written in C, is said to come in both Windows and Linux flavors, with the latter capable of reading data from a Fortinet-exclusive file format. The backdoor’s Windows variants were compiled as far back as 2021, according to metadata analysis, though no samples have been found in the wild.

The sources for this piece include an article in BleepingComputer.

Summary