February 4, 2023

According to a recent Mandiant report, a Chinese threat actor is using malware and exploiting a previously patched vulnerability in Fortinet FortiOS SSL-VPN, which it had used as a zero-day.

The malware, dubbed BOLDMOVE, was discovered in December 2022. Further investigation revealed that the threat actor exploited the vulnerability tracked as CVE-2022-42475.

The backdoor was specifically designed to run on Fortinet FortiGate firewalls. The activity aims to conduct cyber-espionage operations against government entities or those associated with them.

The backdoor is written in C and has two versions, one for Windows and one for Linux, the latter of which the adversary has probably customized for FortiOS. When the Linux version is executed, it tries to connect to a hardcoded C2 server.

It then collects information about the system and sends the details to the C2 server. Instructions are then relayed back to the malware, after which the adversary gains complete remote control of the impacted FortiOS device.

The malware’s core functions, such as downloading additional files or opening a reverse shell, are fairly typical. The customized Linux version is more dangerous because it can manipulate some features specific to FortiOS.

The malicious activity started in October 2022, around two months before Fortinet released fixes. The bug allowed an unauthenticated attacker to execute arbitrary code on the compromised system and is present in several versions of FortiOS and FortiProxy.

The exploitation activity fits the Chinese pattern of targeting internet-exposed devices, mainly those used for managed security purposes such as IDS appliances and firewalls. This confirms the involvement of China-based threat actors.

Indicators of Compromise

