September 25, 2023

Mandiant researches came with a latest report, a Chinese threat actor is using malware and exploiting a previously patched vulnerability found in Fortinet FortiOS SSL-VPN as a zero-day.

The malware dubbed BOLDMOVE, was discovered in December 2022. Further probe revealed that the threat actor exploited the vulnerability tracked as CVE-2022-42475.

The backdoor was specifically designed to run on Fortinet FortiGate firewalls. The activity aims to conduct cyber-espionage operations against government entities or those associated with them.

Advertisements

The backdoor is written in C and has two versions, one for Windows and the other a Linux, which the adversary has probably customized for FortiOS. When the Linux version is executed, it tries to connect to a hardcoded C2 server.

It then collects information about the system and shares the details with C2 server. Then the instructions are relayed to the malware, after which the adversary gains complete remote control of the impacted FortiOS device.

The malware’s core functions, like the capability of downloading additional files or opening a reverse shell, are pretty typical. The customized Linux version is more dangerous as it can manipulate some features specific to the FortiOS.

The malicious activity started in October 2022, around two months before Fortinet released fixes. This bug allowed an unauthenticated attacker to execute arbitrary code on the compromised system and present it in different versions of the FortiOS and FortiProxy technologies

The exploit activity showcased the Chinese pattern of exploiting internet-exposed devices, mainly those used for managed security purposes like IDS appliances and firewalls. This confirms the involvement of Chinese based threat actors.

Advertisements

Indicators of Compromise

  • Basic BOLDMOVE
    • MD5: 12e28c14bb7f7b9513a02e5857592ad7
    • SHA256: 3da407c1a30d810aaff9a04dfc1ef5861062ebdf0e6d0f6823ca682ca08c37da
  • Extended BOLDMOVE
    • MD5: 3191cb2e06e9a30792309813793f78b6
    • SHA256: 0184e3d3dd8f4778d192d07e2caf44211141a570d45bb47a87894c68ebebeabb
  • Windows version of BOLDMOVE
    • MD5: 54bbea35b095ddfe9740df97b693627b
    • SHA256: 61aae0e18c41ec4f610676680d26f6c6e1d4d5aa4e5092e40915fe806b679cd
Tags:

Leave a Reply

You may have missed

BlackCat adds Clarion to its Victim list

September 24, 2023

TheCyberThrone Security Week In Review – September 23, 2023

September 24, 2023

MGM Resorts and Ceasars Attacks – Lesson Learnt

September 23, 2023

CISA KEV Update September 2023 – Part II

September 23, 2023

Air Canada Reveals Data Exposure due to a Cyberattack

September 23, 2023

SandMan APT Group in action against Telcos

September 22, 2023
%d bloggers like this: