Mandiant recently reported that a group of hackers originating from China utilized a vulnerability within FortiOS SSL-VPN that had only recently been discovered, and marked as a zero-day exploit, in December.
The hackers targeted both a government organization in Europe and an African-based managed service provider with a new, specifically designed malware called ‘BOLDMOVE’ that is capable of infecting both Linux and Windows operating systems.
The vulnerability, designated as CVE-2022-42475, was addressed by Fortinet in November without any public announcement.
However, in December, Fortinet made the vulnerability publicly known and urged their customers to take action in patching their devices, as it had been discovered that malicious actors were actively taking advantage of the flaw.
An unauthenticated attacker can exploit the flaw remotely and gain remote code execution capabilities or crash targeted devices from a remote location.
It was only recently that Fortinet provided further insights into how the vulnerability was exploited. They revealed that malicious actors had been targeting government organizations by utilizing custom-made malware, tailored to function on FortiOS devices, specifically.
The hackers aimed to maintain a foothold on the targeted devices by utilizing the custom malware to manipulate the FortiOS logging processes. The malware was programmed to patch the logging processes so as to remove certain entries or disable the logging altogether, in order to evade detection.
In December 2022, Mandiant discovered the BOLDMOVE backdoor which was being used to Exploit FortiOS Zero-Day (CVE-2022-4947) vulnerability.
The malware BOLDMOVE, which is written in the programming language C, has versions that can run on both Windows and Linux operating systems. The Linux variant of the malware specifically targets Fortinet devices, as it is able to read data from a file that is specific to Fortinet.
Several versions of the BOLD MOVE have been identified by Mandiant, varying in their capabilities, but a core set of features continues to be present in all samples, including the following:-
BOLDMOVE supports a number of commands that allow threat actors to perform the following things remotely:-
It is believed that the Windows version of the malware was compiled almost a year before the Linux version in 2021. This is almost a year earlier than the Linux version, but both of them operate with different libraries.
All the functionality outlined above is available in the extended version of BOLDMOVE, along with a number of new functions. Moreover, the Execution Guardrails (T1480) is included in the extended version, which verifies that a specific path is used for execution.
As a result, the following steps are taken to accomplish this goal:-
It is important to note that the Linux version of the software has a significant feature that allows it to work with FortiOS devices specifically, as opposed to the Windows version, and it’s one of the most significant differences between them.
Network Security Checklist – Download Free E-Book
Zero Trust is a security framework that operates under the assumption that no implicit trust…
Orange Cyberdefense has announced the development of InvokeADCheck, a new PowerShell module designed to streamline…
Traffic Distribution Systems (TDS) have emerged as critical tools for both legitimate and malicious purposes,…
Cybercriminals are evolving their phishing methods, employing more sophisticated social engineering tactics to deceive their…
Trend Micro's Managed XDR team has recently investigated a sophisticated Business Email Compromise (BEC) attack…
Kudelski Security Research recently published an article detailing advanced methods for tracking and analyzing threat…