Saturday, June 15, 2024

FortiOS SSL-VPN Zero-day Flaw Exploited to Attack Government Organizations

There have been a number of attacks against government organizations and government-related targets using FortiOS SSL-VPN zero-day vulnerabilities patched by Fortinet last month that have been exploited by unknown attackers.

A security flaw (CVE-2022-42475) was exploited in these incidents to empower attackers to gain remote code execution and crash targeted devices remotely.

This vulnerability can be attributed to a heap-based buffer overflow found in the FortiOS SSLVPNd application.

The network security company quietly fixed the bug on November 28th by releasing a new version (7.2.3) of the software that addressed the vulnerability. 

While in mid-December, the company urged its customers to download and install this patch to protect against the ongoing attacks that were exploiting the vulnerability without making noise.

The network security company first informed their customers about the vulnerability through a TLP: Amber advisory on the 7th of December, a confidential notification meant for restricted distribution. 

They later made additional information about the vulnerability available to the public on December 12, along with an alert that the vulnerability was being actively exploited and targeted by attackers in ongoing attacks.

Products Affected By Vulnerability

Here below we have mentioned the complete list of affected products:-

  • FortiOS version 7.2.0 through 7.2.2
  • FortiOS version 7.0.0 through 7.0.8
  • FortiOS version 6.4.0 through 6.4.10
  • FortiOS version 6.2.0 through 6.2.11
  • FortiOS version 6.0.0 through 6.0.15
  • FortiOS version 5.6.0 through 5.6.14
  • FortiOS version 5.4.0 through 5.4.13
  • FortiOS version 5.2.0 through 5.2.15
  • FortiOS version 5.0.0 through 5.0.14
  • FortiOS-6K7K version 7.0.0 through 7.0.7
  • FortiOS-6K7K version 6.4.0 through 6.4.9
  • FortiOS-6K7K version 6.2.0 through 6.2.11
  • FortiOS-6K7K version 6.0.0 through 6.0.14
  • FortiProxy version 7.2.0 through 7.2.1
  • FortiProxy version 7.0.0 through 7.0.7
  • FortiProxy version 2.0.0 through 2.0.11
  • FortiProxy version 1.2.0 through 1.2.13
  • FortiProxy version 1.1.0 through 1.1.6
  • FortiProxy version 1.0.0 through 1.0.7

Abused Zero-day to Target Networks of Government

It was found that the attacks of the threat actor were highly targeted, with the investigation indicating that the priority networks were those of the government.

Upon examination, the Windows sample linked to the attacker exhibited signs of being constructed on a computer in the UTC+8 timezone. This timezone encompasses various countries such as:- 

  • Australia
  • China
  • Russia
  • Singapore
  • Other Eastern Asian countries

They are suggesting that the attacker may be located in one of these regions. However, it’s important to note that this information is not definitive proof of the attacker’s location.

In order to achieve long-term access to the network, malicious actors focused heavily on avoiding detection. 

They leveraged the vulnerability to install malware that modifies FortiOS logging processes to delete specific logs or stop logging altogether, in order to conceal their activities.

There are the following artifacts present in the file system:-

  • /data/lib/libips.bak
  • /data/lib/
  • /data/lib/
  • /data/lib/
  • /data/lib/
  • /var/.sslvpnconfigbk
  • /data/etc/wxd.conf
  • /flash

According to further analyses of the malware installed on compromised appliances, malicious payloads included in the malware also disrupted the security violation detection capability of the compromised devices’ IPS, which constantly monitors network traffic to detect threats and block them whenever security breaches take place.


Here below we have mentioned the available solutions:-

  • Please upgrade to FortiOS version 7.2.3 or above
  • Please upgrade to FortiOS version 7.0.9 or above
  • Please upgrade to FortiOS version 6.4.11 or above
  • Please upgrade to FortiOS version 6.2.12 or above
  • Please upgrade to FortiOS version 6.0.16 or above
  • Please upgrade to upcoming FortiOS-6K7K version 7.0.8 or above
  • Please upgrade to FortiOS-6K7K version 6.4.10 or above
  • Please upgrade to FortiOS-6K7K version 6.2.12 or above
  • Please upgrade to FortiOS-6K7K version 6.0.15 or above
  • Please upgrade to FortiProxy version 7.2.2 or above
  • Please upgrade to FortiProxy version 7.0.8 or above
  • Please upgrade to upcoming FortiProxy version 2.0.12 or above

While for workaround availability, users have to Disable SSL-VPN. In order to protect their systems from attack attempts, Fortinet advises customers to make sure their FortiOS installation is up to date with the latest patch and contact its support team if they discover any IOCs related to attacks that occurred in December.

Network Security Checklist – Download Free E-Book


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles