FortiOS SSL-VPN vulnerability is being exploited to target governments, even after being patched

A vulnerability in Fortinet’s FortiOS SSL-VPN feature that was recently patched this Monday is now being used to target governments. The vulnerability is tracked as CVE-2022-4247, with a severity score of 9.3.

The bug was disclosed on December 12, with Fortinet recommending that customers disable the SSL-VPN feature as a countermeasure, before privately informing some customers of the attacks and of the availability of patches.

It is a heap-based buffer overflow that allows a remote attacker to execute malicious code or commands via specially crafted web requests. Fortinet also reported that an exploit was available in the wild.

Initial assumptions about threat actors exploiting the vulnerability placed suspicions on ransomware groups, as pointed out by security researcher Kevin Beaumont on Mastodon. However, further investigation revealed that a state-sponsored actor was likely behind the exploits, posing as a ransomware group. 

The attacks are highly targeted and deliver follow-on payloads containing a variant of a generic Linux malware adapted to compromise the FortiOS operating system. Analysis of some captured payloads indicated that the attackers were executing commands, manipulating FortiOS’ logging features and downloading further malicious programs.

The malware patches the FortiOS logging process so that it can alter logs. It can also kill the logging process entirely, which makes detection and remediation difficult.
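The log-tampering behaviour described above has a simple defender-side consequence: a device whose logging process has been killed goes quiet at the remote collector. The following added example (not code from the article or from Fortinet) flags silent periods in a FortiGate-style syslog feed; the log lines, device name and thresholds are constructed for illustration.

```python
"""Flag silent periods in a FortiGate's remote syslog feed (added example).

Not code from the article or from Fortinet. The implant described above can
patch or kill the FortiOS logging process; a device that suddenly stops
sending events to its collector is one defender-side signal of that.
All log lines below are constructed, in FortiOS key=value syslog style.
"""
from datetime import datetime
import re

# Constructed sample: steady logging, then a 73-minute silence.
SAMPLE_LOGS = """\
date=2022-12-14 time=09:58:00 devname="fgt-edge-1" logid="0100032001" type="event" subtype="system" msg="Admin login successful"
date=2022-12-14 time=10:00:00 devname="fgt-edge-1" logid="0101039424" type="event" subtype="vpn" msg="SSL-VPN tunnel up"
date=2022-12-14 time=10:02:00 devname="fgt-edge-1" logid="0100032002" type="event" subtype="system" msg="Admin logout"
not a log line at all
date=2022-12-14 time=11:15:00 devname="fgt-edge-1" logid="0100032001" type="event" subtype="system" msg="Admin login successful"
"""

_TS = re.compile(r'date=(\d{4}-\d{2}-\d{2}) time=(\d{2}:\d{2}:\d{2}) devname="([^"]+)"')

def parse_timestamps(text):
    """Map devname -> sorted event timestamps; lines lacking the expected fields are skipped."""
    per_dev = {}
    for line in text.splitlines():
        m = _TS.search(line)
        if m:
            ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y-%m-%d %H:%M:%S")
            per_dev.setdefault(m.group(3), []).append(ts)
    return {dev: sorted(v) for dev, v in per_dev.items()}

def find_silent_periods(text, max_gap_seconds, now=None):
    """Return [(devname, gap_start, gap_end, seconds)] for gaps longer than max_gap_seconds.

    `now` (ISO 8601 string) lets a still-open trailing gap be reported: a killed
    logging process never emits a final event that would close the gap.
    """
    alerts = []
    for dev, stamps in parse_timestamps(text).items():
        points = stamps + ([datetime.fromisoformat(now)] if now else [])
        for a, b in zip(points, points[1:]):
            secs = int((b - a).total_seconds())
            if secs > max_gap_seconds:
                alerts.append((dev, a, b, secs))
    return alerts

if __name__ == "__main__":
    for dev, start, end, secs in find_silent_periods(SAMPLE_LOGS, 900, now="2022-12-14 12:00:00"):
        print(f"{dev}: silent {start} -> {end} ({secs}s)")
```

Pass the collector's current time as `now` when running this on a schedule, so that a device that has been silent since its last event is reported rather than waiting for an event that may never come.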

Overall, Fortinet appears to be dealing with a rather advanced threat actor, one with a good understanding of FortiOS and of how the underlying hardware works. The use of custom implants further bolsters the threat actor’s capabilities.

Fortinet does not know who this threat actor might be at the time of writing. However, captured Windows samples were compiled on a machine in the UTC+8 timezone, which suggests that the threat actor might be based out of Australia, China, Russia, Singapore or other Eastern Asian countries.