Following Fortinet’s disclosure of a severe vulnerability in its FortiOS SSL-VPN feature, Mandiant researchers have discovered a China-based campaign believed to have exploited this vulnerability as a zero-day.
As part of their investigation, researchers have discovered a new malware dubbed ‘Boldmove’, specifically designed to target FortiGate firewalls. So far, Windows and Linux variants have been discovered. Both are written in C, and the Linux version seems to be made to run on Fortinet devices, at least in part, as it reads data from a file exclusive to Fortinet devices.
While Mandiant hasn’t directly seen the malware exploit the vulnerability, it does include hardcoded Command and Control (C2) IP addresses that have previously been involved with the vulnerability’s exploitation, indicating that the bug was in fact exploited to deliver the malware to targeted systems.
After executing on an infected system, the malware attempts to connect to a hardcoded C2 server and relays important system information back to the attacker if the connection is successful. The operators can then use this backdoor to eventually gain full system access as well as to deploy additional malware.
While the capabilities mentioned above are usually found in malware of this kind, the Linux variant of Boldmove can also manipulate specific features of FortiOS, something that requires an in-depth understanding of the product and is not usually seen in malware.
The malware was discovered in December 2022, and telemetry data suggests that exploitation was taking place as early as October 2022. Targets included a managed services provider in Africa as well as a government entity in Europe.
Currently, Mandiant has associated the bug with Chinese threat actors with low confidence, as China-based threat actors have previously shown interest in targeting network devices. The geographical and sector targeting is also consistent with previous Chinese operations.
As for the vulnerability itself, it’s tracked as CVE-2022-42475, with a severity score of 9.3. The bug was disclosed on December 12, with Fortinet suggesting disabling the SSL-VPN feature as a countermeasure before privately informing some customers of the attacks and the availability of patches.
It’s a heap-based buffer overflow vulnerability and allows a remote attacker to execute malicious code or commands using specially crafted web requests. Fortinet had also reported that the exploit was available in the wild.
Initial assumptions about threat actors exploiting the vulnerability placed suspicions on ransomware groups, as pointed out by security researcher Kevin Beaumont on Mastodon. However, further investigation revealed that a state-sponsored actor was likely behind the exploits, posing as a ransomware group.