In December 2022, security company Mandiant, now a Google Cloud company, identified a FortiOS malware written in C that exploited the CVE-2022-42475 FortiOS vulnerability. According to Mandiant, the malware, which it has termed BOLDMOVE, exists in both Linux and Windows variants.
What is the CVE-2022-42475 vulnerability?
This critical vulnerability affects FortiOS, an operating system developed by Fortinet, and consists of a heap-based buffer overflow in FortiOS SSL-VPN which may allow an attacker to execute code or commands via specially crafted requests. The vulnerability was patched by Fortinet three days after its discovery but was used by at least one threat actor prior to the patching.
A detailed analysis of the vulnerability done by Fortinet reveals that “the complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets.”
Security researcher Kevin Beaumont also reported that a ransomware group is exploiting it, without further details though.
How does BOLDMOVE work?
The Windows version, although not seen used in the wild, appears to have been compiled as early as 2021. It is possible the malware was used in the wild since that time, without containing any exploitation of CVE-2022-42475. Only the Linux version of the malware triggers that exploit.
The Linux version of the malware, when executed, performs a system survey and enables communications with a hardcoded command-and-control server. It can also execute shell commands or relay network traffic. Different versions of the malware have been found by the researchers, with at least one variant able to “alter specific behaviors and functionalities of Fortinet devices, namely FortiGate Firewalls.”
SEE: The rise of Linux malware: 9 tips for securing the OSS (TechRepublic)
The system survey done by the malware collects several pieces of information, including the operating system version, the host name, network interface information, the user ID of the backdoors process and the process ID of the malware process.
As for the functionalities supported by the malware, every expected functionality for a backdoor is here, including list/create/delete directories or files, execute shell commands with or without sending back the output to the attacker, and provide network relay capabilities.
The backdoor also has extended features such as verifying that it is executed only from a particular path and disabling Fortinet daemons miglogd and syslogd in a probable attempt to disable logging capabilities on the affected devices.
Further, the malware enables the attacker to remove or modify parts of the proprietary Fortinet logs on the system.
The Chinese lead
Mandiant assesses with low confidence that the operation has ties to the People’s Republic of China. Historically, the Chinese clusters of cyberespionage threat actors have always shown a particular interest in targeting network appliances and devices and their operating systems. Chinese threat actors compromised Pulse Secure VPN appliances in the past or exploited zero-day vulnerabilities in SonicWall Email Security Product.
The compiled timestamps of the malware variants reveal a probable development of the malware in the UTC+8 time zone, which includes Australia, China, Russia, Singapore and other Eastern Asian countries, on a machine configured to display Chinese characters.
A specific buffer used by the malware varies from Windows to Linux versions. The Windows value of it is “utf-8,” which indicates the buffer designates the character encoding. The Linux version shows “gbk” instead, which is an extension of a Chinese character set.
The geographic location of the targets is also consistent with previous Chinese operations, according to Mandiant.
A threat that is difficult to detect
Mandiant researchers report on the growing number of managed, internet-facing devices targeted by Chinese threat actors. Attacks via those devices are very difficult to detect, as defenders often have little to no information on those devices — some of them not even having any logging system.
Network devices are most often blind spots not covered by security solutions and allow attackers to hide there and stay undiscovered for long periods in addition to providing a persistent foothold on a targeted network.
Those systems should always be updated and patched, without delay, and logging should be enabled when possible and exported to security tools for detection and analysis. In a more general case, it is advised to always have all systems and their software updated and patched to avoid compromises via common vulnerabilities.
Although it is difficult to detect compromises on network devices and appliances, attackers still need to operate on the other parts of the compromised network; thus, endpoints and servers should be carefully checked for anomalous events.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
