Attackers deploy sophisticated Linux implant on Fortinet network security devices

In December network security vendor Fortinet disclosed that a critical vulnerability in its FortiOS operating system was being exploited by attackers in the wild. This week, after additional analysis, the company released more details about a sophisticated malware implant that those attackers deployed through the flaw.

Based on currently available information, the original zero-day attack was highly targeted to government-related entities. However, since the vulnerability has been known for over a month, all customers should patch it as soon as possible as more attackers could start using it.

Remote code execution in FortiOS SSL-VPN

The vulnerability, tracked as CVE-2022-42475, is in the SSL-VPN functionality of FortiOS and can be exploited by remote attackers without authentication. Successful exploitation can result in the execution of arbitrary code and commands.

Fortinet rated the vulnerability 9.3 (Critical) on the CVSS scale and released updates to major variants of FortiOS, FortiOS-6K7K and FortiProxy, the company’s secure web gateway product. FortiOS runs on the company’s FortiGate network security firewalls and other appliances.

One workaround for customers who can’t immediately deploy the updates is to disable SSL-VPN entirely, which might be difficult for organizations that rely on this functionality to support their remote or hybrid work environments. Fortinet has also released an IPS (intrusion prevention system) signature for detecting exploit attempts, as well as detection rules for the known implant in its antivirus engine.

Customers can also search their logs for the following entries which could indicate exploitation attempts:

Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]”

Implant hiding as Trojanized version of FortiOS IPS Engine

In the attack analyzed by Fortinet, the attackers exploited the vulnerability and copied a Trojanized version of the FortiOS IPS Engine to the filesystem. This indicates the attackers are highly skilled and capable of reverse engineering custom FortiOS components.

The rogue version of the IPS Engine was saved on the filesystem as /data/lib/libips.bak and is a copy of the legitimate /data/lib/libips.so but with malicious modifications. Namely, the rogue version exports two legitimate functions called ips_so_patch_urldb and ips_so_query_interface that are normally part of the legitimate libips.so, but hijacks them to execute code stored in other malicious components.

“If libps.bak is named libips.so in the /data/lib directory, the malicious code will be executed automatically as components of FortiOS will call these exported functions,” the Fortinet analysts said. “The binary does not attempt to return to the clean IPS engine code, so IPS functionality is also compromised.”

In other words, once the malicious version is executed, the legitimate IPS functionality no longer works correctly. The hijacked functions execute malicious code which then reads and writes to a number of files called libiptcp.so, libgif.so, .sslvpnconfigbk, and libipudp.so.

The analysts were not able to recover all these files from the compromised appliance they analyzed, so the full attack chain is not known. However, they did find a file called wxd.conf whose contents are similar to the config file for an open-source reverse proxy that can be used to expose a system behind NAT to the internet.

Analysis of network packet captures from the appliance suggested the malware connected two external attacker-controlled servers to download additional payloads and commands to execute. One of the servers was still in operation and had a folder containing binaries built specifically for different FortiGate hardware versions. This allowed the researchers to analyze additional files they believe attackers executed on the systems to manipulate the logging functionality in FortiOS.

According to the researchers:

• The malware patches the logging processes of FortiOS to manipulate logs to evade detection. – /bin/miglogd & /bin/syslogd.
• It includes offsets and opcodes for 27 FortiGate models and version pairs. The malware opens a handle to the processes and injects data into them.
• Versions range from 6.0.5 to 7.2.1.
• Models are FG100F, FG101F, FG200D, FG200E, FG201F, FG240D, FG3H0E, FG5H0E, FG6H1E, FG800D, FGT5HD, FGT60F, FGT80F.
• The malware can manipulate log files. It searches for elog files, which are logs of events in FortiOS. After decompressing them in memory, it searches for a string the attacker specifies, deletes it, and reconstructs the logs.
• The malware can also kill the logging processes. 

The researchers also found a sample on the VirusTotal online scanner of a Windows binary that has code similarities to the Linux binary found on FortiOS. That Windows sample was compiled on a machine in the UTC+8 timezone, which includes Australia, China, Russia, Singapore, and other Eastern Asian countries. The self-signed certificates used by the attackers were also created between 3 and 8 am UTC. “It is difficult to draw any conclusions from this given hackers do not necessarily operate during office hours and will often operate during victim office hours to help obfuscate their activity with general network traffic,” the researchers said.

The Fortinet advisory contains many indicators of compromise, including file paths, file hashes, IP addresses, and even signatures to detect malicious communication by this implant inside network packet captures.