Last fall, Chinese hackers exploited a vulnerability in FortiOS SSL-VPN as a 0-day in attacks on European government agencies and an unnamed managed service provider (MSP) in Africa. The vulnerability was used to deliver custom Boldmove malware for Linux and Windows.
Mandiant specialists said that the attackers exploited CVE-2022-42475, a heap-based buffer overflow in FortiOS sslvpnd that allows unauthenticated remote code execution on vulnerable devices.
Fortinet engineers fixed the bug on November 28, 2022, by quietly releasing FortiOS 7.2.3, but at the time they did not disclose that the vulnerability was a 0-day already being exploited. It was not until December that Fortinet released security bulletin FG-IR-22-398, publicly warning customers that the vulnerability was under active exploitation and that everyone should install the updates as soon as possible.
Mandiant analysts now report that the vulnerability has been used in attacks since October 2022. The attackers sought to gain a foothold on vulnerable devices using custom malware for FortiOS which, among other things, tampered with logging by deleting specific entries or disabling logging in FortiOS altogether.
In their report, the researchers describe the malware, named Boldmove, in great detail. It is a full-featured backdoor written in C that gives the operator control of the device, and the Linux version is specifically designed to run on FortiOS devices.
The commands supported by Boldmove let operators remotely manage files, execute commands, create interactive shells, and control the backdoor itself. The Windows and Linux versions are essentially the same but use different libraries, and Mandiant believes the Windows version was compiled in 2021, almost a year before the Linux version.
The experts found several versions of Boldmove with differing capabilities, but all of the samples shared a single set of basic functions:
- system surveillance;
- receiving commands from the control server;
- creating a remote shell on the host;
- relaying traffic through the compromised device.
The most significant difference between the Linux and Windows versions is that the Linux version has features aimed specifically at FortiOS devices. For example, as noted above, this version can alter the Fortinet logs on a compromised system or completely disable the logging daemons (miglogd and syslogd), which makes it difficult to trace the attack.
In addition, this version of Boldmove can send requests to Fortinet internal services, which lets the attackers issue network requests across the internal network and spread the infection to other devices.
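Because the backdoor silences the device's own logging daemons, a defender's most reliable signal is the absence of logs at the central collector rather than anything the device reports. The following added example (not code from Mandiant or Fortinet) scans forwarded log records, grouped per device, for silences longer than a threshold and for devices that have stopped reporting altogether; the record format and the sample lines are constructed for this example, not Fortinet's real log schema.

```python
from datetime import datetime, timedelta

# Constructed sample records: "<UTC timestamp> <device> <message>".
# Device fgt-edge-1 falls silent for over three hours; fgt-edge-2 reports
# normally until 08:10 and then stops entirely. Lines are deliberately
# out of order to mimic collector delivery.
SAMPLE_LOGS = """\
2022-10-14T08:00:05Z fgt-edge-1 type=traffic action=accept
2022-10-14T08:01:10Z fgt-edge-2 type=traffic action=accept
2022-10-14T08:05:30Z fgt-edge-1 type=event msg="admin login"
2022-10-14T08:06:00Z fgt-edge-2 type=traffic action=deny
2022-10-14T11:20:00Z fgt-edge-1 type=traffic action=accept
2022-10-14T08:10:00Z fgt-edge-2 type=traffic action=accept
"""

def _timestamps_by_device(log_text):
    """Group record timestamps per device, sorted, ignoring blank lines."""
    by_device = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, device, _msg = line.split(" ", 2)
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        by_device.setdefault(device, []).append(stamp)
    for stamps in by_device.values():
        stamps.sort()  # tolerate out-of-order delivery without false gaps
    return by_device

def find_logging_gaps(log_text, max_gap=timedelta(minutes=15)):
    """Return (device, gap_start, gap_end, seconds) for every silence
    between two consecutive records of one device longer than max_gap."""
    gaps = []
    for device, stamps in _timestamps_by_device(log_text).items():
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev > max_gap:
                gaps.append((device, prev, cur, int((cur - prev).total_seconds())))
    return gaps

def silent_devices(log_text, now, max_gap=timedelta(minutes=15)):
    """Devices whose newest record is older than max_gap relative to `now`.
    A device whose logging was disabled for good never produces a pair of
    records to compare, so this check complements find_logging_gaps."""
    return sorted(
        device for device, stamps in _timestamps_by_device(log_text).items()
        if now - stamps[-1] > max_gap
    )

if __name__ == "__main__":
    for device, start, end, secs in find_logging_gaps(SAMPLE_LOGS):
        print(f"{device}: no records from {start} to {end} ({secs} s)")
    print("silent now:", silent_devices(SAMPLE_LOGS, datetime(2022, 10, 14, 11, 30)))
```

Thresholds should be tuned to each device's normal log volume, and a gap is only evidence, so the next step is to pull the device's configuration and running version for review.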
Chinese hackers will continue to target internet-facing devices such as firewalls and IPS/IDS appliances because they offer easy network access, the researchers said. Mandiant notes that the built-in security mechanisms on such devices do not work very well.