Researchers who recently disclosed and patched the zero-day vulnerability in Fortinet's FortiOS SSL-VPN technology have identified a new backdoor, specifically created in order to run on Fortinet’s FortiGate firewalls.
Initial evidence collected by Google-owned security firm Mandiant suggests that the exploitation occurred in October 2022, nearly two months before the vulnerability was patched. Targets included a government entity in Europe and a managed services provider in Africa.
According to a report published by Mandiant, the malware appears to have been created by a China-based threat actor that conducts cyber-espionage operations against individuals and groups associated with the government.
It is the most recent instance of attackers from the country attacking firewalls, IPS, IDS, and other technologies used by businesses to secure their networks that are internet-facing.
BoldMove Backdoor
The attacks involved the use of a sophisticated backdoor known as BOLDMOVE, a Linux variant created especially to run on Fortinet's FortiGate firewalls.
The intrusion vector in question is the exploitation of CVE-2022-42475, a heap-based buffer overflow flaw in FortiOS SSL-VPN that could allow for unauthenticated remote code execution through carefully constructed requests.
Earlier this month, Fortinet revealed that the unidentified hacking groups had taken advantage of the flaw to attack governments and other major institutions with a generic Linux implant capable of delivering additional payloads and carrying out remote server commands.
Mandiant findings also indicate that the hackers managed to exploit the zero-day vulnerability to their advantage, accessing target networks for espionage operations. "With BOLDMOVE, the attackers not only developed an exploit, but malware that shows an in-depth understanding of systems, services, logging, and undocumented proprietary formats," Mandiant added.
The BoldMove Backdoor malware, written in C, is apparently available in both Windows and Linux versions, with the latter being able to read data from a Fortinet-exclusive file format.
Moreover, according to Fortinet’s report, an extended Linux sample comes with a feature that allows attackers to disable and manipulate logging features in order to evade detection.
Despite the fact that no copies of the backdoor have been found in the wild, metadata analysis of the Windows variations reveals that they were created as early as 2021.
"The exploitation of zero-day vulnerabilities in networking devices, followed by the installation of custom implants, is consistent with previous Chinese exploitation of networking devices," Mandiant noted.
Schooled in FortiOS
Meanwhile, Fortinet itself described the malware as a variant of “generic” Linux backdoor designed by threat actors for FortiOS. According to the company's analysis, affected systems may have had the malicious file disguising itself as a part of Fortinet's IPS engine.
According to Fortinet, one of the malware's more advanced features included manipulating FortiOS log-in to avoid detection. The malware can search FortiOS for event logs, decompress them in memory, and search for and delete a specific string that allows it to reconstruct the logs. The malware can also completely disable logging processes.
"The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," says Fortinet.
Fortinet adds that designing the malware would have required the threat actors to have a “deep understanding” of the FortiOS and its underlying hardware. "The use of custom implants shows that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS," the vendor said.