Suspected Chinese hackers exploited the recently disclosed FortiOS SSL-VPN vulnerability as Day Zero in December, targeting a European government and an African MSP with a new malware intended for Linux and Windows “BOLDMOVE”.
The vulnerability was tracked as CVE-2022-42475 and was quietly fixed by Fortinet in November. Fortinet publicly disclosed the vulnerability in December, Urge customers To patch their devices as threat actors were actively exploiting the flaw.
The flaw allows unauthenticated attackers to remotely disable target devices or gain remote code execution.
However, it wasn’t until this month Fortinet shared more details on how hackers exploited it, explaining that threat actors have targeted government entities with custom malware specifically designed to run on FortiOS devices.
The attackers focused on maintaining stability on exploited devices by using malware intended to patch FortiOS logging processes so that specific registry entries could be removed or the registry process completely disabled.
Yesterday, Mandiant published a report on a suspected Chinese espionage campaign exploiting a FortiOS vulnerability since October 2022 using a new malware “BOLDMOVE” designed expressly for attacks on FortiOS devices.
The new BOLDMOVE malware
BOLDMOVE is a full-featured backdoor written in C that enables Chinese hackers to gain a higher level of control over a device, with a Linux version created specifically to run on FortiOS devices.
Mandiant has identified several versions of BOLDMOVE with varying capabilities, but the basic set of features noted across all samples include:
- Perform a system scan.
- Receive commands from C2 (command and control) server.
- Distal shell hatching on host.
- Transmission of traffic through the hacked device.
Commands supported by BOLDMOVE allow threat actors to remotely manage files, execute commands, create an interactive shell, and control a backdoor.
The Windows and Linux variants are very similar but use different libraries, and Mandiant believes that the Windows version was compiled in 2021, about a year earlier than the Linux version.
However, the most significant difference between the Linux and Windows versions is that one of the Linux variants contains functionality that specifically targets FortiOS hardware.
For example, the Linux version BOLDMOVE allows attackers to modify Fortinet logs on the compromised system or disable the logging daemon (miglogd and syslogd) altogether, making it harder for defenders to track the intrusion.
Moreover, this version of BOLDMOVE can send requests to Fortinet’s internal services, allowing attackers to send network requests to the entire internal network and propagate laterally to other machines.
The Chinese cyberespionage group will continue to target devices that encounter unpatched Internet such as firewalls and IPS/ISD devices because they provide easy access to the network without the need for interaction.
Unfortunately, it’s not easy for defenders to inspect the processes running in these machines, and Mandiant says the native security mechanisms don’t work well enough to protect them.
“There is no mechanism to detect malicious processes running on these devices, nor remote tracking to proactively scan for malicious images deployed on them after exploiting a vulnerability,” Mandiant explains in the report.
“This makes network hardware a blind spot for security practitioners and allows attackers to hide in it and maintain invisibility for long periods, while also using it to gain a foothold in a target network.”
The emergence of a dedicated backdoor to one of these devices demonstrates the threat actors’ deep understanding of how perimeter network devices operate and the initial access opportunity they present.