Researchers analyzing data associated with a recently disclosed zero-day vulnerability in Fortinet's FortiOS SSL-VPN technology have identified a sophisticated new backdoor specifically designed to run on Fortinet's FortiGate firewalls.
The malware appears to be the work of a China-based threat actor engaged in cyber-espionage operations targeting government organizations and those working with these organizations. It is the latest example of adversaries from the country targeting firewalls, IPS, IDS, and other Internet-facing technologies that enterprises use for securing their networks, Mandiant said in a report this week.
Researchers from the company came across the malware in a public repository in December and were able to tie it to the Fortinet zero-day bug (CVE-2022-42475) based on information that Fortinet released in its initial vulnerability disclosure. The vulnerability allows an unauthenticated attacker to execute arbitrary code on affected systems and is present in multiple versions of Fortinet's FortiOS and FortiProxy technologies. When Fortinet disclosed the vulnerability, the company said it was aware of at least one incident where an attacker had exploited the flaw in the wild.
Mandiant said the malware it discovered in December — and is tracking as "BoldMove" — is associated with the exploitation of CVE-2022-42475. Available telemetry suggests that exploit activity associated with the malware was occurring as early as October 2022. Targets have included a government entity in Europe and a managed services provider in Africa.
The BoldMove backdoor, written in C, comes in two flavors: a Windows version and a Linux version that the threat actor appears to have customized for FortiOS, Mandiant said. When executed, the Linux version of the malware first attempts to connect to a hardcoded command-and-control (C2) server. If successful, BoldMove collects information about the system on which it has landed and relays it to the C2. The C2 server then relays instructions to the malware that ends with the threat actor gaining full remote control of the affected FortiOS device.
Ben Read, director of cyber-espionage analysis at Mandiant, says some of the core functions of the malware, such as its ability to download additional files or open a reverse shell, are fairly typical of this type of malware. But the customized Linux version of BoldMove also includes capabilities to manipulate specific features of FortOS.
"The implementation of these features shows an in-depth knowledge of the functioning of Fortinet devices," Read says. "Also notable is that some of the Linux variants features appear to have been rewritten to run on lower-powered devices."
The adversary appears to have compiled the Windows version of BoldMove sometime in 2021, or well before the Linux version. Mandiant so far has not detected any exploit activity in the wild associated with that version. "The Windows sample we have is 32-bit, so [it] should run on most modern versions of Windows but could be compiled to run on 64-bit machines," Read says. It would not run on a Fortinet device, however.
The new cyber-espionage campaign and the BoldMove malware that the attackers are using in the campaign continue a pattern among China-based threat actors — and advanced persistent threats from other nations as well — to target firewalls, IPS, IDS, and other network security devices.
Developing exploits for these technologies can be challenging and require substantial resources and technical chops.
With BoldMove, "the attackers not only developed an exploit, but malware that shows an in-depth understanding of systems, services, logging, and undocumented proprietary formats," Mandiant said. But the payoff for attackers can be high because a successful exploit gives them wide access to a network, without requiring any user interaction, the security vendor added.
While Fortinet's products have been an especially popular target in this regard, threat actors have targeted products from other vendors as well, including Pulse Secure VPNs, Citrix ADCs, and SonicWall. The attacks have prompted multiple advisories from the FBI, the US Cybersecurity and Information Security Agency (CISA), and others.
Schooled in FortiOS
Meanwhile, Fortinet itself last week described the malware associated with CVE-2022-42475 as a variant of a "generic" Linux backdoor that the threat actor has customized for FortiOS. The company said its analysis showed the malicious file may have been masquerading as a component of Fortinet's IPS engine on compromised systems.
Among the malware's more advanced features was one for manipulating FortiOS logging to avoid detection, Fortinet said. The malware can look for event logs in FortiOS, to decompress them in memory and search for and delete a specific string that enables it to reconstruct the logs. The malware can also shut down logging processes entirely.
"The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," Fortinet said.
According to Fortinet, developing the exploit would have required the threat actor to have a "deep understanding" of FortiOS and the underlying hardware. "The use of custom implants shows that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS," the vendor said.