Unknown attackers used zero-day exploits to abuse a new FortiOS bug patched this month in attacks targeting the government and large organizations that have led to operating system and file corruption and data loss.
Fortinet released security updates on March 7, 2023 to address this high severity security vulnerability (CVE-2022-41328) that allowed threat actors to execute unauthorized commands or code.
“An improper limitation of a path name to a restricted directory (‘path traversal’) vulnerability [CWE-22] on FortiOS can allow a privileged attacker to read and write arbitrary files via crafted CLI commands,” the company says in the advisory.
The list of affected products includes FortiOS version 6.4.0 to 6.4.11, FortiOS version 7.0.0 to 7.0.9, FortiOS version 7.2.0 to 7.2.3, and all versions of FortiOS 6.0 and 6.2.
To patch the security flaw, administrators must update vulnerable products to FortiOS version 6.4.12 and later, FortiOS version 7.0.10 and later, or FortiOS version 7.2.4 and later.
While the flaw notice did not mention that the bug was exploited in the wild before the patches were released, a Fortinet report published last week revealed that the CVE-2022-41328 vulnerabilities had been used to hack and remove various FortiGate firewall devices belonging to one. of your clients
Data-stealing malware
The incident was discovered after the compromised Fortigate devices shut down with the messages “System enters error mode due to FIPS error: Firmware integrity self-check failed” and failed to reboot.
Fortinet says this happens because its FIPS-enabled devices verify the integrity of system components and are configured to automatically shut down and halt boot to block a breach in the network if a compromise is detected.
These Fortigate firewalls were breached through a FortiManager device on the victim’s network, as they were all stopped simultaneously, hacked with the same tactics, and the FortiGate traversal exploit was launched at the same time as the scripts executed. through FortiManager.
Subsequent investigation showed that the attackers modified the device’s firmware image (/sbin/init) to launch a payload (/bin/fgfm) before the boot process began.
This malware allows data exfiltration, downloading and writing files, or opening remote shells when an ICMP packet containing the string “;7(Zu9YTsA7qQ#vm)” is received.
Zero-day used to attack government networks
Fortinet concluded that the attacks were highly targeted, with some evidence showing that threat actors favored government networks. The attackers have also demonstrated “advanced capabilities,” including reverse-engineering parts of the FortiGate devices’ operating system.
“The attack is highly targeted, with some indication of preferred government or government-related targets,” the company said.
“The exploit requires a deep understanding of FortiOS and the underlying hardware. The custom implants show that the actor has advanced capabilities, including reverse engineering of various parts of FortiOS.”
Fortinet customers are advised to immediately upgrade to a patched version of FortiOS to block potential attack attempts (a list of IOCs is also available here).
In January, Fortinet disclosed a series of very similar incidents in which a FortiOS SSL-VPN vulnerability patched in December 2022 and tracked as CVE-2022-42475 was also used as a zero-day bug to target government organizations and entities. government related.
The FortiOS SSL-VPN zero-day attacks share many similarities with a Chinese hacking campaign that infected unpatched SonicWall Secure Mobile Access (SMA) devices with cyber-espionage malware that survives firmware updates.
