Government systems targeted through abuse of a critical FortiOS flaw

January 24, 2023
Government Systems Critical Flaw Cyberattack FortiOS CISA US

A critical vulnerability in Fortinet's FortiOS, tracked as CVE-2022-42475, is being abused by threat actors to target government systems. The flaw carries a CVSS score of 9.8 and allows an attacker to take control of the affected device, and with it a foothold in the infrastructure behind it.

Multiple FortiOS release branches are affected (fixed builds include FortiOS 7.2.3, 7.0.9, 6.4.11 and 6.2.12). Exploitation needs no credentials and has proven practical in the wild, which explains the widespread interest the flaw has attracted among attackers.

Fortinet released fixed builds and published advisory FG-IR-22-398 after the flaw was found being exploited in the wild. Fortinet's own analysis of the activity attributed it to an advanced threat actor focused on government and government-related organisations.

CISA added the flaw to its Known Exploited Vulnerabilities catalogue and published an alert pointing users and administrators to Fortinet's advisory, urging them to apply the fixed releases and to check their devices against the published list of indicators of compromise (IOCs).

Fortinet said government systems are highly targeted by threat actors abusing the flaw.

The security company said it had obtained a sample of the malware used in the attack campaigns. Its analysis found the sample to be a variant of a generic Linux implant customised for machines running FortiOS, including functionality to tamper with the device's own logging, so the absence of suspicious log entries on a device is not by itself proof that it was not compromised.

Fortinet added that the campaigns appear to be the work of advanced threat groups: building and deploying a custom implant for this platform requires a high level of skill, professional attack capabilities and a deep understanding of FortiOS internals.

It is also worth noting that the acquired malware sample appears to have been compiled on a machine set to the UTC+8 timezone, which covers Australia, China, Singapore, Russia and other East Asian territories. This points to the environment in which the attacker built the implant, not to the countries being targeted; the observed victims were government and government-related organisations.

In a separate analysis, a researcher described the vulnerability as a heap-based buffer overflow in the FortiOS SSL-VPN daemon (sslvpnd): a specially crafted request writes past the end of a heap buffer, which at minimum crashes the daemon and, when the overflowed data is attacker-controlled, lets a remote, unauthenticated attacker execute arbitrary code or commands on FortiOS firewalls that expose the SSL-VPN service.

Organisations running FortiOS with SSL-VPN exposed to the internet must upgrade to a fixed build immediately, government and government-related bodies above all. Where an upgrade cannot be scheduled right away, disable SSL-VPN until it can be, and because exploitation has already been observed, review devices for the published IOCs rather than assuming they are clean.
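As a practical starting point for the IOC review described above, here is an added triage script; it is not Fortinet's or CISA's tooling and not code from the original article. It scans FortiOS event-log lines for the sslvpnd crash signature that Fortinet's advisory lists as an indicator (an "Application crashed" entry naming sslvpnd with Signal 11), and compares a device file listing against an abridged set of the implant file paths from the same advisory, which you should verify against the current advisory before relying on them. The log lines and directory listing are constructed samples: the key=value layout mirrors FortiOS event logs, but none of it is captured data, and the PIDs, firmware string and backtrace address are placeholders.

```python
"""Triage helper for the CVE-2022-42475 indicators of compromise.

Added example, not Fortinet's or CISA's tooling. It checks two things the
FortiOS advisory (FG-IR-22-398) tells administrators to look for:
  1. repeated "Application crashed" event-log entries for sslvpnd with
     Signal 11 (SIGSEGV), the visible side effect of a failed or partially
     successful heap-overflow attempt, and
  2. unexpected files the implant drops under /data/lib and /var.
The log lines and the directory listing below are constructed samples.
"""
from __future__ import annotations

import re
from collections import Counter
from typing import Iterable

# Crash-log indicator modelled on the pattern in Fortinet's advisory:
#   logdesc="Application crashed" ... msg="... application: sslvpnd, ... Signal 11 received ..."
CRASH_RE = re.compile(
    r'logdesc="Application crashed".*?msg="[^"]*application:\s*sslvpnd\b[^"]*Signal 11 received'
)
PID_RE = re.compile(r"Pid:\s*(\d+)")
STAMP_RE = re.compile(r"date=(\S+)\s+time=(\S+)")

# Filesystem artifacts from the advisory's IOC list (abridged); confirm
# against the current advisory before relying on them.
ARTIFACT_PATHS = frozenset({
    "/data/lib/libips.bak",
    "/data/lib/libgif.so",
    "/data/lib/libiptcp.so",
    "/data/lib/libipudp.so",
    "/data/lib/libjepg.so",  # the misspelling is the attacker's, mimicking libjpeg
    "/var/.sslvpnconfigbk",
    "/data/etc/wxd.conf",
})


def scan_logs(lines: Iterable[str]) -> list[dict]:
    """Return one record per sslvpnd SIGSEGV crash found in FortiOS event-log lines."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        if not CRASH_RE.search(line):
            continue
        stamp = STAMP_RE.search(line)
        pid = PID_RE.search(line)
        hits.append({
            "line": lineno,
            "date": stamp.group(1) if stamp else None,
            "time": stamp.group(2) if stamp else None,
            "pid": int(pid.group(1)) if pid else None,
        })
    return hits


def check_artifacts(listing: Iterable[str]) -> list[str]:
    """Return the known implant paths that appear in a device file listing."""
    return sorted(set(listing) & ARTIFACT_PATHS)


def triage(lines: Iterable[str], listing: Iterable[str], min_crashes: int = 2) -> dict:
    """Combine both indicators.

    A single sslvpnd crash can be benign; the advisory points at *multiple*
    entries, hence the per-day threshold. Any known artifact on disk is
    treated as suspicious on its own, since the implant can tamper with logs.
    """
    crashes = scan_logs(lines)
    per_day = Counter(h["date"] for h in crashes)
    artifacts = check_artifacts(listing)
    return {
        "sslvpnd_crashes": len(crashes),
        "crashes_per_day": dict(per_day),
        "artifacts_present": artifacts,
        "suspicious": bool(artifacts) or any(n >= min_crashes for n in per_day.values()),
    }


# Constructed sample input (not captured data). Two sslvpnd crashes on one day,
# one unrelated miglogd crash that must not match, and two benign events.
SAMPLE_LOGS = [
    'date=2022-12-09 time=03:14:07 type="event" subtype="system" level="notice" logdesc="Admin login successful" user="admin" msg="Administrator admin logged in successfully from https(198.51.100.7)"',
    'date=2022-12-09 time=03:15:02 type="event" subtype="system" level="critical" logdesc="Application crashed" msg="Pid: 4711, application: sslvpnd, Firmware: FortiGate v7.2.2, Signal 11 received, Backtrace: [0x00007f3c2a1d0000]"',
    'date=2022-12-09 time=03:15:09 type="event" subtype="system" level="critical" logdesc="Application crashed" msg="Pid: 4720, application: miglogd, Firmware: FortiGate v7.2.2, Signal 11 received, Backtrace: [0x00007f3c2a1d0000]"',
    'date=2022-12-09 time=03:15:41 type="event" subtype="system" level="critical" logdesc="Application crashed" msg="Pid: 4733, application: sslvpnd, Firmware: FortiGate v7.2.2, Signal 11 received, Backtrace: [0x00007f3c2a1d0000]"',
    'date=2022-12-09 time=03:20:44 type="event" subtype="vpn" level="information" logdesc="SSL VPN tunnel up" msg="SSL tunnel established" user="jdoe"',
]
# Constructed file listing: one legitimate library, one benign file, two artifacts.
SAMPLE_LISTING = [
    "/data/lib/libips.so",
    "/data/lib/libgif.so",
    "/data/lib/libcrypto.so",
    "/var/.sslvpnconfigbk",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOGS, SAMPLE_LISTING))
```

Feed it the exported event log and a listing of the paths in question from the device; a clean device should return no artifacts and no sslvpnd crash clusters, and any hit on either indicator warrants treating the device as compromised and following the advisory's guidance rather than simply patching over it.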
