Hackers exploit a Fortinet flaw to launch the BOLDMOVE backdoor

February 3, 2023

A suspected China-based hacking group exploited a critical flaw in Fortinet’s FortiOS SSL-VPN as a zero-day to deploy the BOLDMOVE backdoor. The as-yet unidentified, Chinese-speaking threat group targeted government entities in European countries and a Managed Service Provider (MSP) based in Africa.

According to researchers, the exploitation occurred in October last year, a couple of months before Fortinet released a patch for the vulnerability. The threat actors targeted internet-facing devices used for managed security, such as firewalls, security appliances, and intrusion prevention and detection systems (IPS and IDS).

The attackers exploited a heap-based buffer overflow in FortiOS SSL-VPN that allows unauthenticated remote code execution via specifically crafted requests. The flaw is tracked as CVE-2022-42475.

Malware developers built the BOLDMOVE backdoor as a purpose-made tool for intrusions against a specific target.

The attacks used the BOLDMOVE backdoor, a Linux malware variant developed by the hackers to run on Fortinet’s FortiGate firewalls.

Subsequent investigation revealed that BOLDMOVE is written in C and exists in both Linux and Windows variants. The Linux variant also includes a tool for reading data from a file format exclusive to Fortinet.

Researchers explained that the Windows variants of the backdoor were compiled a couple of years ago; however, a sample of that variant is still circulating in the wild today.

Once running, the backdoor performs reconnaissance on the infected system, gathering data that lets the attackers uniquely identify the device. It then takes commands from a C2 server, allowing the attackers to perform file operations, spawn a remote shell, and relay traffic through the infected host.

An extended Linux sample of the backdoor can additionally disable and manipulate logging features to evade detection.
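As an added example (not part of the original article or of the researchers' analysis), the following Python script shows one defender-side check prompted by the log-tampering behaviour described above: it scans a stream of syslog-style lines for unexpectedly long silences within a single device's log stream, and for devices that have stopped reporting altogether. The line layout, the host names fw01 and fw02, the sample lines and the thresholds are all constructed for illustration and are not taken from any real FortiGate output.

```python
from datetime import datetime

# Constructed sample syslog-style lines (illustrative only, not real FortiGate output).
# fw01 goes quiet for several minutes mid-stream; fw02 stops reporting after one event.
SAMPLE_LOG = """\
2022-10-12T10:00:05 fw01 sslvpn: user=alice action=login status=success
2022-10-12T10:00:20 fw02 sslvpn: user=erin action=login status=success
2022-10-12T10:00:35 fw01 sslvpn: user=bob action=login status=success
2022-10-12T10:01:02 fw01 sslvpn: user=carol action=login status=failure
2022-10-12T10:01:30 fw01 sslvpn: user=alice action=logout
2022-10-12T10:09:10 fw01 sslvpn: user=dave action=login status=success
2022-10-12T10:09:40 fw01 sslvpn: user=dave action=logout
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"


def parse_events(log_text):
    """Yield (timestamp, source) pairs.

    Assumed line layout: '<ISO timestamp> <host> <message>'.
    """
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, _message = line.split(" ", 2)
        yield datetime.strptime(ts, TS_FORMAT), host


def last_seen_by_source(log_text):
    """Map each log source to the timestamp of its most recent event."""
    last = {}
    for ts, host in parse_events(log_text):
        if host not in last or ts > last[host]:
            last[host] = ts
    return last


def find_log_gaps(log_text, max_gap_seconds):
    """Return (source, gap_start, gap_end, seconds) for every silent interval
    within one source's stream that exceeds max_gap_seconds.

    A gap this long on a device that normally logs steadily is worth a look:
    logging may have been disabled or events may have been dropped.
    """
    per_source = {}
    for ts, host in parse_events(log_text):
        per_source.setdefault(host, []).append(ts)
    gaps = []
    for host, times in sorted(per_source.items()):
        times.sort()
        for prev, cur in zip(times, times[1:]):
            delta = (cur - prev).total_seconds()
            if delta > max_gap_seconds:
                gaps.append((host, prev.strftime(TS_FORMAT), cur.strftime(TS_FORMAT), delta))
    return gaps


def silent_sources(log_text, now_str, max_silence_seconds):
    """Return {source: seconds_silent} for sources whose last event is older
    than max_silence_seconds relative to now_str (same timestamp format)."""
    now = datetime.strptime(now_str, TS_FORMAT)
    return {
        host: (now - ts).total_seconds()
        for host, ts in last_seen_by_source(log_text).items()
        if (now - ts).total_seconds() > max_silence_seconds
    }


if __name__ == "__main__":
    # Thresholds are assumptions; tune them to each device's normal log rate.
    for gap in find_log_gaps(SAMPLE_LOG, max_gap_seconds=300):
        print("gap:", gap)
    for host, secs in silent_sources(SAMPLE_LOG, "2022-10-12T10:10:00", 300).items():
        print(f"silent: {host} for {secs:.0f}s")
```

Both checks only raise a question, not a verdict: a quiet period can be benign, so the output is a prompt to inspect the device's logging configuration and compare against an independent record such as NetFlow or a collector-side heartbeat.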

The report highlights how attackers exploit zero-day bugs against critical entities such as MSPs to gain initial access that can lead into broader networks. The attackers also deploy custom implants, a practice common among Chinese hacking groups.

Organisations should adopt measures to keep exploitation of bugs like this one at bay. Experts recommend investing in a patch management plan and in robust security for essential data.
