iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Security researchers have uncovered threat actors taking advantage of a reported zero-day vulnerability in Fortinet’s FortiOS.
The attackers are believed to be Chinese or affiliated with the People’s Republic of China.
According to Mandiant’s experts, the exploit has been taking place since at least October 2022. The vulnerability — CVE-2022-42475 — was first reported by Fortinet on 12 December and remains unpatched.
The unidentified group is using a new piece of malware, which the researchers have dubbed BOLDMOVE. It comes in both Windows and Linux varieties and has been written specifically for FortiGate firewalls.
“We believe that this is the latest in a series of Chinese cyber espionage operations that have targeted internet-facing devices and we anticipate this tactic will continue to be the intrusion vector of choice for well-resourced Chinese groups,” said Mandiant in a blog post.
Attacking devices like firewalls has a number of advantages. For one, they often have limited admin interfaces — they’re effectively a black box meant to run in the background and monitor the traffic that moves through it. And if you can compromise one, you can tunnel into a network and then execute commands remotely for command and control infrastructure.
Mandiant believes the threat actors to be related to China based on the time zone the malware was compiled in, possible Chinese characters in the malware itself, and the nature of the target.
“The exploitation of zero-day vulnerabilities in networking devices, followed by the installation of custom implants, is consistent with previous Chinese exploitation of networking devices,” Mandiant’s researchers said.
“This campaign and infection vector also should be strong reminders of the importance of keeping up with updates and patches, of externally facing devices or those exposed to the internet.”
The FortiOS vulnerability in question is a heap-based buffer overflow vulnerability, which is known to allow threat actors to execute arbitrary code and commands.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
