A suspected China-nexus threat actor exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa.
The attacks entailed the use of a sophisticated backdoor dubbed BOLDMOVE, a Linux variant of which is specifically designed to run on Fortinet’s FortiGate firewalls.
Fortinet is an international provider of network security products that protect organizations from cyber threats. Lately, Fortinet's products have become a popular target for cybercriminals worldwide because of security vulnerabilities in them.
BOLDMOVE backdoor: how the attack happens
Google-owned Mandiant discovered the malware, which it dubbed BOLDMOVE, in December 2022. Further investigation revealed that the threat actor exploited the vulnerability tracked as CVE-2022-42475.
Researchers were confident that a China-based threat actor was involved because the exploitation activity matched the pattern seen in Chinese operations: targeting internet-exposed devices, mainly those used for managed security purposes such as IDS appliances and firewalls.
The backdoor is written in C and exists in two versions, one for Windows and one for Linux; the adversary has probably customized the Linux version for FortiOS. When the Linux version is executed, it attempts to connect to a hardcoded C2 server.
If the attack succeeds, BOLDMOVE collects information about the system it landed on and sends it to the C2 server. The server then relays instructions to the malware, after which the adversary has full remote control of the compromised FortiOS device.
- Basic BOLDMOVE
  - MD5: 12e28c14bb7f7b9513a02e5857592ad7
  - SHA256: 3da407c1a30d810aaff9a04dfc1ef5861062ebdf0e6d0f6823ca682ca08c37da
- Extended BOLDMOVE
  - MD5: 3191cb2e06e9a30792309813793f78b6
  - SHA256: 0184e3d3dd8f4778d192d07e2caf44211141a570d45bb47a87894c68ebebeabb
- Windows version of BOLDMOVE
  - MD5: 54bbea35b095ddfe9740df97b693627b
  - SHA256: 61aae0e18c41ec4f610676680d26f6c6e1d4d5aa4e5092e40915fe806b679cd4