Fortinet researchers reported how threat actors exploited the recently patched FortiOS SSL-VPN vulnerability (CVE-2022-42475) in attacks against government organizations and government-related targets. According to Resecurity, a cybersecurity company protecting Fortune 500 globally, the vulnerability was earlier marketed privately by several underground brokers in the Dark Web, and used for targeted network intrusions. Significant network activity has been identified originating from APAC and South East Asia specifically.
In December, the security vendor urged its customers to update their installs to address an actively exploited FortiOS SSL-VPN vulnerability, tracked as CVE-2022-42475, that could be exploited by an unauthenticated, remote attacker to execute arbitrary code on devices.
The CVE-2022-42475 flaw is a heap-based buffer overflow weakness that resides in FortiOS sslvpnd that allowed unauthenticated attackers to crash targeted devices remotely or gain remote code execution
“A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.” reads the advisory published by the security vendor. “Fortinet is aware of an instance where this vulnerability was exploited in the wild,”
Fortinet addressed the issue with the release of FortiOS 7.2.3.
According to the experts, the threat actor behind the attacks is a sophisticated attacker due to the complexity of the exploit. The attackers exploited the flaw to deliver a variant of a generic Linux implant customized for FortiOS.
The malicious binary was located at /data/lib/libips.bak, attackers masquerade the malware as a component of Fortinet’s IPS Engine, located at /data/lib/libips.so.
“Libips.bak exports the functions ips_so_patch_urldb and ips_so_query_interface. These are the same exports in the clean IPS engine binary, libips.so. Both exported functions lead to the same malicious code. If libps.bak is named libips.so in the /data/lib directory, the malicious code will be executed automatically as components of FortiOS will call these exported functions.” reads the report published by Fortinet. “The binary does not attempt to return to the clean IPS engine code, so IPS functionality is also compromised.”
Post-incident meta data investigation allowed the experts to uncover an additional IoC, the IP address 185[.]174[.]136[.]20. A folder on the server was containing binaries built specifically to target FortiGate hardware versions.
Then the researchers created a set of Yara rules to hunt for similar file samples and identified the /var/w samples. The execution of these files was observed in the PCAPs but not obtained directly from the file system.
The analysis of the /var/w files samples revealed that threat actors use advanced capabilities to manipulate FortiOS logging, such as:
A Windows sample analyzed by the experts were compiled on a machine in the UTC+8 timezone, which includes Australia, China, Russia, Singapore, and other Eastern Asian countries.
“The self-signed certificates created by the attackers were all created between 3 and 8 AM UTC. However, it is difficult to draw any conclusions from this given hackers do not nessesarily operate during office hours and will often operate during victim office hours to help obfuscate their activity with general network traffic.” concludes the report.
(SecurityAffairs – hacking, Fortinet)