Category Archives: Malware

New Bad Magic APT used CommonMagic framework in the area of Russo-Ukrainian conflict

Threat actors are targeting organizations located in Donetsk, Lugansk, and Crimea with a previously undetected framework dubbed CommonMagic.

In October 2022, Kaspersky researchers uncovered a malware campaign aimed at infecting government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions with a previously undetected framework dubbed CommonMagic.

Researchers believe that threat actors use spear phishing as an initial attack vector, the messages include an URL pointing to a ZIP archive hosted on a web server under the control of the attackers. The archive contained two files, a decoy document (i.e. PDF, XLSX and DOCX versions) and a malicious LNK file with a double extension (i.e., .pdf.lnk) used to start the infection and deploy the PowerMagic backdoor.

Malicious ZIP archive (Source Kaspersky)

Kaspersky attributes the attack to a new APT group operating in the area of Russo-Ukrainian conflict and tracked as Bad magic.

The experts noticed that TTPs observed during this campaign have no direct link to any known campaigns.

PowerMagic is a PowerShell backdoor that executes arbitrary commands sent by C2, then it exfiltrates data to cloud services like Dropbox and Microsoft OneDrive.

“When started, the backdoor creates a mutex – WinEventCom. Then, it enters an infinite loop communicating with its C&C server, receiving commands and uploading results in response. It uses OneDrive and Dropbox folders as transport, and OAuth refresh tokens as credentials.” reads the report published by Kaspersky.

The threat actor likely used the PowerMagic backdoor to deliver the modular CommonMagic framework.

Each module of the CommonMagic framework is used to perform a certain task, such as communicating with the C2 server, encrypting and decrypting C2 traffic, and executing plugins.

Kaspersky analyzed two plugins respectively used to capture screenshots every three seconds and collects the contents of the files with the following extensions from connected USB devices: .doc, .docx. .xls, .xlsx, .rtf, .odt, .ods, .zip, .rar, .txt, .pdf.

“So far, we have found no direct links between the samples and data used in this campaign and any previously known actors.” concludes the report. “However, the campaign is still active, and our investigation continues. So, we believe that further discoveries may reveal additional information about this malware and the threat actor behind it.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CommonMagic)

New ShellBot bot targets poorly managed Linux SSH Servers

New ShellBot DDoS bot malware, aka PerlBot, is targeting poorly managed Linux SSH servers, ASEC researchers warn.

AhnLab Security Emergency response Center (ASEC) discovered a new variant of the ShellBot malware that was employed in a campaign that targets poorly managed Linux SSH servers.

The ShellBot, also known as PerlBot, is a Perl-based DDoS bot that uses IRC protocol for C2 communications.

The ShellBot performs SSH bruteforce attacks on servers that have port 22 open, it uses a dictionary containing a list of known SSH credentials.

“The ShellBot malware strains that are going to be covered in this post are believed to have been installed after threat actors used account credentials that have been obtained through the use of scanners and SSH BruteForce malware on target systems.” reads the ASEC’s report. “After scanning systems that have operational port 22s, threat actors search for systems where the SSH service is active and uses a list of commonly used SSH account credentials to initiate their dictionary attack.”

Below is a list of the account credentials used by ShellBot operators to compromise the target servers:


The researchers categorized the ShellBot into three different groups since threat actors can create their own versions: LiGhT’s Modded perlbot v2, DDoS PBot v2.0, and PowerBots (C) GohacK.

LiGhT’s Modded perlbot v2 and DDoS PBot v2.0 supports multiple DDoS attack commands using HTTP, TCP, and UDP protocols. The PowerBots (C) GohacK supports backdoor features, including reverse shell and file downloading capabilities.

The researchers recommend using strong passwords for admin accounts and changing them periodically to protect the Linux server from brute force attacks and dictionary attacks. They also recommend keeping the servers up to date and using security programs.

“If ShellBot is installed, Linux servers can be used as DDoS Bots for DDoS attacks against specific targets after receiving a command from the threat actor. Moreover, the threat actor could use various other backdoor features to install additional malware or launch different types of attacks from the compromised server.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ShellBot)

Threat actors abuse Adobe Acrobat Sign to distribute RedLine info-stealer

Threat actors are abusing the legitimate Adobe Acrobat Sign service to distribute the RedLine information stealer.

Avast researchers reported that threat actors are abusing the legitimate Adobe Acrobat Sign service to distribute the RedLine information stealer.

Adobe Acrobat Sign allows registered users to sign documents online and send a document signature request to anyone. This latter process consists of generating an email that is sent to the intended recipients. The message includes a link to the document that that will be hosted on Adobe itself. 

The experts pointed out that the users can also add a text to the email, this option can be abused by the attackers.

Le e-mail generate dai servizi hanno come indirizzo del mittente ‘’, che ovviamente è un indirizzo e-mail legittimo considerato affidabile da qualsiasi soluzione di difesa.

When the victim clicks on the “Review and sign” button, it takes them to a page hosted in “”, which is another legitimate source that belongs to Adobe. As I mentioned earlier, people using this service can upload a broad variety of file types to Adobe Acrobat Sign, which will be displayed in the email with the option to sign them. 

Avast researchers observed crooks including text with a link in a document that attempts to trick the victim into thinking that they’ll be through the content before signing it. Once clicked on the link, the victim is redirected to another site where they’re asked to enter a CAPTCHA that is hardcoded.

Upon providing the CAPTCHA, the victim will be asked to download a ZIP archive containing the Redline Trojan variant.

The experts also observed threat actors targeting the same recipient days later by adding another link to the email sent by Adobe. Upon clicking on that link, the recipient is redirected to a page that is hosted on, which offers electronic document signing too.

The archive used in this second attack includes another Redline Trojan variant and some non-malicious executables belonging to the Grand Theft Auto V game.

The attackers also employed a simple trick in an attempt to avoid detection, they artificially increased the size of the Redline Trojan to more than 400MB.

“One of the characteristics of the two variants of Redline that these cybercriminals used in these attacks is that they’ve artificially increased the size of the Trojan to more than 400MB. This is not noticeable by the victim during the download, as the file is compressed and most of that artificial size has just been filled with zeros.” reads the anaysis published by Avast. “The reason for this is unknown; it’s possible that the cybercriminals are using it in the hope of bypassing some antivirus engines that could behave differently with big files.”

The experts concludes that the abuse of Adobe Acrobat Sign to distribute malware is a new technique used by attackers in targeted attacks.

“Our team has yet to detect other attacks using this technique; nevertheless, we fear that it may become a popular choice for cybercriminals in the near future.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

Emotet is back after a three-month hiatus

The infamous Emotet malware is back after a short hiatus, threat actors are spreading it via Microsoft OneNote email attachments.

The Emotet malware returns after a three-month hiatus and threat actors are distributing it via Microsoft OneNote email attachments to avoid detection.

The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542.

The infamous banking trojan was also used to deliver other malicious code, such as Trickbot and QBot trojans, or ransomware such as ContiProLockRyuk, and Egregor.

In April, the operators of the infamous Emotet botnet started testing new attack techniques in response to Microsoft’s move to disable Visual Basic for Applications (VBA) macros by default.

In June, Proofpoint experts spotted a new variant of the Emotet bot that uses a new module to steal credit card information stored in the Chrome web browser.

Over time, Emotet operators have enhanced their attack chain by employing multiple attack vectors to remain under the radar.

The operators remained inactive between July and November 2022. In November, Proofpoint researchers warned of the return of the Emotet malware after having observed a high-volume malspam campaign delivering payloads like IcedID and Bumblebee.

MalwareBytes researchers noticed that the new campaign was powered by the botnet Epoch 4.

“Last week, Emotet returned after a three month absence when the botnet Epoch 4 started sending out malicious emails with malicious Office macros. While the extracted attachments were inflated to several hundred megabytes, it was surprising to see that Emotet persisted in using the same attack format.” reads the post published by MalwareBytes. “One noticeable change was the use of Microsoft OneNote documents by several other criminal gangs. Now, it is Emotet’s turn to follow along.”

The OneNote file attachment poses as a fake notification stating that the document is protected. The recipient is instructed to double-click on the View button in the content of the mail causing the victims inadvertently double-click on an embedded script file instead.

Then the Windows scripting engine (wscript.exe) executes the following command:


to execute a heavily obfuscated script that retrieves the Emotet binary payload from a remote server.

The malicious DLL is then executed via regsvr32.exe to install the notorious malware on the target system.

Cofense researchers also reported that Emotet malicious activity resumed on March 7, 2023, the messages detected by the company contain attached .zip files that are not password protected.

The attached .zip files deliver weaponized Office documents that download and execute the Emotet .dll.

“It is unclear how long this round of email activity will last. While an earlier round of activity in 2022 extended across multiple weeks, the last round occurred over less than two weeks in November 2022, with more than three months of inactivity on either side.” states Cofense.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

Play ransomware gang hit Dutch shipping firm Royal Dirkzwager

Dutch maritime logistics company Royal Dirkzwager suffered a ransomware attack, the company was hit by the Play ransomware gang.

The Play ransomware group hit the Dutch maritime logistics company Royal Dirkzwager.

Royal Dirkzwager is specialized in optimizing shipping processes and managing maritime and logistic information flows.

The ransomware group added the company to its Tor data leak site and announced the theft of stolen private and personal confidential data, employee IDs, passports, contracts and etc.

The gang initially leaked a 5 GB archive as proof of the hack and threatens to release the full dump if the company will not pay the ransom.

Company CEO Joan Blaas said that the ransomware attack did not impact the operations of the company. He confirmed that threat actors have stolen sensitive data from its infrastructure.

“It has had a huge impact on our employees. Over the last year, because of the company’s bankruptcy, we had to let go of people and not everyone could stay. We had to move offices and now this. It’s been a very difficult time,” Company CEO Joan Blaas told The Record.

The company notified the Dutch Data Protection Authority and confirmed it is in negotiations with the ransomware group.

The Play ransomware group has been active since July 2022, the list of victims includes the City of Oakland and the Cloud services provider Rackspace.

The shipping industry is a privileged target of cybercrime organizations. In January, about 1,000 vessels have been impacted by a ransomware attack against DNV, one of the major maritime software suppliers. 

DNV GL provides solutions and services throughout the life cycle of any vessel, from design and engineering to risk assessment and ship management. The Norwegian company provides services for 13,175 vessels and mobile offshore units (MOUs) amounting to 265.4 million gross tonnes, which represents a global market share of 21%.

In February 2022, a cyber attack hit Oiltanking GmbH, a German petrol distributor that supplies Shell gas stations in the country, severely impacting its operations. According to the media, the attack also impacted the oil supplier Mabanaft GmbH. The two companies belong to the Marquard & Bahls group.

In November 2021, researchers from threat intelligence firm Intel 471 published an analysis of cybercrime underground trends online, warning that initial access brokers were offering credentials or other forms of access to shipping and logistics organizations.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Royal Dirkzwager)

Kaspersky released a new decryptor for Conti-based ransomware

Kaspersky released a new version of the decryptor for the Conti ransomware that is based on the previously leaked source code of the malware.

Kaspersky has published a new version of a decryption tool for the Conti ransomware based on previously leaked source code for the Conti ransomware.

In March 2022, a Ukrainian security researcher has leaked the source code from the Conti ransomware operation to protest the gang’s position on the conflict.

After the leak of the source code, an unknown ransomware group started distributing a modified version of the Conti ransomware in attacks aimed at companies and state institutions.

In late February 2023, Kaspersky researchers uncovered a new portion of leaked data published on forums and noticed the presence of 258 private keys. The leak also included source code and some pre-compiled decryptors, which allowed the researchers to release new version of the public decryptor.

“The malware variant whose keys were leaked, had been discovered by Kaspersky specialists in December 2022. This strain was used in multiple attacks against companies and state institutions.” states Kaspersky.

“The leaked private keys are located in 257 folders (only one of these folders contains two keys). Some of them contain previously generated decryptors and several ordinary files: documents, photos, etc. Presumably the latter are test files – a couple of files that the victim sends to the attackers to make sure that the files can be decrypted.”

The researchers added all 258 keys to the latest build of Kaspersky’s utility RakhniDecryptor Users can download the decryptor from the Kaspersky’s “No Ransom” site.

 “For many consecutive years, ransomware has remained a major tool used by cybercrooks. However, because we have studied the TTPs of various ransomware gangs and found out that many of them operate in similar ways, preventing attacks becomes easier. The decryption tool against a new Conti-based modification is already available on our “No Ransom” webpage. However, we would like to emphasize that the best strategy is to strengthen defenses and stop the attackers at early stages of their intrusion, preventing ransomware deployment and minimizing the consequences of the attack,” said Fedor Sinitsyn, lead malware analyst at Kaspersky.

Below is the list of recommendations provided by the experts to protect organizations from ransomware attacks:

  • Do not expose remote desktop services (such as RDP) to public networks unless absolutely necessary and always use strong passwords for them.
  • Promptly install available patches for commercial VPN solutions providing access for remote employees and acting as gateways in your network.
  • Focus your defense strategy on detecting lateral movements and data exfiltration to the Internet. Pay special attention to the outgoing traffic to detect cybercriminals’ connections.
  • Back up data regularly. Make sure you can quickly access it in an emergency when needed. 
  • Use solutions like Kaspersky Endpoint Detection and Response Expert and Kaspersky Managed Detection and Response service which help to identify and stop the attack on early stages, before attackers reach their final goals.
  • Use the latest Threat Intelligence information to stay aware of actual TTPs used by threat actors. The Kaspersky Threat Intelligence Portal is a single point of access for Kaspersky’s TI, providing cyberattack data and insights gathered by our team for 25 years. To help businesses enable effective defenses in these turbulent times, Kaspersky has announced access to independent, continuously updated and globally sourced information on ongoing cyberattacks and threats, at no charge. Request access to this offer here.

The Conti group has been active since 2019, the FBI estimated that between 2020 and 2022 the gang breached hundreds of organizations. The FBI estimated that as of January 2022, the gang obtained $150,000,000 in ransom payments from over 1,000 victims.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Conti)

US govt agencies released a joint alert on the Lockbit 3.0 ransomware

The US government released a joint advisory that provides technical details about the operation of the Lockbit 3.0 ransomware gang.

The U.S. Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) released a joint advisory that provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with the notorious LockBit 3.0 ransomware.

“The Federal Bureau of Investigation (FBI), CISA, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) has released a joint cybersecurity advisory (CSA), #StopRansomware: LockBit 3.0. This joint advisory details known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) that FBI investigations correlated with LockBit 3.0 ransomware as recently as March 2023.” reads the advisory published by US agencies. “LockBit 3.0 functions as an affiliate-based ransomware variant and is a continuation of LockBit 2.0 and LockBit.”

The Lockbit gang has been active since at least 2019 and today it is one of the most active ransomware groups offering a Ransomware-as-a-Service (RaaS) model.

The LockBit 3.0 ransomware (aka LockBit Black) was launched in June 2022 and is a continuation of previous versions of the ransomware, LockBit 2.0 (released in mid-2021), and LockBit.

The LockBit 3.0 ransomware is a modular malware that is more evasive than its previous versions, its shared similarities with Blackmatter and Blackcat ransomware.

“LockBit 3.0 is configured upon compilation with many different options that determine the behavior of the ransomware. Upon the actual execution of the ransomware within a victim environment, various arguments can be supplied to further modify the behavior of the ransomware. For example, LockBit 3.0 accepts additional arguments for specific operations in lateral movement and rebooting into Safe Mode (see LockBit Command Line parameters under Indicators of Compromise).” reads the joint alert

“If a LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware, then a password argument is mandatory during the execution of the ransomware.”

By protecting the code with encryption, the latest LockBit version can avoid the detection of signature-based anti-malware solutions.

The ransomware doesn’t infect machines whose language settings are included in an exclusion list, which includes Romanian (Moldova), Arabic (Syria), and Tatar (Russia).

Initial attack vectors used by affiliates deploying LockBit 3.0 ransomware include remote desktop protocol (RDP) exploitation, drive-by compromise, phishing campaigns, abuse of valid accounts, and exploitation of public-facing applications.

Upon execution in the target network, the ransomware attempts to escalate privileges if they are not sufficient, terminate processes and services, delete logs, files in the recycle bin folder, and shadow copies residing on disk.

LockBit 3.0 attempts to perform lateral movement by using a preconfigured list of credentials hardcoded at compilation time or a compromised local account with elevated privileges.

Operators can also compile LockBit 3.0 for spreading via Group Policy Objects and PsExec using the Server Message Block (SMB) protocol.

  • The RaaS’s affiliates use the following tools to exfiltrate data before encrypting it:
  • Stealbit, a custom exfiltration tool used previously with LockBit 2.0;
  • publicly available file-sharing services, such as MEGA.

The affiliates have been observed using various freeware and open-source tools furing their attacks.

“These tools are used for a range of activities such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration. Use of PowerShell and Batch scripts
are observed across most intrusions, which focus on system discovery, reconnaissance, password/credential hunting, and privilege escalation. Artifacts of professional penetration-testing tools such as Metasploit and Cobalt Strike have also been observed.” continues the report.

The alert states that LockBit 3.0 is capable of bypassing User Account Control (UAC) to execute code with elevated privileges via elevated Component Object Model (COM) Interface. It also supports a Safe Mode feature to bypass endpoint antivirus and detection.

The alert also provides mitigations and security controls to prevent and reduce the impact of the threat.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, RaaS)

Hitachi Energy breached by Clop gang through GoAnywhere Zero-Day exploitation

Hitachi Energy disclosed a data breach, the Clop ransomware gang stole the company data by exploiting the recent GoAnywhere zero-day flaw.

Hitachi Energy disclosed a data breach, the company was hacked by the Clop ransomware gang that stole its data by exploiting the recently disclosed zero-day vulnerability in the GoAnywhere MFT (Managed File Transfer).

The company was the victim of a large-scale campaign targeting GoAnywhere MFT devices worldwide by exploiting the zero-day vulnerability.

“We recently learned that a third-party software provider called FORTRA GoAnywhere MFT (Managed File Transfer) was the victim of an attack by the CLOP ransomware group that could have resulted in an unauthorized access to employee data in some countries.” reads the statement pblished by the company.

“Upon learning of this event, we took immediate action and initiated our own investigation, disconnected the third-party system, and engaged forensic IT experts to help us analyze the nature and scope of the attack. Employees who may be affected have been informed and we are providing support. We have also notified applicable data privacy, security and law enforcement authorities and we continue to cooperate with the relevant stakeholders.”

Hitachi Energy immediately launched an investigation into the incident and disconnected the compromised system. The company reported the data breach to law enforcement agencies and data protection watchdog.

The company pointed out that its network operations or the security of its customer data have not been compromised.

In early February, the popular investigator Brian Krebs first revealed details about the zero-day on Mastodon and pointed out that Fortra has yet to share a public advisory.

According to the private advisory published by Fortra, the zero-day is a remote code injection issue that impacts GoAnywhere MFT. The vulnerability can only be exploited by attackers with access to the administrative console of the application.

Installs with administrative consoles and management interfaces that are not exposed on the internet are safe, however, security researcher Kevin Beaumont discovered about 1000 Internet-facing consoles.

Fortra recommends GoAnywhere MFT customers review all administrative users and monitor for unrecognized usernames, especially those created by “system.”

In February, the Clop ransomware group claimed to have stolen sensitive data from over 130 organizations by exploiting a zero-day vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere MFT secure file transfer tool, BleepingComputer reported.

Other organizations breached by exploiting the flaw in Fortra’s GoAnywhere MFT secure file transfer are the Hatch Bank, the Community Health Systems, and the data security firm Rubrik. At this time, the Clops ransomware group only added the bank and the data security firm to the list of victims.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Hitachi Energy)

HinataBot, a new Go-Based DDoS botnet in the threat landscape

A new Golang-based DDoS botnet, tracked as HinataBot, targets routers and servers by exploiting known vulnerabilities.

Akamai researchers spotted a new DDoS Golang-based botnet, dubbed HinataBot, which has been observed exploiting known flaws to compromise routers and servers.

The experts reported that the HinataBot bot was seen being distributed since the beginning of 2023 and its operators are actively updating it.

The name “Hinata” comes after a character from the popular anime series, Naruto.

Akamai’s SIRT recently discovered the new bot within HTTP and SSH honeypots, it stood out due to its large size and the lack of specific identification around its newer hashes.

The sample captured by the experts abuses old vulnerabilities and weak credentials, the researchers reported that it attempts to exploit flaws in the miniigd SOAP service on Realtek SDK devices (CVE-2014-8361), Huawei HG532 routers (CVE-2017-17215), and exposed Hadoop YARN servers (CVE N/A). 

HinataBot supports multiple methods of communication, including both dialing out and listening for incoming connections. The botnet can launch distributed denial-of-service (DDoS) flooding attacks that relies on protocols such as HTTP, UDP, TCP, and ICMP to send traffic. However, the latest version of HinataBot only supports HTTP and UDP attacks.

Akamai said that by reverse engineering the bot and imitating the command and control (C2) server, was able to test the offensive capabilities of the botnet by running two attack methods (HTTP and UDP) in a 10-second period.

“The http_flood generated 3.4 MB of packet capture data and pushed 20,430 HTTP requests. The request sizes ranged from 484 to 589 bytes per request, with sizes varying mostly due to randomization of User-Agent and Cookie header data.” reads the report published by Akamai. “The udp_flood generated 6,733 packets for a total of 421 MB of packet capture data over the wire. There isn’t much else that’s interesting about this attack: it is volumetric in nature and seems to do a decent job of pushing volume.”

Test results show that a botnet composed of just 1,000 nodes can carry out a UDP flood that would weigh in at around 336 Gbps per second. A botnet of 10,000 nodes (which is roughly 6.9% of the size of Mirai at its peak) can generate a UDP flood that would weigh in at more than 3.3 Tbps. The HTTP flood at 1,000 nodes would generate roughly 2.7 Gbps and more than 2 Mrps, while with 10,000 nodes, those numbers jump to 27 Gbps delivering 20.4 Mrps.

HinataBot is the last bot in order of time to join the ever-growing list of emerging Go-based bots after GoBruteforcer and KmsdBot.

“The HinataBot family relies on old vulnerabilities and brute forcing weak passwords for distribution. This is yet another example of why strong password and patching policies are more critical than ever.” concludes Akamai that also privided Indicators of Compromise and YARA rules for this threat.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, HinataBot)

China-linked APT likely linked to Fortinet zero-day attacks

An alleged Chinese threat actor group is behind attacks on government organizations exploiting a Fortinet zero-day flaw (CVE-2022-41328).

A suspected China-linked group is exploiting a Fortinet zero-day vulnerability, tracked as CVE-2022-41328, in attacks aimed at government organizations.

A few days ago, Fortinet researchers warned of an advanced threat actor that is targeting governmental or government-related entities.

The unknown threat actor is exploiting a vulnerability in Fortinet FortiOS software, tracked as CVE-2022-41328, that may allow a privileged attacker to read and write arbitrary files via crafted CLI commands.

The CVE-2022-41328 vulnerability (CVSS score: 6.5) is a path traversal issue in FortiOS can can result in arbitrary code execution.

“A improper limitation of a pathname to a restricted directory vulnerability (‘path traversal’) [CWE-22] in FortiOS may allow a privileged attacker to read and write arbitrary files via crafted CLI commands.” reads the advisory published by Fortinet.

The vulnerability impacts FortiOS versions 6.0, 6.2, 6.4.0 through 6.4.11, 7.0.0 through 7.0.9, and 7.2.0 through 7.2.3. The company addressed the vulnerability with the release of versions 6.4.12, 7.0.10, and 7.2.4 respectively.

Fortinet launched an investigation into the attacks after the FortiGate devices of one customer suddenly halted and failed to reboot. The devices halted displaying the following error message:

“System enters error-mode due to FIPS error: Firmware Integrity self-test failed”

The failure of the integrity test blocks the reboot of the device to protect the integrity of the network.

Mandiant researchers linked a series of attacks that took place in mid-2022 to a China-linked threat actor tracked as UNC3886 by the security firm.

“a suspected China-nexus threat actor likely already had access to victim environments, and then deployed backdoors onto Fortinet and VMware solutions as a means of maintaining persistent access to the environments.” reads the report published by Mandiant. “This involved the use of a local zero-day vulnerability in FortiOS (CVE-2022-41328) and deployment of multiple custom malware families on Fortinet and VMware systems.”

The attackers exploited the CVE-2022-41328 zero-day to write files to FortiGate firewall disks outside of the normal bounds allowed with shell access, then they maintained persistent access with Super Administrator privileges within FortiGate Firewalls through ICMP port knocking.

Threat actors also bypassed the firewall rules active on FortiManager devices with a passive traffic redirection utility. The attackers also used a custom API endpoint created within the device to maintain persistence ùon FortiManager and FortiAnalyzer, then disabled OpenSSL 1.1.0 digital signature verification of system files through targeted corruption of boot files.

Once compromised the Fortinet devices, the threat actors established backdoor access using two previously undocumented malware, a Python-based Thincrust backdoor disguised as legitimate API calls and the ICMP port-knocking Castletap passive backdoor.

Once obtained access to the Fortinet devices, the attackers targeted ESXi servers to deploy malicious vSphere Installation Bundles which contained VIRTUALPITA and VIRTUALPIE backdoors. This allowed the attackers to maintain persistent access to the hypervisors and execute commands on guest virtual machines.

When FortiManager was not exposed to the Internet, the threat actors deployed a traffic redirector (Tableflip) and a passive backdoor (Reptile) to circumvent the new ACLs.

“many network appliances lack solutions to detect runtime modifications made to the underlying operating system and require direct involvement of the manufacturer to collect forensic images. Cross organizational communication and collaboration is key to providing both manufacturers with early notice of new attack methods in the wild before they are made public and investigators with expertise to better shed light on these new attacks.” concludes Mandiant.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet)