A recently disclosed intrusion campaign, believed to be the work of a China-linked threat actor, targeted a European government entity and a managed service provider in Africa. The attackers exploited a vulnerability in the SSL-VPN component of Fortinet's FortiOS that Fortinet had only recently patched; evidence indicates that exploitation began as early as October 2022, roughly two months before the fix was released. According to Google-owned Mandiant, the incident fits China's established pattern of targeting internet-facing devices, particularly those used for managed security. The attackers deployed a custom backdoor tracked as BOLDMOVE, including a Linux variant tailored to run on Fortinet's FortiGate firewalls.
The vulnerability, CVE-2022-42475, is a heap-based buffer overflow in FortiOS SSL-VPN that allows an unauthenticated remote attacker to execute arbitrary code by sending specially crafted requests. The as-yet-unidentified attackers used it to target governments and large organizations. Mandiant's findings indicate that the threat actor used the flaw, still a zero-day at the time, to conduct espionage against the targeted networks. BOLDMOVE, the backdoor deployed in the attack, demonstrates an in-depth understanding of FortiOS systems, services, logging and proprietary file formats, according to Mandiant. The malware is written in C and exists in Windows and Linux variants; both can receive commands from a command-and-control server to perform file operations, spawn a remote shell and relay traffic. The Linux variant additionally includes functions to disable and manipulate the device's logging in order to evade detection, which means the appliance's own logs cannot be treated as a reliable sole source when investigating a suspected compromise. Exploiting zero-day vulnerabilities in networking devices and then installing custom implants is a pattern consistent with previous Chinese cyber operations.
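To make the vulnerability class concrete, the following is an added illustration written for this page; it is not FortiOS code and does not reproduce the actual CVE-2022-42475 bug, whose details the article does not cover. The wire format (a two-byte big-endian length followed by that many payload bytes), the FIELD_MAX limit and all function names are hypothetical. It shows the typical shape of a heap-based overflow in a request parser: the attacker-controlled length is checked against the packet but not against the fixed-size heap chunk it is copied into, and the hardened version rejects any length that exceeds the chunk before allocating or copying.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example of the heap-based buffer overflow class.
 * Not FortiOS code; hypothetical wire format:
 *   [2-byte big-endian declared_len][declared_len bytes of payload] */

#define FIELD_MAX 64   /* size of the heap chunk the parser allocates (hypothetical) */

/* Vulnerable parser: the bounds check keeps the read inside the packet,
 * but nothing keeps the write inside the FIELD_MAX-byte heap chunk, so a
 * request with declared_len > FIELD_MAX overwrites adjacent heap memory.
 * Do not call this with such input; it is here to show the defect. */
int parse_field_vulnerable(const uint8_t *req, size_t req_len,
                           char *out, size_t out_len)
{
    if (req_len < 2 || out_len == 0) return -1;
    size_t declared = ((size_t)req[0] << 8) | req[1];
    if (declared > req_len - 2) return -1;      /* inside the packet ... */

    char *buf = malloc(FIELD_MAX);
    if (buf == NULL) return -1;
    memcpy(buf, req + 2, declared);             /* ... but not inside the chunk */

    size_t n = declared < out_len - 1 ? declared : out_len - 1;
    memcpy(out, buf, n);
    out[n] = '\0';
    free(buf);
    return (int)declared;
}

/* Hardened parser: every attacker-controlled length is checked against
 * the packet, the heap chunk and the caller's buffer before any copy. */
int parse_field_hardened(const uint8_t *req, size_t req_len,
                         char *out, size_t out_len)
{
    if (req_len < 2 || out_len == 0) return -1;
    size_t declared = ((size_t)req[0] << 8) | req[1];
    if (declared > req_len - 2) return -1;      /* truncated packet */
    if (declared > FIELD_MAX) return -1;        /* would overflow the chunk */
    if (declared > out_len - 1) return -1;      /* would overflow the caller */

    char *buf = malloc(FIELD_MAX + 1);
    if (buf == NULL) return -1;
    memcpy(buf, req + 2, declared);
    buf[declared] = '\0';
    memcpy(out, buf, declared + 1);
    free(buf);
    return (int)declared;
}

/* Static view of the vulnerable logic: does a request with this declared
 * length pass the packet-bounds test yet exceed the heap chunk? */
int vulnerable_would_overflow(size_t declared, size_t req_len)
{
    return req_len >= 2 && declared <= req_len - 2 && declared > FIELD_MAX;
}

/* Build a constructed request carrying `declared` bytes of `fill`. */
size_t build_request(uint8_t *dst, size_t dst_len, size_t declared, char fill)
{
    if (declared > 0xFFFF || dst_len < 2 + declared) return 0;
    dst[0] = (uint8_t)(declared >> 8);
    dst[1] = (uint8_t)(declared & 0xFF);
    memset(dst + 2, (unsigned char)fill, declared);
    return 2 + declared;
}

/* Run one constructed request through the chosen parser; returns the
 * parser's result, or -2 if the request could not be built. */
int run_parser(int hardened, size_t declared)
{
    uint8_t req[1024];
    char out[256];
    size_t n = build_request(req, sizeof req, declared, 'A');
    if (n == 0) return -2;
    return hardened ? parse_field_hardened(req, n, out, sizeof out)
                    : parse_field_vulnerable(req, n, out, sizeof out);
}

int main(void)
{
    printf("hardened, 16-byte field:  %d\n", run_parser(1, 16));
    printf("hardened, 600-byte field: %d (rejected)\n", run_parser(1, 600));
    printf("vulnerable parser would overflow on 600-byte field: %d\n",
           vulnerable_would_overflow(600, 602));
    return 0;
}
```

The point the example makes is that a length check against the packet is not a length check against the allocation; the hardened version compares the declared length to the destination size, which is what turns a crafted request from a heap write into a rejected message.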