Threat actors target govt networks exploiting Fortinet SSL-VPN CVE-2022-42475 bug

Pierluigi Paganini January 13, 2023

Recently patched Fortinet FortiOS SSL-VPN zero-day exploited in attacks against government organizations and government-related targets.

Fortinet researchers reported how threat actors exploited the recently patched FortiOS SSL-VPN vulnerability (CVE-2022-42475) in attacks against government organizations and government-related targets. According to Resecurity, a cybersecurity company protecting Fortune 500 globally, the vulnerability was earlier marketed privately by several underground brokers in the Dark Web, and used for targeted network intrusions. Significant network activity has been identified originating from APAC and South East Asia specifically.

In December, the security vendor urged its customers to update their installs to address an actively exploited FortiOS SSL-VPN vulnerability, tracked as CVE-2022-42475, that could be exploited by an unauthenticated, remote attacker to execute arbitrary code on devices.

The CVE-2022-42475 flaw is a heap-based buffer overflow weakness that resides in FortiOS sslvpnd that allowed unauthenticated attackers to crash targeted devices remotely or gain remote code execution

“A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.” reads the advisory published by the security vendor. “Fortinet is aware of an instance where this vulnerability was exploited in the wild,”

Fortinet addressed the issue with the release of FortiOS 7.2.3.

According to the experts, the threat actor behind the attacks is a sophisticated attacker due to the complexity of the exploit. The attackers exploited the flaw to deliver a variant of a generic Linux implant customized for FortiOS.

The malicious binary was located at /data/lib/libips.bak, attackers masquerade the malware as a component of Fortinet’s IPS Engine, located at /data/lib/libips.so.

“Libips.bak exports the functions ips_so_patch_urldb and ips_so_query_interface. These are the same exports in the clean IPS engine binary, libips.so. Both exported functions lead to the same malicious code. If libps.bak is named libips.so in the /data/lib directory, the malicious code will be executed automatically as components of FortiOS will call these exported functions.” reads the report published by Fortinet. “The binary does not attempt to return to the clean IPS engine code, so IPS functionality is also compromised.”

Post-incident meta data investigation allowed the experts to uncover an additional IoC, the IP address 185[.]174[.]136[.]20. A folder on the server was containing binaries built specifically to target FortiGate hardware versions.

Then the researchers created a set of Yara rules to hunt for similar file samples and identified the /var/w samples. The execution of these files was observed in the PCAPs but not obtained directly from the file system.

The analysis of the /var/w files samples revealed that threat actors use advanced capabilities to manipulate FortiOS logging, such as:

  • The malware patches the logging processesof FortiOS to manipulate logs to evade detection. – /bin/miglogd & /bin/syslogd
  • It includes offsets and opcodes for 27 FortiGate models and version pairs. The malware opens a handle to the processes and injects data into them.
    • Versions range from 6.0.5 to 7.2.1
    • Models are FG100F, FG101F, FG200D, FG200E, FG201F, FG240D, FG3H0E, FG5H0E, FG6H1E, FG800D, FGT5HD, FGT60F, FGT80F.
  • The malware can manipulate log files. It searches for elog files, which are logs of events in FortiOS. After decompressing them in memory, it searches for a string the attacker specifies, deletes it, and reconstructs the logs.
  • The malware can also kill the logging processes.

A Windows sample analyzed by the experts were compiled on a machine in the UTC+8 timezone, which includes Australia, China, Russia, Singapore, and other Eastern Asian countries.

“The self-signed certificates created by the attackers were all created between 3 and 8 AM UTC. However, it is difficult to draw any conclusions from this given hackers do not nessesarily operate during office hours and will often operate during victim office hours to help obfuscate their activity with general network traffic.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment