The Importance of Patching: An Analysis of the Exploitation of N-Day Vulnerabilities | Fortinet Blog

Fortinet analyzes the exploitation of known (N-day) Fortinet vulnerabilities in FortiOS, detailing four clusters of malware activity that use living-off-the-land techniques and persistence mechanisms to target government and critical infrastructure. The report links part of the activity to Volt Typhoon, notes overlaps with the Rekoobe backdoor (associated with APT31) and other actors, and emphasizes immediate patching and sound cyber hygiene. #VoltTyphoon #Rekoobe #APT31 #UNC757

Keypoints

  • The analysis centers on exploitation of N-day FortiOS vulnerabilities (e.g., the SSL-VPN flaws CVE-2022-42475 and CVE-2023-27997), i.e., bugs for which Fortinet had already published fixes that the victim devices had not yet applied.
  • All four clusters use ld.so.preload, the loader-wide equivalent of LD_PRELOAD, to force malicious shared objects into legitimate processes for persistence and execution.
  • Cluster malware drops multiple components (e.g., tftpd, libaprhelper.so, libunwind.1.so, httpdng, ketg) and uses process injection and file timestomping for stealth.
  • Persistence often hinges on masquerading as, and tampering with, FortiOS binaries (e.g., replacing the /bin/smit symlink with a malicious binary, and modifying ld.so.preload).
  • Remote access capabilities appear via ptyagent and related tools to provide a remote shell or command execution.
  • Attribution hints point to Volt Typhoon (MITRE G1017), with possible links to the Rekoobe backdoor (associated with APT31) and other groups; one cluster overlaps with activity that CISA has attributed to UNC757.
  • The report stresses robust patch management, minimized attack surface, and ongoing Fortinet advisories as key defenses.

MITRE Techniques

  • [T1574.006] Hijack Execution Flow: Dynamic Linker Hijacking – ld.so.preload-based persistence and execution (LD_PRELOAD is the per-process form; ld.so.preload applies to every dynamically linked process on the box): “/data/etc/ld.so.preload contained the string /data2/libcrashpad.so”; the other clusters carry similar preload indicators.
  • [T1070.006] Timestomp – Anti-forensics by modifying file timestamps: “Perform timestomping on files to evade detection and as an anti-forensics technique”
  • [T1055] Process Injection – Injecting into legitimate FortiOS processes via shared libraries: “Libaprhelper.so hooks the system calls accept and accept4 in the process’ Procedure Linkage Table… drops /lib/libaprhelper.so and injects it into the sslvpnd process.” Hooking accept/accept4 inside sslvpnd puts the implant in front of every new SSL-VPN connection before the daemon itself handles it.
  • [T1036] Masquerading – Hiding activity by using legitimate-looking names and links: “On a clean FortiOS system, /bin/smit is a symbolic link to /bin/init… malicious smit binary retains the normal FortiOS function to hide its presence by forking a child process”
  • [T1059.004] Unix Shell – Remote shell capabilities via ptyagent and shell execution: “Ptyagent may serve as a remote shell. It can create and listen to a network socket. It will also execute /bin/bash or /bin/sh”
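The three on-disk traces listed above (an ld.so.preload entry, a /bin/smit that is no longer a symlink to /bin/init, and a library whose modification time has been backdated) can be triaged from an offline copy of the filesystem. The following script is an added example written for this summary, not code from the Fortinet report; it runs over a constructed inode listing, and the thresholds, the assumption that a clean FortiOS ships no ld.so.preload entries, and the /bin/smit expectation taken from the report's own description are assumptions, not Fortinet guidance.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

NS = 1_000_000_000
CLEAN_SMIT_TARGET = "/bin/init"          # per the report: /bin/smit -> /bin/init on a clean system
TIMESTOMP_GAP_NS = 7 * 24 * 3600 * NS   # assumption: >1 week of mtime/ctime skew is worth a look


@dataclass
class Entry:
    """One inode as a responder would record it from an offline copy of the filesystem."""
    path: str
    is_symlink: bool = False
    target: Optional[str] = None       # symlink target, if is_symlink
    content: Optional[str] = None      # text of small config files such as ld.so.preload
    mtime_ns: int = 0                  # last data modification (settable via utime())
    ctime_ns: int = 0                  # last inode change (kernel-maintained, not settable)


def preload_entries(content: str) -> List[str]:
    """Parse ld.so.preload the way the dynamic loader does: whitespace-separated
    library paths, with '#' starting a comment that runs to end of line."""
    out: List[str] = []
    for line in content.splitlines():
        out.extend(line.split("#", 1)[0].split())
    return out


def check_preload(e: Entry) -> List[Tuple[str, str, str]]:
    """T1574.006: any entry forces the library into every dynamically linked process."""
    if e.content is None or not e.path.endswith("ld.so.preload"):
        return []
    # Assumption: FortiOS ships no ld.so.preload entries, so every entry is a lead.
    return [("T1574.006", e.path, f"forces load of {lib}") for lib in preload_entries(e.content)]


def check_smit(e: Entry) -> List[Tuple[str, str, str]]:
    """T1036: /bin/smit must be a symlink to /bin/init, not a standalone binary."""
    if e.path != "/bin/smit":
        return []
    if not e.is_symlink:
        return [("T1036", e.path, f"regular file; expected symlink to {CLEAN_SMIT_TARGET}")]
    if e.target != CLEAN_SMIT_TARGET:
        return [("T1036", e.path, f"symlink to {e.target}; expected {CLEAN_SMIT_TARGET}")]
    return []


def check_timestomp(e: Entry) -> List[Tuple[str, str, str]]:
    """T1070.006: utime()-style backdating sets mtime but cannot set ctime."""
    if e.is_symlink or e.mtime_ns == 0:
        return []
    reasons = []
    # A fresh ctime beside an old mtime is the classic trace; cp -p and archive
    # extraction leave the same pattern, so treat it as a lead, not proof.
    if e.ctime_ns - e.mtime_ns > TIMESTOMP_GAP_NS:
        reasons.append("ctime far later than mtime")
    # touch -d / utime() with a second-resolution timestamp leaves zero nanoseconds.
    if e.mtime_ns % NS == 0 and e.ctime_ns % NS != 0:
        reasons.append("whole-second mtime beside sub-second ctime")
    return [("T1070.006", e.path, "; ".join(reasons))] if reasons else []


def triage(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Run every check over the listing and return (technique, path, detail) findings."""
    findings: List[Tuple[str, str, str]] = []
    for e in entries:
        findings += check_preload(e) + check_smit(e) + check_timestomp(e)
    return findings


# Constructed snapshot (not data from the report): one clean binary, a preload
# entry in the form the report quotes, a replaced /bin/smit and a backdated library.
SAMPLE = [
    Entry("/bin/init", mtime_ns=1_690_000_000 * NS + 412_000_000,
          ctime_ns=1_690_000_000 * NS + 412_000_000),
    Entry("/data/etc/ld.so.preload", content="/data2/libcrashpad.so\n",
          mtime_ns=1_705_000_000 * NS + 33_100_000, ctime_ns=1_705_000_000 * NS + 33_100_000),
    Entry("/bin/smit", is_symlink=False, mtime_ns=1_705_000_100 * NS + 250_000_000,
          ctime_ns=1_705_000_100 * NS + 250_000_000),
    Entry("/data2/libcrashpad.so", mtime_ns=1_690_000_000 * NS,
          ctime_ns=1_705_000_200 * NS + 77_000_000),
]

if __name__ == "__main__":
    for technique, path, detail in triage(SAMPLE):
        print(f"{technique}  {path}: {detail}")
```

The ctime check is the one worth internalizing: a backdoor can set mtime and atime with utime(), but ctime is written by the kernel on every inode change and has no userland setter, so a freshly dropped file with an old mtime keeps a new ctime unless the attacker also edits the filesystem directly. On a FortiOS device the listing would have to come from an image or a vendor-assisted collection, since the appliance does not expose an arbitrary shell.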

Indicators of Compromise

  • [File Path] – lamb_to_the_slaughter_story.pdf, ld.preeload, data2/flatkc_info, data2/new_alert_info, /bin/httpsclid, /bin/httpsng, /data2/fortlinkd, /data2/liblink.so.1, /tmp/ptyagent, /bin/smit
  • [File Hash] – MD5: a9fcd43714f33da1711dfb651fae5b17, MD5: 210fcaa8bf95c3c861ee49cca59a7a3d
  • [IP Address] – 146.185.214.63 (server contacted by the malware in the Cluster 4 investigation)

Read more: https://www.fortinet.com/blog/psirt-blogs/importance-of-patching-an-analysis-of-the-exploitation-of-n-day-vulnerabilities