The article analyzes Fortinet FortiOS vulnerability FG-IR-22-369 (CVE-2022-41328) and its targeted exploitation of FortiGate and FortiManager devices, revealing multiple IoCs and several malware components used for persistence and control. The findings indicate an advanced, government-focused actor delivering scripts and malicious implants via FortiManager to achieve remote access, data exfiltration, and other commands. #Fgfm #Klogd #Smit #Localnet #FortiGate #FortiManager #CVE-2022-41328
Keypoints
- Fortinet published FG-IR-22-369 (CVE-2022-41328) detailing IoCs tied to a targeted FortiOS exploit.
- The incident appears driven by an advanced actor focused on government or government-related targets.
- Compromise involved firmware image changes on FortiGate, including /sbin/init modification and a new /bin/fgfm file for persistence.
- FortiManager was used to deliver and execute scripts on FortiGate devices, with evidence of a path traversal exploit and FortiManager script execution.
- Malware components include fgfm, auth, klogd, smit, localnet, Urls.py, and views.py, each with distinct persistence and control roles.
- ICMP-based reverse-connect behavior (fgfm) and various network/iptables actions demonstrate multi-layer C2 and command capabilities.
- IoCs include a network IP, multiple file hashes, and log strings indicating upload/run-script activity.
MITRE Techniques
- [T1543.003] Modify Boot or Logon Initialization Scripts – The modified /sbin/init launches /bin/fgfm before normal boot continues: “The modification to /sbin/init ensures that /bin/fgfm, which may provide an attacker with persistent access and control, runs before proceeding with regular boot-up actions.”
- [T1059.004] Command and Scripting Interpreter: Unix Shell – “The exact iptables shell commands executed by the malware piece are shown below.”
- [T1095] Non-Application Layer Protocol – The malware uses ICMP for C2 with a reverse-connect shell: “Fgfm scrutinizes ICMP packets. Whenever an ICMP packet contains the string ‘;7(Zu9YTsA7qQ#vm’, it knows it’s a ping from the attacker and must extract an IP address from the packet.”
- [T1505.003] Web Shell – FortiManager’s Django components are modified to expose web endpoints (Urls.py) that allow remote code execution via cookies; “Urls.py & Views.py” describes exposing the endpoint and remote command capabilities.
- [T1041] Exfiltration – The malware capabilities include “Data exfiltration” as part of its command set from the C2 server.
- [T1105] Ingress Tool Transfer – Path traversal could be used to upload arbitrary files to FortiGate via a TFTP server, providing the initial tool delivery channel: “path traversal exploit would allow arbitrary files to be uploaded to the FortiGate via a TFTP server at the path specified.”
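The ICMP trigger described under T1095 and the network indicator listed below can be turned into a simple packet check. The following is an added detection example written for this summary, not code from Fortinet or from the analyzed malware: it parses raw IPv4/ICMP packets and flags any whose payload carries the reported marker string or whose endpoints match the listed IoC address. The sample packets are constructed in the block itself; the helper names and the filler payloads are assumptions.

```python
import ipaddress
import struct

# Marker string the analysis reports fgfm looking for inside ICMP payloads.
FGFM_ICMP_MARKER = b";7(Zu9YTsA7qQ#vm"
# Network indicator listed in the IoC section of this summary.
IOC_IPS = {"47.252.20.90"}


def parse_ipv4_icmp(frame: bytes):
    """Return (src, dst, icmp_type, payload) for an IPv4/ICMP packet, else None."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4                      # header length in bytes
    total_len = struct.unpack("!H", frame[2:4])[0]
    proto = frame[9]
    if proto != 1 or len(frame) < ihl + 8:           # 1 = ICMP, 8 = ICMP header size
        return None
    src = str(ipaddress.IPv4Address(frame[12:16]))
    dst = str(ipaddress.IPv4Address(frame[16:20]))
    icmp_type = frame[ihl]
    payload = frame[ihl + 8:total_len]
    return src, dst, icmp_type, payload


def inspect_packet(frame: bytes) -> list:
    """Return a list of alert strings for one raw packet (empty if nothing matched)."""
    parsed = parse_ipv4_icmp(frame)
    if parsed is None:
        return []
    src, dst, icmp_type, payload = parsed
    alerts = []
    if FGFM_ICMP_MARKER in payload:
        alerts.append(f"fgfm ICMP marker from {src} to {dst} (type {icmp_type})")
    if src in IOC_IPS or dst in IOC_IPS:
        alerts.append(f"traffic with IoC address {src}->{dst}")
    return alerts


def scan(packets) -> list:
    """Run inspect_packet over an iterable of raw packets and collect all alerts."""
    alerts = []
    for frame in packets:
        alerts.extend(inspect_packet(frame))
    return alerts


def build_icmp_echo(src: str, dst: str, payload: bytes) -> bytes:
    """Construct a minimal IPv4 + ICMP echo-request packet (checksums left zero) for testing."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    icmp_hdr = struct.pack("!BBHHH", 8, 0, 0, 1, 1)   # echo request, id 1, seq 1
    return ip_hdr + icmp_hdr + payload


# Constructed sample traffic: one benign ping, one carrying the marker, one to the IoC IP.
SAMPLE_PACKETS = [
    build_icmp_echo("192.0.2.10", "198.51.100.1", b"normal ping payload"),
    build_icmp_echo("203.0.113.7", "198.51.100.1", b"xx" + FGFM_ICMP_MARKER + b"xx"),
    build_icmp_echo("47.252.20.90", "198.51.100.1", b"hello"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_PACKETS):
        print(line)
```

In practice `scan` would be fed frames read from a capture file or a raw socket on a monitoring host; the marker match is a high-confidence signal because the string is not something a legitimate ping would carry.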
Indicators of Compromise
- [Network] 47.252.20.90 – observed in FortiGate/FortiManager communications related to the incident.
- [File Hash] Auth – b6e92149efaf78e9ce7552297505b9d5, and 2 more hashes
- [File Hash] Klogd – 53a69adac914808eced2bf8155a7512d, and 1 more hash
- [File Hash] Smit – e3f342c212bb8a0a56f63490bf00ca0c, and 1 more hash
- [File Hash] Localnet – 88711ebc99e1390f1ce2f42a6de0654d, and 1 more hash
- [File Hash] Urls.py – 64bdf7a631bc76b01b985f1d46b35ea6
- [File Hash] Views.py – 3e43511c4f7f551290292394c4e21de7
- [File Hash] Fgfm – e2d2884869f48f40b32fb27cc3bdefff
Read more: https://www.fortinet.com/blog/psirt-blogs/fg-ir-22-369-psirt-analysis