Analysis of FG-IR-22-398 – FortiOS – heap-based buffer overflow in SSLVPNd | Fortinet Blog

Fortinet’s analysis details a targeted FortiOS SSL-VPN heap overflow (CVE-2022-42475) used to deploy a Linux implant masquerading as an IPS component. The write-up covers malware behavior, IoCs, C2 infrastructure, affected FortiGate models/versions, and recommended mitigations. #CVE202242475 #FortiOS

Keypoints

  • New IoCs linked to FG-IR-22-398 / CVE-2022-42475 indicate an advanced, highly targeted actor.
  • The malware is a Linux FortiOS implant masquerading as a Fortinet IPS component (libips.bak) that can become libips.so in the FortiOS filesystem.
  • Once deployed, the sample patches the FortiOS logging processes and injects into other FortiOS processes to evade detection and maintain persistence.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The FortiOS SSL-VPN heap overflow vulnerability is exploited to deliver an implant. – “The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets.”
  • [T1055] Process Injection – The malware opens a handle to FortiOS processes and injects data into them. – “The malware opens a handle to the processes and injects data into them.”
  • [T1070] Indicator Removal on Host – The malware patches FortiOS logging to manipulate logs to evade detection. – “The malware patches the logging processes of FortiOS to manipulate logs to evade detection.”
  • [T1059.004] Unix Shell – An interactive shell session is observed during C2 activity. – “TCP stream 1894 contained the connection made to … listening on port 30443, which was an interactive shell session.”
  • [T1071.001] Web Protocols – TLS-based C2 channel with distinctive TLS/Client Hello behavior. – “This string detects the TLS traffic by the TLS request header.” and “The buffer … should appear inside the ‘Client Hello’ packet.”

Indicators of Compromise

  • [File] context – libips.bak, libgif.so, and 2 more items
  • [IP] context – 103.131.189.143, 188.34.130.40
  • [MD5 Hash] context – f68c3f72270800ea675889e82bb02fb8, e3f640d8785c0c864739529889b1863a
  • [JA3 Fingerprint] context – bf2b95ac267823f6588b2436bc537b26
  • [Config File] context – wxd.conf
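The TLS-based C2 channel above is fingerprinted by JA3, and the IoC list gives the JA3 hash, the C2 IPs and the sample MD5s. The following is an added example, not code from the Fortinet write-up: it builds a constructed Client Hello (zeroed random, a hypothetical SNI of c2.example, GREASE values sprinkled in), derives the JA3 string and hash from the raw record with GREASE filtered out per the JA3 convention, and matches a session or file against the indicators quoted on this page. The Client Hello contents are constructed sample data and are not the implant's traffic; the elided "buffer" the page says appears inside the Client Hello is not known here and is not modelled.

```python
"""JA3 fingerprinting of a TLS Client Hello, matched against the IoCs listed above."""
import hashlib
import struct

# Indicators copied from the page above (JA3, C2 IPs, sample MD5s).
IOC_JA3 = {"bf2b95ac267823f6588b2436bc537b26"}
IOC_IPS = {"103.131.189.143", "188.34.130.40"}
IOC_MD5 = {"f68c3f72270800ea675889e82bb02fb8", "e3f640d8785c0c864739529889b1863a"}

# RFC 8701 GREASE values (0x0a0a, 0x1a1a, ... 0xfafa); JA3 drops them so the hash is stable.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def _u16(v):
    return struct.pack("!H", v)


def _vec(data, size):
    """Length-prefixed vector with a `size`-byte big-endian length field."""
    return len(data).to_bytes(size, "big") + data


def build_client_hello(ciphers, extensions, groups, point_formats, version=0x0303):
    """Build a minimal TLS record carrying a Client Hello (constructed test data only)."""
    ext_blob = b""
    for ext_type in extensions:
        if ext_type == 0x000A:                      # supported_groups
            body = _vec(b"".join(_u16(g) for g in groups), 2)
        elif ext_type == 0x000B:                    # ec_point_formats
            body = _vec(bytes(point_formats), 1)
        elif ext_type == 0x0000:                    # server_name (hypothetical host)
            body = _vec(b"\x00" + _vec(b"c2.example", 2), 2)
        elif ext_type == 0x000D:                    # signature_algorithms
            body = _vec(_u16(0x0403) + _u16(0x0804), 2)
        elif ext_type == 0x002B:                    # supported_versions: TLS 1.3
            body = _vec(_u16(0x0304), 1)
        else:                                       # GREASE / flag extensions: empty body
            body = b""
        ext_blob += _u16(ext_type) + _vec(body, 2)
    hello = (_u16(version) + bytes(32)              # client_version, random (zeroed here)
             + _vec(b"", 1)                         # empty session_id
             + _vec(b"".join(_u16(c) for c in ciphers), 2)
             + _vec(b"\x00", 1)                     # compression: null only
             + _vec(ext_blob, 2))
    handshake = b"\x01" + _vec(hello, 3)            # HandshakeType client_hello
    return b"\x16\x03\x01" + _vec(handshake, 2)     # ContentType handshake


def _dash(values):
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(record):
    """Derive 'version,ciphers,extensions,groups,point_formats' from a raw TLS record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a Client Hello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    version = int.from_bytes(body[0:2], "big")
    pos = 2 + 32                                    # skip random
    pos += 1 + body[pos]                            # skip session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    ciphers = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                            # skip compression methods
    ext_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    end = pos + ext_len
    exts, groups, formats = [], [], []
    while pos + 4 <= end:
        etype = int.from_bytes(body[pos:pos + 2], "big")
        elen = int.from_bytes(body[pos + 2:pos + 4], "big")
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype in GREASE:
            continue
        exts.append(etype)
        if etype == 0x000A:
            n = int.from_bytes(edata[0:2], "big")
            groups = [int.from_bytes(edata[i:i + 2], "big") for i in range(2, 2 + n, 2)]
        elif etype == 0x000B:
            formats = list(edata[1:1 + edata[0]])
    return f"{version},{_dash(ciphers)},{_dash(exts)},{_dash(groups)},{_dash(formats)}"


def ja3_hash(record):
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


def match_iocs(record, peer_ip, file_md5=None):
    """Return the set of IoC classes from the page that a session (and optional file) hits."""
    hits = set()
    if ja3_hash(record) in IOC_JA3:
        hits.add("ja3")
    if peer_ip in IOC_IPS:
        hits.add("ip")
    if file_md5 in IOC_MD5:
        hits.add("md5")
    return hits


# Constructed sample: GREASE cipher/extension/group present, to show they are filtered.
SAMPLE = build_client_hello(
    ciphers=[0x0A0A, 0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F],
    extensions=[0x1A1A, 0x0000, 0x000A, 0x000B, 0x000D, 0x0017, 0x002B],
    groups=[0x2A2A, 0x001D, 0x0017, 0x0018],
    point_formats=[0],
)

if __name__ == "__main__":
    print(ja3_string(SAMPLE), ja3_hash(SAMPLE))
    print(match_iocs(SAMPLE, "188.34.130.40", "f68c3f72270800ea675889e82bb02fb8"))
```

On a real capture, feed the first record of each client-to-server TLS stream to `ja3_hash` and compare against the page's JA3 alongside the peer IP; a JA3 hit alone is a weak signal (other clients can share a fingerprint), so it is most useful when combined with the C2 IPs or a file hash from the same host.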

Read more: https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-22-398-fortios-heap-based-buffer-overflow-in-sslvpnd