Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475)

Mandiant tracks a suspected China-nexus operation that exploited Fortinet FortiOS SSL-VPN CVE-2022-42475 as a zero-day, deploying a backdoor named BOLDMOVE on Windows and Linux and targeting internet-facing devices. The campaign highlights how such devices enable access, lateral movement, and C2 in high-value networks, underscoring patching and visibility gaps for externally facing infrastructure. #BOLDMOVE #CVE-2022-42475 #FortiOS #Fortinet #FortiGate #Mandiant #ChinaNexus

Key points

  • Mandiant identifies a new malware family, BOLDMOVE, tied to a China-nexus operation exploiting CVE-2022-42475 in FortiOS SSL-VPN.
  • Exploitation dates back to October 2022 with targets including a European government entity and an African managed service provider.
  • BOLDMOVE has Windows and Linux variants; the Linux version is designed to run on FortiGate firewalls, and an extended version also exists (MD5: 3191cb2e06e9a30792309813793f78b6).
  • The malware conducts system surveys, communicates with a hard-coded C2 IP, and can execute commands, spawn shells, and relay traffic for C2.
  • Past campaigns against networking devices (Pulse Secure, SonicWall) illustrate a long-standing pattern of exploiting internet-facing devices for espionage.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – FortiOS SSL-VPN CVE-2022-42475 exploited as a zero-day; ‘exploited a recently announced vulnerability in Fortinet’s FortiOS SSL-VPN, CVE-2022-42475, as a zero-day.’
  • [T1071.001] Web Protocols – C2 communication over SSL/TLS; ‘SSL encrypted communication to the C2 server.’
  • [T1082] System Information Discovery – system survey to collect information that identifies the infected machine to the C2; ‘performs a system survey to collect information that identifies the infected machine to the C2.’
  • [T1059] Command and Scripting Interpreter – executes shell commands on the infected host; ‘Executes a shell command and sends back the output.’
  • [T1573] Protocol Tunneling – tunnels commands and data to/from the C2; ‘tunneling commands in and data out of a network.’
  • [T1021] Remote Services – enables lateral movement within the network via the compromised device; ‘enable lateral movement further into a network and enable command and control (C2) by tunneling commands in and data out of a network.’

Indicators of Compromise

  • [IP] 139.180.128.142:443 – hard-coded C2 IP address and port used by the BOLDMOVE Linux variant
  • [MD5] 3191cb2e06e9a30792309813793f78b6 – MD5 hash for the extended BOLDMOVE version
  • [String] gbk, utf-8 – encoding indicators found in C2 survey buffers (Windows/Linux variants)
  • [String] Cora/c – hard-coded sample/campaign identifier mentioned in research
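As an added example (not code from the Mandiant report or from this summary), the Python helper below parses FortiGate-style key=value traffic log lines (the format and the sample lines are assumed and constructed), flags sessions to the hard-coded C2 socket listed above, and checks a set of file MD5s against the listed BOLDMOVE hash.

```python
import re

# Indicators taken from the summary above: the hard-coded C2 socket and the
# MD5 of the extended BOLDMOVE build. Everything else in this file is assumed.
BOLDMOVE_C2 = ("139.180.128.142", 443)
BOLDMOVE_MD5 = {"3191cb2e06e9a30792309813793f78b6"}

# FortiGate logs are key=value pairs; values may be double-quoted (assumed format).
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortigate_log(line: str) -> dict:
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def matches_c2(event: dict) -> bool:
    """True when the event's destination is the BOLDMOVE C2 IP and port.

    The summary describes the implant running on the firewall itself, so the
    source address is deliberately not filtered: a session originating from
    the device ("subtype=local" on FortiGate) is the interesting case.
    """
    return (event.get("dstip") == BOLDMOVE_C2[0]
            and event.get("dstport") == str(BOLDMOVE_C2[1]))


def triage(lines) -> list:
    """Return the parsed events whose destination is the C2 socket."""
    return [ev for ev in map(parse_fortigate_log, lines) if matches_c2(ev)]


def hash_hits(md5s) -> set:
    """Return the subset of the given MD5s (any case) that match the IoC list."""
    return {h.lower() for h in md5s} & BOLDMOVE_MD5


# Constructed sample lines (not real captures): one benign forward session and
# one session from the firewall itself to the C2 socket.
SAMPLE_LOGS = [
    'date=2022-12-12 time=10:00:01 devname="fgt01" type="traffic" subtype="forward" '
    'srcip=10.0.0.5 dstip=198.51.100.20 dstport=443 proto=6 action="accept"',
    'date=2022-12-12 time=10:00:07 devname="fgt01" type="traffic" subtype="local" '
    'srcip=203.0.113.10 dstip=139.180.128.142 dstport=443 proto=6 action="accept"',
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_LOGS):
        print("possible BOLDMOVE C2 contact:", ev["srcip"], "->",
              ev["dstip"], ev["dstport"], "subtype", ev["subtype"])
```

In practice the same functions run over exported traffic logs and over a file hash inventory from the device; a hit on either indicator warrants a full review of the appliance rather than just blocking the address.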

Read more: https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw