Fortinet says unknown attackers exploited a FortiOS SSL-VPN zero-day vulnerability patched last month in attacks against government organizations and government-related targets.
The security flaw (CVE-2022-42475) abused in these incidents is a heap-based buffer overflow weakness found in the FortiOS SSLVPNd that allowed unauthenticated attackers to crash targeted devices remotely or gain remote code execution.
The network security company urged customers in mid-December to patch their appliances against ongoing attacks exploiting this vulnerability after quietly fixing the bug on November 28 in FortiOS 7.2.3 (and without releasing information that it was a zero-day).
Customers were privately alerted of this issue on December 7 via a TLP:Amber advisory. More information was released publicly on December 12, including a warning that the bug was being actively exploited in attacks.
“Fortinet is aware of an instance where this vulnerability was exploited in the wild,” the company said at the time, recommending that admins immediately check their systems against the list of indicators of compromise shared in the advisory.
This Wednesday, Fortinet published a follow-up report revealing that attackers had used CVE-2022-42475 exploits to compromise FortiOS SSL-VPN appliances and deploy malware disguised as a trojanized version of the IPS Engine.
Zero-day used to target government networks
The company said the threat actor’s attacks were highly targeted, with evidence found during analysis showing a focus on government networks.
“The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets,” Fortinet said.
“The discovered Windows sample attributed to the attacker displayed artifacts of having been compiled on a machine in the UTC+8 timezone, which includes Australia, China, Russia, Singapore, and other Eastern Asian countries.”
The attackers focused heavily on maintaining persistence and evading detection, using the vulnerability to install malware that patches the FortiOS logging processes so that specific log entries can be removed, or that even kills the logging processes if necessary.
Additional payloads downloaded onto compromised appliances showed that the malware also broke the devices' Intrusion Prevention System (IPS) functionality, which is designed to detect threats by continuously monitoring network traffic and blocking attempted security violations.
“The malware patches the logging processes of FortiOS to manipulate logs to evade detection,” Fortinet said.
“The malware can manipulate log files. It searches for elog files, which are logs of events in FortiOS. After decompressing them in memory, it searches for a string the attacker specifies, deletes it, and reconstructs the logs.”
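As an added illustration of the log-scrubbing step quoted above (this is not Fortinet's code or a sample from its report), the following Python sketch runs the same decompress, filter, recompress cycle over a constructed, gzip-compressed event log, and then shows the one check that defeats it: comparing the appliance's local log against a copy that was forwarded off-box before the tampering happened. The gzip container, the field names and the log lines are assumptions for the example; the page does not describe the real elog format.

```python
import gzip

# Constructed sample event log in FortiOS-style key=value form.
# These lines and the IP address are made up for the example.
SAMPLE_LOG_LINES = [
    'date=2022-12-01 time=10:00:01 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7',
    'date=2022-12-01 time=10:00:03 type="event" subtype="vpn" action="ssl-new-con" remip=198.51.100.7',
    'date=2022-12-01 time=10:00:05 type="event" subtype="system" msg="Daemon restarted"',
    'date=2022-12-01 time=10:01:00 type="event" subtype="system" msg="Admin login successful" user="admin"',
]


def build_compressed_log(lines):
    """Assumption: the on-box log is gzip-compressed, newline-separated text."""
    return gzip.compress(("\n".join(lines) + "\n").encode())


def scrub_log(blob, needle):
    """Mimic the described scrubbing: decompress in memory, drop every line
    that contains the attacker-chosen string, and rebuild the compressed log.
    Returns (new_blob, number_of_lines_removed)."""
    text = gzip.decompress(blob).decode()
    kept, removed = [], 0
    for line in text.splitlines():
        if needle in line:
            removed += 1
        else:
            kept.append(line)
    return build_compressed_log(kept), removed


def lines_missing_locally(local_blob, offbox_lines):
    """Defender-side check: any line present in the off-box (e.g. remote
    syslog) copy but absent from the appliance's local log was removed
    locally. Uses a set, so duplicate lines in the off-box copy are not
    counted separately."""
    local_lines = set(gzip.decompress(local_blob).decode().splitlines())
    return [line for line in offbox_lines if line not in local_lines]


if __name__ == "__main__":
    original = build_compressed_log(SAMPLE_LOG_LINES)
    # The attacker removes every trace of the IP they connected from.
    scrubbed, removed = scrub_log(original, "198.51.100.7")
    print(f"removed {removed} line(s) from the local log")
    # The forwarded copy still has them, so the gap is visible.
    for line in lines_missing_locally(scrubbed, SAMPLE_LOG_LINES):
        print("missing locally:", line)
```

The practical point is that the scrubbing operates only on the appliance's own log store, so a copy shipped to a remote log collector at the time of the event is not affected; responders checking a device for the December activity should compare against that copy rather than trust the on-box logs alone.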
Fortinet warned that further malicious payloads were downloaded from a remote site during attacks but could not be retrieved for analysis.
The company concluded that the threat actor behind last month’s CVE-2022-42475 exploitation shows “advanced capabilities,” including the ability to reverse-engineer parts of the FortiOS operating system.
It also advised customers to immediately upgrade to a patched version of FortiOS to block attack attempts and reach out to Fortinet support if they find indicators of compromise linked to the December attacks.