An unknown threat actor abused a critical vulnerability in Fortinet’s FortiOS SSL-VPN to infect government and government-related organizations with advanced custom-made malware, the company said in an autopsy report on Wednesday.
Tracked as ??CVE-2022-42475, the vulnerability is a heap-based buffer overflow that allows hackers to remotely execute malicious code. It carries a severity rating of 9.8 out of a possible 10. A maker of network security software, Fortinet fixed the vulnerability in version 7.2.3 released on November 28 but failed to make any mention of the threat in the release notes it published at the time.
Mum’s the word
Fortinet didn’t disclose the vulnerability until December 12, when it warned that the vulnerability was under active exploit against at least one of its customers. The company urged customers to ensure they were running the patched version of the software and to search their networks for signs the vulnerability had been exploited on their networks. FortiOS SSL-VPNs are used mainly in border firewalls, which cordon off sensitive internal networks from the public Internet.
On Wednesday, Fortinet provided a more detailed account of the exploit activity and the threat actor behind it. The post, however, provided no explanation for the failure to disclose the vulnerability when it was fixed in November. A company spokesperson declined to answer questions sent by email about the failure or what the company’s policy is for disclosure of vulnerabilities.
“The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets,” Fortinet officials wrote in Wednesday’s update. They continued:
- The exploit requires a deep understanding of FortiOS and the underlying hardware.
- The use of custom implants shows that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS.
- The actor is highly targeted, with some hints of preferred governmental or government-related targets.
- The discovered Windows sample attributed to the attacker displayed artifacts of having been compiled on a machine in the UTC+8 timezone, which includes Australia, China, Russia, Singapore, and other Eastern Asian countries.
- The self-signed certificates created by the attackers were all created between 3 and 8 am UTC. However, it is difficult to draw any conclusions from this given hackers do not necessarily operate during office hours and will often operate during victim office hours to help obfuscate their activity with general network traffic.
An analysis Fortinet performed on one of the infected servers showed that the threat actor used the vulnerability to install a variant of a known Linux-based implant that had been customized to run on top of the FortiOS. To remain undetected, the post-exploit malware disabled certain logging events once it was installed. The implant was installed in /data/lib/libips.bak path. The file may be masquerading as part of Fortinet’s IPS Engine, located at /data/lib/libips.so. The file /data/lib/libips.so was also present but had a file size of zero.
After emulating the implant’s execution, Fortinet researchers discovered a unique string of bytes in its communication with command-and-control servers that can be used for a signature in intrusion-prevention systems. The buffer “\x00\x0C\x08http/1.1\x02h2\x00\x00\x00\x14\x00\x12\x00\x00\x0Fwww.example.com” (unescaped) will appear inside the “Client Hello” packet.
Other signs a server has been targeted include connections to a variety of IP addresses, including 103[.]131[.]189[.]143, and the following TCP sessions:
- Connections to the FortiGate on port 443
- Get request for /remote/login/lang=en
- Post request to remote/error
- Get request to payloads
- Connection to execute command on the FortiGate
- Interactive shell session.
The autopsy includes a variety of other indicators of compromise. Organizations that use the FortiOS SSL-VPN should read it carefully and inspect their networks for any signs they’ve been targeted or infected.
As noted earlier, the autopsy fails to explain why Fortinet didn’t disclose CVE-2022-42475 until after it was under active exploit. The failure is particularly acute given the severity of the vulnerability. Disclosures are crucial because they help users prioritize the installation of patches. When a new version fixes minor bugs, many organizations often wait to install it. When it fixes a vulnerability with a 9.8 severity rating, they’re much more likely to expedite the update process.
In lieu of answering questions about the lack of disclosure, Fortinet officials provided the following statement:
We are committed to the security of our customers. In December 2022, Fortinet distributed a PSIRT advisory (FG-IR-22-398) that detailed mitigation guidance and recommended next steps regarding CVE-2022-42475. We notified customers via the PSIRT Advisory process and advised them to follow the guidance provided and, as part of our ongoing commitment to the security of our customers, continue to monitor the situation. Today, we shared additional extended research regarding CVE-2022-42475. For more information, please visit the blog.
The company said additional malicious payloads used in the attacks couldn’t be retrieved.