Unknown attackers used zero-day exploits to abuse a new FortiOS bug, patched this month, in attacks on government and large organizations that have led to OS and file corruption and data loss.
Fortinet released security updates on March 7, 2023, to address this high-severity security vulnerability (CVE-2022-41328) that allowed threat actors to execute unauthorized code or commands.
“An improper limitation of a pathname to a restricted directory vulnerability (‘path traversal’) [CWE-22] in FortiOS may allow a privileged attacker to read and write arbitrary files via crafted CLI commands,” the company says in the advisory.
The list of affected products includes FortiOS version 6.4.0 through 6.4.11, FortiOS version 7.0.0 through 7.0.9, FortiOS version 7.2.0 through 7.2.3, and all versions of FortiOS 6.0 and 6.2.
To patch the security flaw, admins have to upgrade vulnerable products to FortiOS version 6.4.12 and later, FortiOS version 7.0.10 and later, or FortiOS version 7.2.4 and above.
While the flaw’s advisory didn’t mention that the bug was exploited in the wild before patches were released, a Fortinet report published last week revealed that CVE-2022-41328 exploits had been used to hack and take down multiple FortiGate firewall devices belonging to one of its customers.
Data theft malware
The incident was discovered after compromised FortiGate devices shut down with “System enters error-mode due to FIPS error: Firmware Integrity self-test failed” messages and failed to boot again.
Fortinet says this happens because its FIPS-enabled devices verify system components’ integrity, and they are configured to automatically shut down and stop booting to block a network breach if a compromise is detected.
These FortiGate firewalls were breached via a FortiManager device on the victim’s network: all of them halted simultaneously, they were hacked using the same tactics, and the FortiGate path traversal exploit was launched at the same time as scripts were executed via FortiManager.
The subsequent investigation showed that the attackers modified the device firmware image (/sbin/init) to launch a payload (/bin/fgfm) before the boot process began.
This malware allows for data exfiltration, downloading and writing files, or opening remote shells when receiving an ICMP packet containing the “;7(Zu9YTsA7qQ#vm” string.
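The trigger described above (an ICMP packet whose data field carries the “;7(Zu9YTsA7qQ#vm” string) is something a defender can look for in captured traffic. The following is an added detection example, not code from Fortinet’s report: a minimal IPv4/ICMP parser over raw packets that flags any ICMP message carrying the trigger string while ignoring the same bytes in non-ICMP traffic; the sample packets are constructed here and their checksums are left zero.

```python
import struct

# Trigger string quoted in Fortinet's report for the /bin/fgfm implant
TRIGGER = b";7(Zu9YTsA7qQ#vm"
ICMP = 1  # IPv4 protocol number for ICMP

def parse_ipv4(frame: bytes):
    """Return (proto, src, dst, payload) for a raw IPv4 packet, or None if malformed."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    if ihl < 20 or total_len < ihl or len(frame) < total_len:
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    return frame[9], src, dst, frame[ihl:total_len]

def icmp_trigger_hits(packets):
    """Return (src, dst, icmp_type) for every ICMP packet whose data carries TRIGGER."""
    hits = []
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        if parsed is None:
            continue
        proto, src, dst, payload = parsed
        # Only ICMP counts; the 8-byte ICMP header precedes the data field
        if proto == ICMP and len(payload) >= 8 and TRIGGER in payload[8:]:
            hits.append((src, dst, payload[0]))
    return hits

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed packet builder for the sample traffic (checksums left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + payload

def icmp_echo(data: bytes) -> bytes:
    """ICMP echo request: type 8, code 0, zero checksum, id 1, seq 1, then data."""
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data

# Constructed sample traffic: an ordinary ping, an echo carrying the trigger,
# a TCP segment with the same bytes (not ICMP, must be ignored), and a
# truncated frame the parser must reject.
SAMPLE_PACKETS = [
    build_ipv4("10.0.0.5", "192.0.2.1", ICMP, icmp_echo(b"abcdefghijklmnop")),
    build_ipv4("198.51.100.7", "192.0.2.1", ICMP, icmp_echo(b"\x00" * 16 + TRIGGER)),
    build_ipv4("198.51.100.7", "192.0.2.1", 6, b"\x00" * 20 + TRIGGER),
    b"\x45\x00\x00",
]

if __name__ == "__main__":
    for src, dst, icmp_type in icmp_trigger_hits(SAMPLE_PACKETS):
        print(f"ALERT fgfm trigger: {src} -> {dst} (ICMP type {icmp_type})")
```

In practice the same check would run over packets pulled from a capture file or a sensor feed rather than the constructed list, and a hit should be correlated with the FIPS integrity-failure shutdowns described above.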
Zero-day used to attack government networks
Fortinet concluded that the attacks were highly targeted, with some evidence showing the threat actors favored government networks. The attackers have also demonstrated “advanced capabilities,” including reverse-engineering parts of the FortiGate devices’ operating system.
“The attack is highly targeted, with some hints of preferred governmental or government-related targets,” the company said.
“The exploit requires a deep understanding of FortiOS and the underlying hardware. Custom implants show that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS.”
Fortinet customers are advised to immediately upgrade to a patched version of FortiOS to block potential attack attempts (a list of IOCs is also available in Fortinet’s report).
In January, Fortinet disclosed a very similar series of incidents where a FortiOS SSL-VPN vulnerability patched in December 2022 and tracked as CVE-2022-42475 was also used as a zero-day bug to target government organizations and government-related entities.
The FortiOS SSL-VPN zero-day attacks share many similarities with a Chinese hacking campaign that infected unpatched SonicWall Secure Mobile Access (SMA) appliances with cyber-espionage malware that survives firmware upgrades.