Security experts at Mandiant have uncovered an advanced malware strain that is circulating in the wild and is adept at targeting Fortinet’s FortiGate firewalls.
The malware, dubbed “BoldMove” by security researchers, is believed to hail from a Chinese cyber espionage group. According to reports, the malware is familiar with Fortinet’s FortiOS SSL-VPN technology and can exploit a recent zero-day vulnerability (CVE-2022-42475).
Sources suggest that the BoldMove malware started its activities in October 2022 and was first detected in December 2022. At the time of writing, two victims of the malware were reported — a government entity in Europe and a managed services provider in Africa.
BoldMove is reportedly written in the C language and comes in two variants — a Windows version and a Linux version.
FortiOS is a network security operating system used by Fortinet’s FortiGate firewall appliances. It provides a wide range of security and networking features, including a firewall, VPN, antivirus, intrusion prevention, web filtering, and more.
FortiOS can be managed through a web-based interface or the FortiOS Command Line Interface (CLI). FortiOS supports various platforms, including physical, virtual, and cloud-based deployment options.
How BoldMove operates
According to the research report, the malware first attempts to connect with the victim’s device to collect information about the system. The operation then continues with an infiltration step and, finally, a connection to a “hardcoded” command-and-control server.
Once these two procedures are completed, the malware allows the threat actor to gain full access to the targeted FortiOS device.
The BoldMove malware is known for its ability to download additional files or open a reverse shell and for its unique features that target specific aspects of FortiOS.
This, according to experts, showcases a deep understanding of the inner workings of Fortinet devices.
Furthermore, it is noteworthy that the Linux variant of the malware has been optimized to work efficiently on devices with lower processing power.
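The behaviour described above, an appliance that itself opens sessions to a hardcoded command-and-control server and pulls down additional files, is something a defender can look for in the firewall’s own traffic logs. The following is an added example, not code from the article or from Mandiant: it parses constructed key=value log lines in the style of FortiOS traffic logs (the field names, the appliance address 10.0.0.1 and the allowlisted update host are all assumptions for illustration) and flags sessions the appliance initiates on its own behalf to hosts that are not on an allowlist of expected vendor or telemetry destinations. A FortiGate normally forwards traffic rather than originating it, so repeated appliance-initiated sessions to one unexpected host are worth investigating.

```python
"""
Added example (not from the article or Mandiant): flag sessions that a
firewall appliance initiates itself to non-allowlisted hosts, which is
the C2 beaconing pattern the article attributes to BoldMove.
"""
import re
from dataclasses import dataclass

# Constructed sample log lines (not real telemetry). The key=value layout
# mimics FortiOS traffic logs; the exact field names are assumptions.
SAMPLE_LOGS = [
    'date=2022-12-13 time=03:14:07 type=traffic subtype=forward srcip=10.0.5.22 dstip=93.184.216.34 dstport=443 proto=6 action=accept',
    'date=2022-12-13 time=03:14:09 type=traffic subtype=local srcip=10.0.0.1 dstip=203.0.113.7 dstport=443 proto=6 action=accept',
    'date=2022-12-13 time=03:14:11 type=traffic subtype=local srcip=10.0.0.1 dstip=192.0.2.10 dstport=443 proto=6 action=accept',
    'date=2022-12-13 time=03:15:00 type=traffic subtype=local srcip=10.0.0.1 dstip=203.0.113.7 dstport=443 proto=6 action=accept',
    'date=2022-12-13 time=03:16:30 type=traffic subtype=local srcip=10.0.0.1 dstip=198.51.100.4 dstport=4444 proto=6 action=accept',
]

APPLIANCE_IPS = {"10.0.0.1"}    # the FortiGate's own addresses (assumed)
ALLOWED_DESTS = {"192.0.2.10"}  # expected vendor update/telemetry hosts (assumed)

# key=value pairs; quoted values may contain spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Finding:
    when: str
    dstip: str
    dstport: int
    reason: str


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def find_appliance_initiated(lines, appliance_ips=APPLIANCE_IPS, allowed=ALLOWED_DESTS):
    """Return sessions whose source is the appliance itself and whose
    destination is not an allowlisted host."""
    findings = []
    for line in lines:
        f = parse_line(line)
        if f.get("type") != "traffic":
            continue
        src, dst = f.get("srcip"), f.get("dstip")
        if src not in appliance_ips or dst in allowed:
            continue
        port = int(f.get("dstport", "0"))
        reason = "appliance-initiated session to non-allowlisted host"
        if port not in (80, 443):
            # a non-web port from the appliance itself is even less expected
            reason += " on unusual port"
        findings.append(Finding(f"{f.get('date')} {f.get('time')}", dst, port, reason))
    return findings


def beaconing_destinations(findings, min_hits=2):
    """Destinations contacted repeatedly by the appliance: candidate C2 hosts."""
    counts = {}
    for fd in findings:
        counts[fd.dstip] = counts.get(fd.dstip, 0) + 1
    return {ip for ip, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    hits = find_appliance_initiated(SAMPLE_LOGS)
    for h in hits:
        print(f"{h.when}  {h.dstip}:{h.dstport}  {h.reason}")
    print("repeated destinations:", beaconing_destinations(hits))
```

On the constructed sample the detector ignores the forwarded client session and the allowlisted update host, reports three appliance-initiated sessions, and singles out 203.0.113.7 as a repeated destination. In practice the allowlist would be built from the appliance’s documented update and telemetry endpoints, and the check would be run on logs shipped to a collector rather than on the device itself, since a compromised appliance may not log faithfully.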
FortiOS SSL-VPN (CVE-2022-42475) vulnerability explained
In December, a group of researchers discovered a spyware sample in a public repository. After additional analysis, they identified that it was linked to a zero-day vulnerability (CVE-2022-42475) in Fortinet’s FortiOS SSL-VPN technology.
According to Fortinet, this vulnerability allows an unauthenticated attacker to run arbitrary code on vulnerable devices and is present in several versions of Fortinet’s FortiOS and FortiProxy products.
Fortinet also reported that the vulnerability had been exploited at least once in the wild prior to the current exploit.
BoldMove, the malware in question, not only consists of an exploit but also displays an intricate understanding of the targeted network’s systems, services, logging, and proprietary formats. According to the report, this makes the malware particularly dangerous as it enables attackers to gain broad access to the network without the need for user interaction.
Furthermore, it is worth mentioning that Fortinet products have been a popular target for these types of attacks. However, threat actors have also targeted products from other vendors, making attribution difficult and time-consuming, since most threat actors use different approaches to target victims in similar or distinct industries.