Fortinet Finds Zero-Day Exploit in Government Attacks After Devices Detect Integrity Breach

Fortinet recently patched a critical unauthenticated remote code execution (RCE) vulnerability in FortiOS, tracked as CVE-2022-41328. The bug was described as a medium-severity path traversal issue leading to command execution, and was addressed last week. However, Fortinet did not mention at the time that the flaw was actually a zero-day vulnerability that was already being exploited.

Further investigation revealed that a sophisticated threat actor had been exploiting the vulnerability in highly targeted attacks against governmental and government-related entities. The attackers likely compromised the affected FortiGate devices via the FortiManager management software. Analysis of the infected firmware images led to the discovery of malicious tools that allowed the threat actor to exfiltrate data, download additional payloads, and launch a remote shell.

The malicious tools also connected back to the attackers’ command-and-control (C&C) server to receive commands, giving the attackers shell command execution with root privileges on the device. The attackers also modified FortiManager’s Django components to maintain persistent access and control.

The exploit shows that the threat actor has a deep understanding of both FortiOS and the underlying hardware, and that they likely reverse-engineered various parts of the platform. This is a worrying development, as it demonstrates the increasing sophistication of cybercriminals and their ability to exploit zero-day vulnerabilities in network edge devices.

In light of this, organizations should ensure that their systems are regularly updated and patched, and that other security best practices, such as using two-factor authentication, are implemented and maintained.

Key Points:
• Fortinet recently patched a zero-day vulnerability in FortiOS, tracked as CVE-2022-41328.
• A sophisticated threat actor had been exploiting the vulnerability in highly targeted attacks against governmental and government-related entities.
• The attackers likely compromised the affected FortiGate devices via the FortiManager management software.
• The exploit shows that the threat actor has a deep understanding of both FortiOS and the underlying hardware.
• Organizations should ensure that their systems are regularly updated and patched, and that other security best practices are implemented and maintained.
