Fortinet VPN Flaw Shows Pitfalls of Security AppliancesInternet-Facing Appliances Are a Target for State-Backed Hackers
A threat actor, possibly affiliated with the Chinese government, exploited a now-patched zero-day vulnerability in the Fortinet virtual private network, says Mandiant.
See Also: How to Use Risk Scoring to Propel Your Risk-Based Vulnerability Management Program Forward
The exploit is likely part of China's pattern of exploiting internet-facing security devices, the cybersecurity firm says in a blog post, adding that security devices typically allow users limited transparency on their internal workings.
Devices such as firewalls or Fortinet's FortiOS SSL-VPN "are often not inherently protected themselves" especially since they may not allow other security products such as endpoint detection and response to be installed on them. Core features may be sealed off by device manufacturers, and admin interfaces may present limited configuration and logging features.
The difficulty of detecting malicious activity on a security appliance makes these devices attractive to state-sponsored hackers. State-backed threat groups are also more likely than run-of-the-mill cybercriminals to invest resources into developing security appliance exploits given the high level of resources needed to do so, Mandiant says. That makes the government and defense sectors likely targets.
The unidentified threat actor exploiting the Fortinet VPN vulnerability - officially designated as CVE-2022-42475 - may have started doing so weeks before the company released a patch in December.
It used the flaw to deliver a backdoor Mandiant dubs Boldmove, including a Linux variant "specifically designed to run on FortiGate Firewalls."
A Windows version of Boldmove appears to have been compiled in 2021, and Mandiant didn't discover any exploits associated with that variant.
An extended version of the Linux backdoor contained a command that activates indicator blocking by disabling logging services. The extended version also contained a command that allows hackers to send requests to an internal Fortinet service, "possibly to modify device settings or expose internal parts of the associated network to the internet."
Fortinet's own analysis of its patched flaw concluded that an exploit would have required the threat actor to have a "deep understanding" of FortiOS and the associated hardware. Fortinet's knowledge of the threat actor who exploited it suggested a group with advanced capabilities and a preference for governmental or government-related targets.