Fortinet claims that unknown attackers have exploited the FortiOS SSLVPN zero day vulnerability in an attack against government agencies and other government targets.
These incidents exploit a security flaw ( ). This heap-based buffer overload weakness was found in FortiOS SSLVPNd and allowed remote attackers to remotely crash target devices or execute code.
After quietly fixing this bug in FortiOS 7.2.3 on November 28, the network security firm to update their appliances in order to protect themselves from ongoing attacks using this vulnerability.
This issue was made known to customers via TLP:Amber on December 7. On December 12, more information, including warnings that this bug could be used in attacks was made public.
“Fortinet knows of an exploit of this vulnerability in the wild,” said the company at that time. The company recommended admins immediately to check their systems against the list of indicators for compromise found in .
Fortinet released a report on Wednesday that revealed attackers used CVE-20222-42475 exploits in FortiOS SSL VPN appliances to install malware as a trojanized IPS Engine.
Zero-day is used to attack government networks
According to the company, threats were targeted and evidence was found that emphasized government networks.
Fortinet that the complexity of this exploit suggested an advanced actor, and it was highly targeted at government or government-related targets.
The attacker claimed that the Windows samples discovered by him contained artifacts that they were compiled from a computer in the UTC+8 zone, which covers Australia, China and Russia as well as Singapore.
They were focused on persistence and getting around detection. The vulnerability allowed them to install malware to patch FortiOS log processes, so that certain log entries could be deleted or even killed.
Further payloads were downloaded to compromised appliances and revealed that malware had also broken the Intrusion Prevention Systems (IPS) function of compromised devices. This is a system designed to identify threats by continuously monitoring the network traffic in order to prevent security violations.
Fortinet stated that the malware “patches the logging processes of FortiOS in order to manipulate logs in an attempt to evade detection.”
The malware is capable of manipulating log files. It looks for FortiOS log files called elogs. It then decompresses them into memory and searches for the string that the attacker has specified.
Fortinet advised that additional malicious payloads had been downloaded from remote sites during the attacks, but they could not be recovered for analysis.
According to the company, the threat actor responsible for the CVE-20222-42475 exploit last month showed “advanced abilities,” which included the ability reverse-engineer FortiOS parts.
Customers were also advised to upgrade immediately to FortiOS patched to stop attack attempts, and to contact Fortinet support should they discover any indications of compromise related to December’s attacks.