Unknown attackers exploited a FortiOS SSL-VPN zero-day vulnerability, patched by Fortinet last month, in attacks on government organizations and government-related targets, according to Fortinet. The exploited issue (CVE-2022-42475) is a heap-based buffer overflow in the FortiOS SSL-VPN daemon (sslvpnd) that allows an unauthenticated, remote attacker to crash vulnerable devices or achieve remote code execution via specially crafted requests.
Fortinet quietly fixed the flaw on November 28 in FortiOS 7.2.3 without disclosing that it was a zero-day already under exploitation; in mid-December the network security vendor urged customers to patch their appliances against ongoing attacks leveraging it.
On December 7, customers were privately notified of this vulnerability via a TLP:AMBER advisory. On December 12, more information was made public, including a warning that the flaw was being actively exploited in attacks.
“Fortinet is well aware of an instance where this vulnerability has been abused in the wild,” the company noted at the time, advising administrators to check their systems promptly against a set of indicators of compromise published in this advisory.
Fortinet released a follow-up report on Wednesday disclosing that attackers were using CVE-2022-42475 exploits to compromise FortiOS SSL-VPN appliances and deploy malware in the form of a trojanized version of the FortiOS IPS Engine.
Zero-day Exploitation To Attack Government Networks
According to the company, the threat actor's attacks were highly targeted, with evidence discovered during the investigation indicating a concentration on government networks. “The intricacy of the exploit signals a sophisticated actor and that it is highly focused at governmental or government-related targets,” according to Fortinet.
“The detected Windows sample attributed to the attacker exhibited artifacts of being compiled on a machine in the UTC+8 timezone, which encompasses Australia, China, Russia, Singapore, and other Eastern Asian countries.”
To evade detection, the attackers used the vulnerability to install malware that patches the FortiOS logging processes so that specific log entries can be erased, and that can also kill the logging processes outright if needed.
Additional payloads recovered from compromised appliances showed that the malware also disabled the affected devices' Intrusion Prevention System (IPS), the component that inspects network traffic to detect and block threats.
“The virus patches the FortiOS logging processes to modify logs in order to avoid detection,” Fortinet warned. “Malware is capable of modifying log files. It also looks for elog files, which are FortiOS event logs. After decompressing them in memory, it searches for and deletes a string given by the attacker before reconstructing the logs.”
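The following is an added example, not code from the original article or from Fortinet's report. It shows, in Python, the log-tampering sequence described above (decompress the compressed event log in memory, drop every entry containing an attacker-chosen string, recompress so the file still looks intact) and the defender-side check that defeats it: comparing the on-device log against a copy that was forwarded off-box before the tampering. The log lines, the key=value layout and the choice of "sslvpnd" as the scrubbed string are all constructed for illustration; the page does not publish the real strings or indicators.

```python
"""Emulate in-memory scrubbing of a gzip-compressed event log and recover the
removed entries from an off-box copy. Sample data is constructed and is not
real FortiOS output."""
import gzip

# Constructed sample event log in key=value style (not captured from a device).
# The entries mentioning "sslvpnd" stand in for whatever string the attacker
# supplies; the real string is an assumption here, not published on the page.
SAMPLE_ELOG_LINES = [
    'date=2022-12-12 time=09:00:01 type="event" subtype="system" level="information" msg="Administrator admin logged in from ssh"',
    'date=2022-12-12 time=09:05:43 type="event" subtype="system" level="critical" msg="Application sslvpnd exited unexpectedly"',
    'date=2022-12-12 time=09:06:10 type="event" subtype="system" level="notice" msg="Configuration changed by admin"',
    'date=2022-12-12 time=09:09:30 type="event" subtype="system" level="warning" msg="Application sslvpnd restarted"',
    'date=2022-12-12 time=09:10:00 type="event" subtype="system" level="information" msg="Administrator admin logged out"',
]


def compress_lines(lines):
    """Build a gzip-compressed log blob from a list of log lines."""
    return gzip.compress(("\n".join(lines) + "\n").encode("utf-8"))


def decompress_lines(blob):
    """Decompress a log blob entirely in memory and return its lines."""
    return gzip.decompress(blob).decode("utf-8").splitlines()


def scrub_compressed_log(blob, needle):
    """Attacker technique as described in the report: decompress in memory,
    delete every line containing `needle`, and rebuild a well-formed
    compressed log so a casual inspection sees nothing wrong."""
    kept = [line for line in decompress_lines(blob) if needle not in line]
    return compress_lines(kept)


def find_removed_entries(device_blob, forwarded_lines):
    """Defender side: entries present in the off-box (syslog or log
    collector) copy but absent from the on-device log are candidate scrubbed
    lines. Input order is preserved so gaps can be placed on the timeline."""
    on_device = set(decompress_lines(device_blob))
    return [line for line in forwarded_lines if line not in on_device]


def tamper_summary(device_blob, forwarded_lines):
    """Counts suitable for an alert: how many forwarded entries never made
    it to (or were removed from) the device's own copy of the log."""
    removed = find_removed_entries(device_blob, forwarded_lines)
    return {
        "forwarded": len(forwarded_lines),
        "on_device": len(decompress_lines(device_blob)),
        "removed": len(removed),
    }


if __name__ == "__main__":
    original = compress_lines(SAMPLE_ELOG_LINES)
    scrubbed = scrub_compressed_log(original, "sslvpnd")
    print(tamper_summary(scrubbed, SAMPLE_ELOG_LINES))
    for line in find_removed_entries(scrubbed, SAMPLE_ELOG_LINES):
        print("missing from device log:", line)
```

The practical point is the second half: once an attacker has code execution on the appliance, nothing stored on the appliance is trustworthy, so the only reliable record is the copy that left the box (syslog or a log collector) before the compromise. Any entry that exists off-box but not on-device is evidence of tampering, not just of the original event.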
Fortinet noted that more malicious payloads were downloaded from a remote site throughout the attacks but could not be retrieved for examination. The threat actor responsible for last month’s CVE-2022-42475 exploitation possesses “advanced capabilities,” including the ability to reverse-engineer sections of the FortiOS operating system, according to the company.
Customers were also instructed to immediately upgrade to a patched version of FortiOS in order to thwart attack attempts and to contact Fortinet support if they discovered indicators of compromise relating to the December attacks.
Fortinet Warns Of An Actively Exploited Zero-Day Vulnerability In VPN Software
Fortinet is warning businesses about an actively exploited zero-day vulnerability in FortiOS SSL-VPN that might allow a remote attacker to seize control of vulnerable VPN servers. An attacker can induce a heap-based buffer overflow and execute code on the system by delivering carefully crafted requests. To carry out the attack, attackers do not require any credentials.
The vulnerability carries a CVSS score of 9.3 out of 10. According to Fortinet, the flaw, tracked as CVE-2022-42475, was exploited before the security update was released, but no further details about the targets of the attacks were provided. The security bulletin does include indicators that can be used to identify a successful compromise of a VPN server.
“Vulnerabilities in VPN interfaces can consequently give a starting point to breach a network, after which other systems may potentially be hacked. Depending on the circumstances, an attacker may use this method to get access to sensitive information or to launch a ransomware assault,” according to the National Cyber Security Center.
Unknown attackers used a zero-day vulnerability in FortiOS SSL-VPN, which Fortinet patched last month, in attacks against government and other high-value organizations. “The sophistication of the exploit reflects an advanced actor,” Fortinet researchers wrote in a post-mortem report published this week. CVE-2022-42475, a heap-based buffer overflow that could allow an unauthenticated, remote attacker to execute arbitrary code via specially crafted requests, was exploited in the attacks.