
BOLDMOVE Linux Malware Exploited Fortinet Vulnerability

paul pon raj

A newly identified Linux backdoor known as BOLDMOVE has been deployed through a recently disclosed FortiOS SSL-VPN vulnerability. The flaw, tracked as CVE-2022-42475 (a heap-based buffer overflow in the SSL-VPN daemon, sslvpnd), was quietly fixed by Fortinet in November 2022 and publicly disclosed in December, after it was discovered that threat actors were already exploiting it in the wild.

The vulnerability allows a remote, unauthenticated attacker to crash the targeted device or gain remote code execution on it, with no user interaction. It has been reported that Chinese threat actors used BOLDMOVE, which is specifically built to run on FortiOS devices, against a European government entity and an African managed service provider.


To stay on the exploited devices undetected, the attackers used the malware to patch the FortiOS logging processes, disabling the appliance's own audit trail and making it much harder for defenders to reconstruct the intrusion from device logs.
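Two cheap checks follow from the two facts above: a failed or unstable exploit of a memory-corruption bug in the SSL-VPN daemon tends to show up as that daemon crashing, and an implant that patches the logging processes makes the device go quiet. The script below is an added example written for this page, not code from the article, Fortinet or Mandiant. It parses FortiGate-style key=value syslog lines, flags sslvpnd crash events, and reports any silence longer than the device's normal reporting cadence. The crash message layout and the sample log lines are constructed for illustration and are assumptions, not captured telemetry; adapt the field names and threshold to your own exports.

```python
"""Detections over FortiGate-style syslog exports (added example, not vendor code).

1) sslvpnd crash events: exploitation attempts against a memory-corruption bug in
   the SSL-VPN daemon can crash it. The "Application crashed" line below is an
   assumed layout, constructed for this example.
2) logging gaps: if an implant disables the logging daemons, the device goes
   silent. Any gap longer than the expected reporting cadence is worth an alert.
"""
import re
from datetime import datetime

# Constructed sample log lines (not real telemetry). One sslvpnd crash at 08:07:42,
# then normal 5-minute statistics until the device falls silent for 3h35m.
SAMPLE_LOGS = """\
date=2022-12-10 time=08:00:01 devname="fw-edge-1" type="event" subtype="system" level="information" logdesc="System performance statistics" msg="Performance statistics: average CPU: 3"
date=2022-12-10 time=08:05:01 devname="fw-edge-1" type="event" subtype="system" level="information" logdesc="System performance statistics" msg="Performance statistics: average CPU: 4"
date=2022-12-10 time=08:07:42 devname="fw-edge-1" type="event" subtype="system" level="warning" logdesc="Application crashed" msg="[13096] application:sslvpnd, Signal 11 received, Backtrace: [0x7f3a1c0a0b4c] [0x7f3a1c0a0f2d]"
date=2022-12-10 time=08:10:01 devname="fw-edge-1" type="event" subtype="system" level="information" logdesc="System performance statistics" msg="Performance statistics: average CPU: 9"
date=2022-12-10 time=11:45:01 devname="fw-edge-1" type="event" subtype="system" level="information" logdesc="System performance statistics" msg="Performance statistics: average CPU: 5"
"""

# key=value pairs; values are either a double-quoted string (may contain spaces)
# or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one syslog line into a dict, stripping the quotes from quoted values."""
    rec = {}
    for key, val in KV_RE.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        rec[key] = val
    return rec


def timestamp(rec):
    """Combine the date and time fields into a datetime."""
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def is_sslvpnd_crash(rec):
    """True for an 'Application crashed' event whose victim is sslvpnd with SIGSEGV."""
    msg = rec.get("msg", "").lower()
    return ("crash" in rec.get("logdesc", "").lower()
            and "application:sslvpnd" in msg
            and "signal 11" in msg)


def find_sslvpnd_crashes(log_text):
    """Return (devname, timestamp) for every sslvpnd crash in the export."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_sslvpnd_crash(rec):
            hits.append((rec.get("devname"), timestamp(rec).isoformat(sep=" ")))
    return hits


def find_log_gaps(log_text, max_gap_seconds):
    """Return (devname, gap_start, gap_end, seconds) for each silence per device
    longer than max_gap_seconds. Lines are assumed to be in chronological order."""
    last_seen = {}
    gaps = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        dev, ts = rec.get("devname"), timestamp(rec)
        prev = last_seen.get(dev)
        if prev is not None:
            delta = (ts - prev).total_seconds()
            if delta > max_gap_seconds:
                gaps.append((dev, prev.isoformat(sep=" "), ts.isoformat(sep=" "), int(delta)))
        last_seen[dev] = ts
    return gaps


if __name__ == "__main__":
    for dev, when in find_sslvpnd_crashes(SAMPLE_LOGS):
        print(f"ALERT sslvpnd crash on {dev} at {when}")
    # 900 s = three missed 5-minute statistics intervals on the sample device.
    for dev, start, end, secs in find_log_gaps(SAMPLE_LOGS, 900):
        print(f"ALERT {dev} silent for {secs}s between {start} and {end}")
```

The gap detector only works if you already have a baseline for how often each appliance reports; a performance-statistics or heartbeat event at a fixed interval is a good candidate. Run it from the SIEM side rather than on the appliance, since a device whose logging has been patched cannot be trusted to report on itself.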


BOLDMOVE is a full-featured backdoor written in C that gives its operators complete control over the compromised device. According to Mandiant, the security firm that analysed it, several versions of BOLDMOVE have been identified; the core feature set includes surveying the system, receiving commands from a command-and-control (C2) server, spawning a remote shell on the host, and relaying traffic through the breached device.

The Windows and Linux variants of BOLDMOVE share most of their code, but the Linux variant adds functionality specific to FortiOS devices: it can send requests to internal Fortinet services and issue network requests into the internal network behind the appliance, letting the attackers pivot laterally to other hosts.

This type of attack underlines the importance of promptly patching internet-facing devices such as firewalls and IPS/IDS appliances: they can be compromised remotely without any user interaction and sit at the boundary of the network, so a single exploit turns into a foothold inside it.

Unfortunately, defenders usually cannot inspect which processes are running on these appliances, endpoint security agents cannot be installed on them, and the devices' native security mechanisms, logging included, can be tampered with by an attacker who already has code execution on the box.

In conclusion, a custom-built backdoor for one of these devices shows that the threat actors understand in depth how perimeter network devices operate and the initial-access opportunity they represent.
