In December, network security vendor Fortinet disclosed that a critical vulnerability in its FortiOS operating system was being exploited by attackers in the wild. This week, the company released more details about a sophisticated malware implant that those attackers deployed through the flaw.
The vulnerability, tracked as CVE-2022-42475, is in the SSL-VPN functionality of FortiOS and can be exploited by remote attackers without authentication. Successful exploitation can result in the execution of arbitrary code and commands.
Fortinet rated the vulnerability 9.3 (Critical) on the CVSS scale and released updates to major variants of FortiOS, FortiOS-6K7K, and FortiProxy, the company’s secure web gateway product.
Fortinet’s analysis showed that the attackers exploited the vulnerability and copied a Trojanized version of the FortiOS IPS Engine to the filesystem. This indicates the attackers are highly skilled and capable of reverse engineering custom FortiOS components.
The rogue version of the IPS Engine was saved on the filesystem as /data/lib/libips.bak and is a copy of the legitimate /data/lib/libips.so but with malicious modifications.
The analysts were not able to recover all the files from the compromised appliance they analyzed, so the full attack chain is not known. However, they did find a file called wxd.conf whose contents are similar to the config file for an open-source reverse proxy that can be used to expose a system behind NAT to the internet.
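As an added defender-side check (not Fortinet's code), the following Python scans a mounted or extracted copy of an appliance filesystem for the two artifacts named above: a libips.bak whose hash differs from libips.so, and a wxd.conf anywhere on the volume. The function and variable names, and the sample files it builds in a temporary directory, are mine; it assumes the extracted root is passed in as a path.

```python
import hashlib
import tempfile
from pathlib import Path

# Paths named in the Fortinet write-up: the implant is a modified copy of the
# legitimate IPS Engine library, saved beside it under a ".bak" name.
LEGIT_IPS = Path("data/lib/libips.so")
ROGUE_IPS = Path("data/lib/libips.bak")
# Config file the analysts tied to a reverse-proxy component (location unknown).
PROXY_CONF_NAME = "wxd.conf"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large libraries are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_fortios_fs(root: Path) -> list[str]:
    """Return findings for an appliance root filesystem extracted under `root`.

    Read-only: the function only stats, reads and hashes files.
    """
    findings = []
    legit, rogue = root / LEGIT_IPS, root / ROGUE_IPS
    if rogue.exists():
        if legit.exists() and sha256_of(legit) == sha256_of(rogue):
            findings.append(f"{ROGUE_IPS} present but byte-identical to libips.so")
        else:
            findings.append(f"{ROGUE_IPS} present and differs from libips.so: "
                            "possible trojanized IPS Engine")
    for conf in root.rglob(PROXY_CONF_NAME):
        findings.append(f"{conf.relative_to(root)} present: reverse-proxy config "
                        "is not an expected FortiOS file")
    return findings


def demo() -> list[str]:
    """Build a constructed sample filesystem (not a real appliance) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "data/lib").mkdir(parents=True)
        (root / LEGIT_IPS).write_bytes(b"\x7fELF legitimate ips engine (constructed)")
        (root / ROGUE_IPS).write_bytes(b"\x7fELF ips engine with patched bytes (constructed)")
        (root / "data/etc").mkdir(parents=True)  # constructed location for the conf
        (root / "data/etc" / PROXY_CONF_NAME).write_text("# constructed stand-in\n")
        return scan_fortios_fs(root)


if __name__ == "__main__":
    for line in demo():
        print(line)
```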
Analysis of network packet captures from the appliance suggested the malware connected to two external attacker-controlled servers to download additional payloads and commands to execute.
Based on currently available information, the original zero-day attack was highly targeted at government-related entities. However, since the vulnerability has been known for over a month, all customers should patch it as soon as possible as more attackers could start using it.
Fortinet has also released an IPS (intrusion prevention system) signature for detecting exploit attempts, as well as detection rules for the known implant in its antivirus engine.