Fortinet VPN Flaw Shows Pitfalls of Security Appliances

Internet-Facing Appliances Are a Target for State-Backed Hackers
Fortinet VPN Flaw Shows Pitfalls of Security Appliances
Image: Shutterstock

A threat actor, possibly affiliated with the Chinese government, exploited a now-patched zero-day vulnerability in the Fortinet virtual private network, says Mandiant.

See Also: New OnDemand | Securing Skies: Network Firewalls and the Battle Against Zero-Day Threats in the Cloud

The exploit is likely part of China's pattern of exploiting internet-facing security devices, the cybersecurity firm says in a blog post, adding that security devices typically allow users limited transparency on their internal workings.

Devices such as firewalls or Fortinet's FortiOS SSL-VPN "are often not inherently protected themselves" especially since they may not allow other security products such as endpoint detection and response to be installed on them. Core features may be sealed off by device manufacturers, and admin interfaces may present limited configuration and logging features.

The difficulty of detecting malicious activity on a security appliance makes these devices attractive to state-sponsored hackers. State-backed threat groups are also more likely than run-of-the-mill cybercriminals to invest resources into developing security appliance exploits given the high level of resources needed to do so, Mandiant says. That makes the government and defense sectors likely targets.

The unidentified threat actor exploiting the Fortinet VPN vulnerability - officially designated as CVE-2022-42475 - may have started doing so weeks before the company released a patch in December.

It used the flaw to deliver a backdoor Mandiant dubs Boldmove, including a Linux variant "specifically designed to run on FortiGate Firewalls."

A Windows version of Boldmove appears to have been compiled in 2021, and Mandiant didn't discover any exploits associated with that variant.

An extended version of the Linux backdoor contained a command that activates indicator blocking by disabling logging services. The extended version also contained a command that allows hackers to send requests to an internal Fortinet service, "possibly to modify device settings or expose internal parts of the associated network to the internet."

Fortinet's own analysis of its patched flaw concluded that an exploit would have required the threat actor to have a "deep understanding" of FortiOS and the associated hardware. Fortinet's knowledge of the threat actor who exploited it suggested a group with advanced capabilities and a preference for governmental or government-related targets.


About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.