14 March 2023

New FortiOS bug exploited in attacks targeting government orgs

Threat actors exploited a recently patched vulnerability in Fortinet's FortiOS software in attacks aimed at government entities and government-related organizations, with the likely goal of stealing data.

The zero-day vulnerability in question is CVE-2022-41328, a path traversal issue stemming from an input validation error when processing certain CLI commands; it may allow a privileged attacker to read and write arbitrary files via crafted CLI commands.

The bug affects FortiOS versions 6.4.0 through 6.4.11, 7.0.0 through 7.0.9, 7.2.0 through 7.2.3, and all versions of FortiOS 6.0 and 6.2. To remedy the issue, users are advised to upgrade vulnerable systems to FortiOS 6.4.12 or later, 7.0.10 or later, or 7.2.4 or later.

The attacks were discovered when multiple FortiGate devices belonging to an unnamed customer experienced “sudden system halt and subsequent boot failure,” indicating an integrity breach.

“If an integrity breach is detected, the device will shut down and refuse to boot to protect the integrity of the network,” Fortinet explained in a security advisory.

The investigation found that the attackers modified the /sbin/init file within the device's firmware image and added a new file, /bin/fgfm. The modification to /sbin/init ensures that /bin/fgfm, which may give an attacker persistent access and control, runs before the regular boot-up actions proceed.

The Fortinet investigation team believes the affected FortiGate devices were likely compromised through access via the FortiManager device: all affected FortiGate devices detected the attack and halted at around the same time, all were compromised in the same way, and the timing coincides with scripts being executed on the FortiGate devices via FortiManager.

Currently, it’s unclear if the threat actor behind this attack is linked to another intrusion that exploited a flaw in FortiOS SSL-VPN (CVE-2022-42475) earlier this year to deploy a Linux implant.
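As an added defender-side triage example (not code from the article or from Fortinet): the first function checks a reported FortiOS version against the affected ranges listed above, and the second checks an extracted root filesystem listing for the two indicators the article describes (a modified /sbin/init and a new /bin/fgfm). The known-good init contents and the tampered listing are constructed sample data; the known-good hash is assumed to come from a trusted image of the same build.

```python
import hashlib

# Affected ranges as stated in the article: (first, last) inclusive; None = every release of that branch.
AFFECTED = [
    ((6, 0, 0), None),  # all FortiOS 6.0 releases
    ((6, 2, 0), None),  # all FortiOS 6.2 releases
    ((6, 4, 0), (6, 4, 11)),
    ((7, 0, 0), (7, 0, 9)),
    ((7, 2, 0), (7, 2, 3)),
]

def parse_version(v: str) -> tuple:
    """'7.0.9' -> (7, 0, 9); integer tuples avoid the '6.4.12' < '6.4.9' string-sort trap."""
    parts = v.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected FortiOS version string: {v!r}")
    return tuple(int(p) for p in parts)

def is_affected(version: str) -> bool:
    ver = parse_version(version)
    for first, last in AFFECTED:
        if last is None:
            if ver[:2] == first[:2]:  # whole branch affected, any patch level
                return True
        elif first <= ver <= last:
            return True
    return False

def init_indicators(files: dict, known_good_init_sha256: str) -> list:
    """files maps absolute path -> bytes of an extracted root filesystem; returns findings."""
    findings = []
    if "/bin/fgfm" in files:
        findings.append("unexpected file /bin/fgfm present")
    init = files.get("/sbin/init")
    if init is None:
        findings.append("/sbin/init missing")
    else:
        if hashlib.sha256(init).hexdigest() != known_good_init_sha256:
            findings.append("/sbin/init differs from known-good image")
        if b"/bin/fgfm" in init:
            findings.append("/sbin/init references /bin/fgfm")
    return findings

# Constructed sample data: a stand-in clean init and a tampered listing matching the article.
KNOWN_GOOD_INIT = b"#!/bin/sh\n# constructed stand-in for a clean /sbin/init\nstart_services\n"
KNOWN_GOOD_INIT_SHA256 = hashlib.sha256(KNOWN_GOOD_INIT).hexdigest()
TAMPERED_FS = {
    "/sbin/init": b"#!/bin/sh\n/bin/fgfm &\n# constructed stand-in for a clean /sbin/init\nstart_services\n",
    "/bin/fgfm": b"\x7fELF constructed placeholder, not a real binary",
}
```

In practice the known-good hash should be taken from a pristine image of the exact same firmware build, since /sbin/init legitimately differs between releases.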
