14 March 2023

New FortiOS bug exploited in attacks targeting government orgs

Threat actors used a recently patched vulnerability in Fortinet FortiOS software in attacks aimed at government entities and government-related organizations, with the likely goal of stealing data.

The zero-day vulnerability in question is CVE-2022-41328, a path traversal issue stemming from an input validation error when processing certain CLI commands, which may allow a privileged attacker to read and write arbitrary files via crafted CLI commands.

The bug affects FortiOS versions 6.4.0 through 6.4.11, FortiOS versions 7.0.0 through 7.0.9, FortiOS versions 7.2.0 through 7.2.3, and all versions of FortiOS 6.0 and 6.2. To remedy the issue, users are advised to upgrade vulnerable systems to FortiOS version 6.4.12 or later, FortiOS version 7.0.10 or later, or FortiOS version 7.2.4 or later.

The attacks were discovered when multiple FortiGate devices belonging to an unnamed customer experienced “sudden system halt and subsequent boot failure,” indicating an integrity breach.

“If an integrity breach is detected, the device will shut down and refuse to boot to protect the integrity of the network,” Fortinet explained in a security advisory.

The investigation into the matter found that the attackers modified the /sbin/init file within the device’s firmware image and added a new file, /bin/fgfm. The modification to /sbin/init ensures that /bin/fgfm, which may provide an attacker with persistent access and control, runs before the regular boot-up actions proceed.
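As an added illustration (not Fortinet's code or its actual integrity mechanism), a baseline-hash check that flags exactly the two changes described above: the modified /sbin/init and the unexpected /bin/fgfm. The file paths come from the article; the file contents and the manifest format are constructed for the example.

```python
"""Baseline integrity check over a firmware file manifest (added example).
Compares per-file SHA-256 hashes of an image against a known-good baseline and
applies a fail-closed policy: any deviation means the image must not boot."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "known-good" image contents (hypothetical, not real FortiOS files).
BASELINE_FILES = {
    "/sbin/init": b"#!/bin/sh\nexec /bin/init_real\n",
    "/bin/init_real": b"\x7fELF...init...",
    "/bin/sh": b"\x7fELF...sh...",
}
BASELINE = {path: sha256_hex(data) for path, data in BASELINE_FILES.items()}

# Constructed tampered image: /sbin/init now starts /bin/fgfm before the regular
# boot sequence, and /bin/fgfm is a new file that is absent from the baseline.
TAMPERED_FILES = {
    "/sbin/init": b"#!/bin/sh\n/bin/fgfm &\nexec /bin/init_real\n",
    "/bin/init_real": BASELINE_FILES["/bin/init_real"],
    "/bin/sh": BASELINE_FILES["/bin/sh"],
    "/bin/fgfm": b"\x7fELF...unexpected-binary...",
}


def check_integrity(baseline: dict, files: dict) -> dict:
    """Return modified, unexpected (not in baseline) and missing paths."""
    current = {path: sha256_hex(data) for path, data in files.items()}
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    unexpected = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "unexpected": unexpected, "missing": missing}


def boot_allowed(report: dict) -> bool:
    """Fail closed, as the advisory describes: any deviation halts the device."""
    return not (report["modified"] or report["unexpected"] or report["missing"])


if __name__ == "__main__":
    report = check_integrity(BASELINE, TAMPERED_FILES)
    print(report)  # modified: ['/sbin/init'], unexpected: ['/bin/fgfm']
    print("boot allowed:", boot_allowed(report))  # False
```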

The Fortinet investigation team believes that the affected FortiGate devices were likely compromised through access via the FortiManager device. This is based on three observations: all affected FortiGate devices detected the attack and halted at around the same time, all were compromised in the same way, and the time at which this occurred coincides with scripts being executed on the FortiGate devices via FortiManager.

Currently, it’s unclear if the threat actor behind this attack is linked to another intrusion that exploited a flaw in FortiOS SSL-VPN (CVE-2022-42475) earlier this year to deploy a Linux implant.
