Threat actors used a recently patched vulnerability in Fortinet FortiOS software in attacks aimed at government entities and government-related organizations, with the likely goal of stealing data.
The zero-day vulnerability in question is CVE-2022-41328, a path traversal issue stemming from an input validation error when processing certain CLI commands, which may allow a privileged attacker to read and write arbitrary files via crafted CLI commands.
The bug affects FortiOS version 6.4.0 through 6.4.11, FortiOS version 7.0.0 through 7.0.9, FortiOS version 7.2.0 through 7.2.3, and all versions of FortiOS 6.0 and 6.2. To remedy the issue, users are advised to upgrade vulnerable systems to FortiOS version 6.4.12 and later, FortiOS version 7.0.10 and later, or FortiOS version 7.2.4 and higher.
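The version ranges above can be turned into an inventory triage check. The following is an added example, not code from Fortinet or from the original article; the device names and the inventory are constructed, and branches the article does not mention are reported as "not-listed" rather than guessed.

```python
import re

# Affected ranges and fixed releases as listed in the article above.
# branch -> (last affected release, first fixed release); None means every
# release on that branch is affected and the fix is a move to a newer branch.
BRANCHES = {
    (6, 0): None,
    (6, 2): None,
    (6, 4): ((6, 4, 11), (6, 4, 12)),
    (7, 0): ((7, 0, 9), (7, 0, 10)),
    (7, 2): ((7, 2, 3), (7, 2, 4)),
}
FIXED_BRANCH_TARGETS = "6.4.12, 7.0.10 or 7.2.4"

def parse_version(text):
    """Parse 'X.Y.Z' (optional leading 'v') into a tuple of ints."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def triage(version_text):
    """Return (status, upgrade_target) for one FortiOS version string."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch not in BRANCHES:
        return ("not-listed", None)      # branch not covered by the article
    if BRANCHES[branch] is None:
        return ("affected", FIXED_BRANCH_TARGETS)
    last_affected, first_fixed = BRANCHES[branch]
    if version <= last_affected:         # tuple comparison is numeric per field
        return ("affected", ".".join(map(str, first_fixed)))
    return ("fixed", None)

# Constructed sample inventory (hypothetical device names).
INVENTORY = {"fw-edge-01": "v7.0.9", "fw-edge-02": "7.0.10",
             "fw-branch-01": "6.2.12", "fw-dc-01": "6.4.11", "fw-lab-01": "7.2.4"}

def affected_devices(inventory):
    """Map each affected device name to the release it should move to."""
    results = {name: triage(ver) for name, ver in inventory.items()}
    return {name: target for name, (status, target) in sorted(results.items())
            if status == "affected"}

if __name__ == "__main__":
    for name, target in affected_devices(INVENTORY).items():
        print(f"{name}: affected by CVE-2022-41328, upgrade to {target} or later")
```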
The attacks were discovered when multiple FortiGate devices belonging to an unnamed customer experienced “sudden system halt and subsequent boot failure,” indicating an integrity breach.
“If an integrity breach is detected, the device will shut down and refuse to boot to protect the integrity of the network,” Fortinet explained in a security advisory.
The investigation into the matter found that the attackers modified the /sbin/init file within the device’s firmware image and added a new file, /bin/fgfm. The modification to /sbin/init ensures that /bin/fgfm, which may provide an attacker with persistent access and control, runs before the device proceeds with regular boot-up actions.
The Fortinet investigation team believes that the affected FortiGate devices were likely compromised through access via the FortiManager device. This assessment is based on the fact that all affected FortiGate devices detected the attack and halted around the same time, all were compromised in the same way, and the time at which this occurred coincides with scripts being executed on the FortiGate devices via FortiManager.
Currently, it’s unclear if the threat actor behind this attack is linked to another intrusion that exploited a flaw in FortiOS SSL-VPN (CVE-2022-42475) earlier this year to deploy a Linux implant.