Technology NewsFortiOS Flaw Exploited as Zero-Day in Attacks on Government...

FortiOS Flaw Exploited as Zero-Day in Attacks on Government and Organizations

-


Jan 13, 2023Ravie LakshmananZero-Day / Incident Response

FortiOS Flaw Exploited as Zero-Day in Attacks on Government and Organizations

A zero-day vulnerability in FortiOS SSL-VPN that Fortinet addressed last month was exploited by unknown actors in attacks targeting the government and other large organizations.

“The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets,” Fortinet researchers said in a post-mortem analysis published this week.

The attacks entailed the exploitation of CVE-2022-42475, a heap-based buffer overflow flaw that could enable an unauthenticated remote attacker to execute arbitrary code via specifically crafted requests.

The infection chain analyzed by the company shows that the end goal was to deploy a generic Linux implant modified for FortiOS that’s equipped to compromise Fortinet’s intrusion prevention system (IPS) software and establish connections with a remote server to download additional malware and execute commands.

Fortinet said it was unable to recover the payloads used in the subsequent stages of the attacks. It did not disclose when the intrusions took place.

FortiOS Flaw

In addition, the modus operandi reveals the use of obfuscation to thwart analysis as well as “advanced capabilities” to manipulate FortiOS logging and terminate logging processes to remain undetected.

“It searches for elog files, which are logs of events in FortiOS,” the researchers said. “After decompressing them in memory, it searches for a string the attacker specifies, deletes it, and reconstructs the logs.”

The network security company also noted that the exploit requires a “deep understanding of FortiOS and the underlying hardware” and that the threat actor possesses skills to reverse engineer different parts of FortiOS.

“The discovered Windows sample attributed to the attacker displayed artifacts of having been compiled on a machine in the UTC+8 timezone, which includes Australia, China, Russia, Singapore, and other Eastern Asian countries,” it added.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest news

all about the upcoming Redmi Band 2

The new generation of the Redmi smart bracelet will be presented very soon, and we already know its...

கடந்த காலத்தை குறியீடாக்குதல் – மர்மமான மாபெரும் அழிந்துபோன கடல் ஊர்வன கல்லறையின் தோற்றத்தை விஞ்ஞானிகள் கண்டுபிடித்துள்ளனர்

இக்தியோசர் இனத்தின் வயது வந்தோர் மற்றும் இளம் பருவத்தினர் ஷோனிசரஸ் பிரபலமானது 230 மில்லியன் ஆண்டுகளுக்கு முன்பு அம்மோனாய்டு இரையைத் துரத்தியது, இப்போது பெர்லின்-இக்தியோசர்...

Canonical has announced the availability of Ubuntu Pro subscriptions. What does this mean for regular users of this distro?

Canonical announced this morning that their Ubuntu Pro subscription service has been promoted from beta to general availability...

Hive Ransomware Infrastructure Seized in Joint International Law Enforcement Effort

Jan 26, 2023Ravie LakshmananEncryption / Ransomware The infrastructure associated with the Hive ransomware-as-a-service (RaaS) operation has been seized as...

Elite IT bachelor’s degree program starts at a domestic university

From artificial intelligence to digital molecular medical biology, students can acquire up-to-date knowledge and an internationally valuable diploma. ...

ZTE Blade V40 shows its face, specs revealed

ZTE has yet another V40 device up its sleeve and it's the Blade V40, that surfaced in Bangladesh....

Must read

Movies Like Knives Out – 7 Murder Mystery Films For Whodunit Fans

Where To Watch Knives Out? Knives Out is a...

99acres Survey – Review & Earn ₹150 FREE PayTM Cash

99acres Survey – Earn Free PayTM Cash 99acres Write...