A China-linked group is suspected of exploiting a zero-day vulnerability in Fortinet’s FortiOS software, impacting versions 6.0, 6.2, 6.4.0 through 6.4.11, 7.0.0 through 7.0.9, and 7.2.0 through 7.2.3.
The vulnerability, tracked as CVE-2022-41328, is a path traversal issue that may allow a privileged attacker to read and write arbitrary files via crafted CLI commands, and can result in arbitrary code execution.
Fortinet has addressed the vulnerability with the release of versions 6.4.12, 7.0.10, and 7.2.4 respectively.
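As an added triage check (not part of the original article or any Fortinet tooling), the following Python encodes the affected and fixed version ranges listed above and flags inventory entries still running a vulnerable FortiOS build; the host names and builds in SAMPLE_INVENTORY are constructed sample data.

```python
"""Added triage check: flag FortiOS builds in the CVE-2022-41328 affected ranges.
Ranges come from the summary above; SAMPLE_INVENTORY holds constructed, hypothetical hosts."""
import re

# (major, minor, first affected patch, last affected patch or None for the whole
#  branch, fixed release or None where the summary lists no fixed build)
AFFECTED_RANGES = [
    (6, 0, 0, None, None),
    (6, 2, 0, None, None),
    (6, 4, 0, 11, (6, 4, 12)),
    (7, 0, 0, 9, (7, 0, 10)),
    (7, 2, 0, 3, (7, 2, 4)),
]

def parse_version(text):
    """Extract major.minor[.patch] from '7.0.9' or 'FortiOS v6.4.11 build2030'; missing patch = 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def assess(version_text):
    """Return {'version', 'affected', 'fixed_in'}; fixed_in is None when not affected
    or when the summary lists no fixed build for that branch (6.0.x and 6.2.x)."""
    major, minor, patch = parse_version(version_text)
    for r_major, r_minor, first, last, fixed in AFFECTED_RANGES:
        if (major, minor) != (r_major, r_minor):
            continue
        affected = patch >= first and (last is None or patch <= last)
        return {"version": (major, minor, patch), "affected": affected,
                "fixed_in": fixed if affected else None}
    # Branches not listed (e.g. 7.4) fall outside the stated affected set.
    return {"version": (major, minor, patch), "affected": False, "fixed_in": None}

def vulnerable_hosts(inventory):
    """Return (host, running version, fixed release) for entries still on an affected build."""
    hits = []
    for host, version_text in inventory.items():
        result = assess(version_text)
        if result["affected"]:
            hits.append((host, result["version"], result["fixed_in"]))
    return hits

SAMPLE_INVENTORY = {
    "fgt-edge-01": "FortiOS v7.0.9 build0444",   # affected, fix 7.0.10
    "fgt-edge-02": "7.0.10",                      # patched
    "fgt-branch-07": "6.2.12",                    # affected, no fixed build listed above
    "fgt-lab-03": "v7.2.4",                       # patched
}
```

Hosts in a 6.0.x or 6.2.x branch come back as affected with no fixed release, because the summary above lists none for those branches.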
Mandiant researchers linked a series of attacks that took place in mid-2022 to a China-linked threat actor tracked as UNC3886.
The attackers exploited the CVE-2022-41328 zero-day to write files to FortiGate firewall disks outside the bounds normally permitted even with shell access, and then maintained persistent access with Super Administrator privileges on FortiGate firewalls through ICMP port knocking.
They also bypassed firewall rules on FortiManager devices with a passive traffic redirection utility, used a custom API endpoint created within the device to maintain persistence on FortiManager and FortiAnalyzer, and disabled OpenSSL 1.1.0 digital signature verification of system files through targeted corruption of boot files.
Once a device was compromised, the attackers established backdoor access using two previously undocumented malware families: Thincrust, a Python-based backdoor disguised as legitimate API calls, and Castletap, a passive backdoor activated by ICMP port knocking.
When FortiManager was not exposed to the Internet, the attackers deployed a traffic redirector (Tableflip) and a passive backdoor (Reptile) to circumvent the new ACLs.
In conclusion, cross-organizational communication and collaboration are key to giving manufacturers early notice of new attack methods seen in the wild before they are made public, and to giving investigators the expertise needed to shed light on these new attacks.