A suspected China-linked malware operation called Boldmove is exploiting a recently patched vulnerability in Fortinet’s FortiOS SSL-VPN, CVE-2022-42475, as a zero-day believed to have struck as recently as October 2022, Mandiant said in a new advisory.
Attack Targets Identified
Targets so far include a European government entity and a managed service provider (MSP) located in Africa. MSPs and managed security service providers (MSSPs) have become enticing targets for malware attackers owing to their access to customers who are themselves often underprotected against cyberattacks.
Mandiant said it has uncovered a Windows and Linux variant of Boldmove, which is written in C.
As Mandiant stated:
“We believe that this is the latest in a series of Chinese cyber espionage operations that have targeted internet-facing devices and we anticipate this tactic will continue to be the intrusion vector of choice for well-resourced Chinese groups. This incident continues China’s pattern of exploiting internet facing devices, specifically those used for managed security purposes (e.g., firewalls, IPS\IDS appliances etc.).”
Windows versions of Boldmove appear to have been compiled as early as 2021. Mandiant acknowledged that it has not witnessed the malware in use in the wild, so it is “uncertain” how it was used. Mandiant's researchers have "not directly observed exploitation of the vulnerability,” but samples of the Linux version contain a hard-coded C2 IP address that Fortinet listed as involved in the exploitation, suggesting CVE-2022-42475 may have been exploited to deliver the malware.
Deep Understanding of Fortinet Operating Systems
The attacker appears to have tailored both the Windows and Linux versions to FortiOS, indicating that they have a sophisticated knowledge of the operating system.
As Mandiant explained:
“The exploits required to compromise these devices can be resource intensive to develop, and thus they are most often used in operations against hardened and high priority targets; often in the government and defense sectors. With Boldmove, the attackers not only developed an exploit, but malware that shows an in-depth understanding of systems, services, logging, and undocumented proprietary formats. The exploitation of zero-day vulnerabilities in networking devices, followed by the installation of custom implants, is consistent with previous Chinese exploitation of networking devices."
Mandiant's researchers said that they have “low confidence” that Boldmove is backed by the Chinese government:
“China-nexus clusters have historically shown significant interest in targeting networking devices and manipulating the operating system or underlying software which supports these devices. In addition, the geographical and sector targeting is consistent with previous Chinese operations.”
Moreover, this latest campaign continues a “long standing practice” by China-located cyber espionage actors, Mandiant said.