Attack Targets Identified
Targets so far include a European government entity and a managed service provider (MSP) located in Africa. MSPs and managed security service providers (MSSPs) have become enticing targets for malware attackers owing to their access to customers who are themselves often underprotected against cyberattacks.

Mandiant said it has uncovered a Windows and Linux variant of Boldmove, which is written in C. As Mandiant stated:

“We believe that this is the latest in a series of Chinese cyber espionage operations that have targeted internet-facing devices and we anticipate this tactic will continue to be the intrusion vector of choice for well-resourced Chinese groups. This incident continues China’s pattern of exploiting internet facing devices, specifically those used for managed security purposes (e.g., firewalls, IPS\IDS appliances etc.).”
Deep Understanding of Fortinet Operating Systems
The attacker appears to have tailored both the Windows and Linux versions to FortiOS, indicating that they have a sophisticated knowledge of the operating system. As Mandiant explained:

“The exploits required to compromise these devices can be resource intensive to develop, and thus they are most often used in operations against hardened and high priority targets; often in the government and defense sectors. With Boldmove, the attackers not only developed an exploit, but malware that shows an in-depth understanding of systems, services, logging, and undocumented proprietary formats. The exploitation of zero-day vulnerabilities in networking devices, followed by the installation of custom implants, is consistent with previous Chinese exploitation of networking devices.”
“China-nexus clusters have historically shown significant interest in targeting networking devices and manipulating the operating system or underlying software which supports these devices. In addition, the geographical and sector targeting is consistent with previous Chinese operations.”