Chinese Hackers Exploit FortiOS Zero-Day Vulnerability to Deploy New Malware
A vulnerability in Fortinet’s FortiOS SSL-VPN has been exploited by a group of Chinese hackers.
Several versions of BOLDMOVE have been identified by Mandiant, varying in their capabilities, but a core set of features is present in all samples, including the following:
- Perform a system survey
- Receive commands from the C2 server
- Spawn a remote shell
- Relay traffic via the infected host

BOLDMOVE supports a number of commands that allow threat actors to do the following remotely:
- Manage files
- Execute commands
- Create an interactive shell
- Control the backdoor

It is believed that the Windows version of the malware was compiled in 2021, almost a year before the Linux version. The Linux version carries out the following steps:
- Retrieve its own path from /proc/self/exe
- Obtain an inode for the resulting path via fstatat
- Obtain a second inode for the statically defined path /bin/wxd
- Compare the two inode records

It is important to note that the Linux version has a significant feature that allows it to work with FortiOS devices specifically, unlike the Windows version; this is one of the most significant differences between them. In December, Fortinet made the vulnerability public and urged its customers to patch their devices, as it had discovered that malicious actors were actively exploiting the flaw.
Source read time: 2 min - gbhackers.com