Mandiant researchers have determined that a recent Fortinet vulnerability was exploited as a 0-day for malware delivery in October 2022, almost two months before the patch release.

The resellers suspect the actor of having ties with the PRC, believing that the incident continues the practice of Chinese ART on the use of devices connected to the Internet, especially those used for managed security (for example, firewalls, IPS\IDS devices, etc.). 

The attacker exploited a vulnerability in Fortinet FortiOS SSL VPN in attacks on an unnamed European government agency and an MSP provider in Africa.

During the attacks, the actor used a complex backdoor, named BOLDMOVE, the Linux version of which is specially designed to work on FortiGate firewalls.

The considered intrusion vector is associated with the exploitation of a buffer overflow vulnerability in dynamic memory in FortiOS SSL-VPN (CVE-2022-42475), which can lead to RCE without authentication using specially created requests.

Earlier this month, Fortinet also reported that attempts to exploit unidentified ART of this flaw during attacks on governments and other large organizations using a universal Linux implant that delivers additional payloads and executes commands from C2.

The latest Mandiant data shows that the attacker managed to use the vulnerability as a 0-day to his advantage and hack target networks for espionage operations.

With BOLDMOVE, attackers have developed not only an exploit, but also malware that demonstrates a deep understanding of systems, services, logging and undocumented proprietary formats.

It is claimed that malware written in C has variants for both Windows and Linux, with the latter being able to read data from a file format belonging to Fortinet.

Analysis of the metadata of the backdoor version for Windows shows that they were compiled back in 2021, although no samples were found in the wild.

BOLDMOVE is designed to analyze the system and is able to receive commands from C2, which, in turn, allows attackers to perform operations with files, launch a remote shell and relay traffic through an infected host.

The advanced malware sample for Linux comes with additional features to disable and manage logging functions in an attempt to avoid detection, which is confirmed by the Fortinet report.