FortiOS zero-day vulnerability used in government-targeted attacks

Target Industry

Government organisations.

Overview

Severity Level – High: Compromise may result in the loss of confidentiality and integrity of data.

Fortinet addressed a zero-day vulnerability, tracked as CVE-2022-41328 (CVSSv3 base score of 7.1), that allows threat actors to execute unauthorised commands on target systems.

The incident was discovered when compromised FortiGate devices were observed shutting down with the following failure message:

– “System enters error-mode due to FIPS error: Firmware Integrity self-test failed”

The shutdown is deliberate FIPS behaviour: FIPS-enabled devices verify the integrity of their system components and are configured to halt and refuse to continue booting when a compromise is detected, in order to block a network breach.

These FortiGate firewalls were breached via a FortiManager device on the target network: the FortiGate path traversal exploit was launched in tandem with scripts executed through FortiManager. Investigation of the incident showed that the threat actors modified the device firmware image (/sbin/init) to launch a payload (/bin/fgfm) before the boot process starts. The associated malware provides the following cyber-espionage capabilities:

– Data exfiltration
– Downloading and writing files on compromised devices
– Opening remote shells when receiving an ICMP packet containing the “;7(Zu9YTsA7qQ#vm” string.

Upon further investigation, it was suspected that the vulnerability was exploited by the Chinese threat actor group tracked as UNC3886. Following initial exploitation, the attackers backdoored the compromised devices with two new malware strains for persistence. These were identified as:

– Python-based Thincrust backdoor
– ICMP port-knocking Castletap passive backdoor.

Impact

CVE-2022-41328 is an improper limitation of a pathname to a restricted directory (path traversal) vulnerability in FortiOS which could allow a threat actor with the appropriate privileges to read and write arbitrary files via crafted CLI commands.

Vulnerability Detection

Fortinet has released patches for the affected product versions; versions prior to the patched releases remain vulnerable to exploitation.

Affected Products

– FortiOS versions 6.4.0 – 6.4.11
– FortiOS versions 7.0.0 – 7.0.9
– FortiOS versions 7.2.0 – 7.2.3
– All versions of FortiOS 6.0 and 6.2

Containment, Mitigations & Remediations

It is strongly recommended that administrators apply the following FortiOS upgrades:

– FortiOS version 6.4.12 and later
– FortiOS version 7.0.10 and later
– FortiOS version 7.2.4 and above

Indicators of Compromise

System/Logs:

– String “execute wireless-controller hs20-icon upload-icon”
– String “User FortiManager_Access via fgfmd upload and run script”

Network:

– 47.252.20[.]90

File hashes (MD5):

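The log and network indicators above can be turned into a first-pass triage check. The following is an added example, not code from the bulletin or from Fortinet: it matches exported FortiOS log lines against the published strings and IP, and inspects raw IPv4/ICMP packets for the Castletap knock string. The log format and packets are constructed for illustration, and the check covers only the indicators listed here.

```python
# Added example (not from the bulletin): match FortiOS log lines against the
# published IoC strings/IP and check ICMP payloads for the Castletap knock string.
import ipaddress
import re
import struct

# Indicators quoted in the bulletin (the defanged IP written normally here).
LOG_IOC_STRINGS = (
    "execute wireless-controller hs20-icon upload-icon",
    "User FortiManager_Access via fgfmd upload and run script",
)
IOC_IP = ipaddress.ip_address("47.252.20.90")
CASTLETAP_MAGIC = b";7(Zu9YTsA7qQ#vm"
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def scan_log_lines(lines):
    """Return (line_number, reason) for every line containing an IoC."""
    hits = []
    for no, line in enumerate(lines, 1):
        hits += [(no, f"string:{s}") for s in LOG_IOC_STRINGS if s in line]
        for token in IPV4_RE.findall(line):
            try:
                if ipaddress.ip_address(token) == IOC_IP:
                    hits.append((no, f"ip:{token}"))
            except ValueError:  # e.g. 999.1.1.1 matched the loose regex
                pass
    return hits

def icmp_has_knock(ipv4_packet):
    """True if an IPv4 packet is ICMP and its payload carries the magic string."""
    if len(ipv4_packet) < 20 or ipv4_packet[9] != 1:  # IP protocol 1 = ICMP
        return False
    ihl = (ipv4_packet[0] & 0x0F) * 4                 # IPv4 header length
    return CASTLETAP_MAGIC in ipv4_packet[ihl + 8:]   # skip 8-byte ICMP header

def build_icmp_echo(payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Construct a minimal IPv4/ICMP echo request (checksums left zero) for tests."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload),
                         0, 0, 64, 1, 0, src, dst)
    return ip_hdr + struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload

# Constructed sample log lines (not real device output).
SAMPLE_LOGS = [
    'date=2023-03-10 msg="User admin logged in from 192.168.1.5"',
    'date=2023-03-10 msg="User FortiManager_Access via fgfmd upload and run script"',
    'date=2023-03-10 msg="execute wireless-controller hs20-icon upload-icon"',
    'date=2023-03-10 dstip=47.252.20.90 action=accept',
]
```

Running `scan_log_lines(SAMPLE_LOGS)` flags lines 2 to 4; feed `icmp_has_knock` the IP layer of captured packets to test the ICMP trigger.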

Threat Landscape

Fortinet has a significant proportion of the networking-hardware market share. Threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to develop exploits for. As a result, networking hardware products are a prime target. Due to the fact that Fortinet products have become an integral aspect of business operations, threat actors will continue to exploit the associated vulnerabilities in an attempt to exfiltrate sensitive data contained therein or impact associated business operations.

In January 2022, Fortinet disclosed a similar series of incidents in which a FortiOS SSL-VPN vulnerability, tracked as CVE-2022-42475, was also used as a zero-day vulnerability to target government organisations. Many correlations exist between the threat profile of the FortiOS SSL-VPN zero-day attacks and a separate Chinese hacking campaign that infected unpatched SonicWall Secure Mobile Access (SMA) appliances with cyber-espionage malware.

Threat Group

It is suspected that the vulnerability has been exploited by a Chinese threat actor group being tracked as UNC3886. This attribution was, in part, due to the highly targeted nature of the attacks against government networks and large organisations. The threat actors also demonstrated advanced capabilities which included reverse-engineering of the FortiGate devices’ operating system.

It should be noted that at the time of writing, no official attribution has been made.

Mitre Methodologies

Tactic:

TA0002 – Execution

Tactic:

TA0010 – Exfiltration

Common Weakness Enumeration:

CWE-22 – Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Further Information

Fortinet Blog
FortiGuard Advisory