Suspected Chinese hackers have been targeting a European government entity and African managed service provider with new custom malware.
According to a report released by Mandiant on Thursday, hackers exploited a recently patched vulnerability — CVE-2022-42475 — in FortiOS, an operating system developed by U.S. cybersecurity company Fortinet, as a zero-day.
The exploitation occurred as early as October 2022, before the bug was fixed. In January, Fortinet warned its customers that hackers were using this vulnerability to target government networks.
Mandiant identified a sophisticated new malware, which the researchers dubbed Boldmove, that exploited this vulnerability. Boldmove’s Linux variant was specifically designed to run on Fortinet’s FortiGate firewalls.
The researchers believe that this is the latest in a series of Chinese cyber espionage operations that have targeted internet-facing devices.
“We anticipate this tactic will continue to be the intrusion vector of choice for well-resourced Chinese groups,” Mandiant said.
Mandiant identified the Boldmove backdoor in December 2022. It is written in C programming language and has both Windows and Linux variants, the latter of which is intended to run in part on Fortinet devices as it reads data from files owned by the company.
When executed successfully, the malware allows attackers to gain full remote control of the affected FortiOS device.
Windows version of Boldmove was compiled as early as 2021, however, Mandiant has not seen this malware in use in the wild.
Mandiant researchers added that they suspect Chinese hackers are behind the attacks due to the tactics they used, as well as their targeting. Additionally, the malware was likely compiled on a computer configured to display Chinese characters and located in the UTC+8 time zone, which includes Australia, China, Russia, Singapore, and other Eastern Asian countries
Internet-facing devices used for managed security purposes, such as firewalls, IPS, and IDS appliances are attractive targets for hackers, according to Mandiant.
First, they have access to the internet, and if the attackers have an exploit, they can control the network without any victim interaction. “This allows the attacker to control the timing of the operation and can decrease the chances of detection,” Mandiant said.
Networking devices are typically intended to inspect network traffic, searching for anomalies as well as signs of malicious behavior, but are often not protected themselves.
The exploits required to compromise these devices are hard to develop, so they are often used against high-priority targets — in the government and defense sectors.
There is no mechanism to detect malicious processes running on internet-facing devices, according to Mandiant.
“This makes network devices a blind spot for security practitioners and allows attackers to hide in them and maintain stealth for long periods, while also using them to gain a foothold in a targeted network,” the research said.