Fortinet Cyber Security Update Fails; Zero-Day Exploited by Threat Actors

Highlights

  • Threat actors exploited a bug in FortiOS to target government & related organizations.
  • The high-severity vulnerability, CVE-2022-41328, was exploited as a zero-day.
  • The vulnerability was used to hack and dismantle multiple Fortinet FortiGate firewall devices.

 


A week ago, cybersecurity firm Fortinet pushed out a security update to fix a high-severity vulnerability, CVE-2022-41328, that allows threat actors to execute unauthorized commands or code.


To put this into perspective, unidentified threat actors used a zero-day exploit for a bug in FortiOS to target government & big organizations, ultimately leading to OS and file corruption & loss of data.

FortiOS, as the name suggests, is Fortinet’s operating system, which enterprises use as a network security OS. It provides advanced threat protection with unified security access, network security & more.

The advisory did not mention that threat actors had exploited the bug before it was patched. However, a report published by the security firm revealed that CVE-2022-41328 was used to hack and dismantle multiple Fortinet FortiGate firewall devices belonging to one of its customers.

“An improper limitation of a pathname to a restricted directory vulnerability (path traversal) [CWE-22] in FortiOS may allow a privileged attacker to read and write arbitrary files via crafted CLI commands,” the firm mentions in its advisory.

The affected versions are FortiOS 6.4.0 to 6.4.11, FortiOS 7.0.0 to 7.0.9, FortiOS 7.2.0 to 7.2.3, and all versions of FortiOS 6.0 to 6.2.


To patch the flaw, admins have to upgrade vulnerable devices to FortiOS version 6.4.12 and later, FortiOS version 7.0.10 and later, or FortiOS version 7.2.4 and above.

The security firm discovered the attack after the customer’s compromised Fortinet devices shut down, with the system entering error mode due to the “FIPS error: Firmware integrity self-test failed” message, and failed to start again.


The firm mentions that this happened because FIPS-enabled devices verify the integrity of system components and are built to shut down and stop booting, to block a network breach, if an exploit is identified.

The firewalls were exploited via the FortiManager device on the target’s network. The firm notes that all of them stopped simultaneously, which means that they were hacked with the same tactics, and that the FortiGate path traversal exploit was launched at the same time as scripts were executed via FortiManager.

The subsequent investigation showed that the attackers altered the device firmware image (/sbin/init) to launch a payload (/bin/fgfm) before the boot process started.

The malware allowed for data exfiltration, downloading and writing files, or opening remote shells when it received an ICMP packet containing the “;7(Zu9YTsA7qQ#vm” string.
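For defenders who want to hunt for that trigger in captured traffic, the following added example (not from Fortinet's report or the original article) parses raw IPv4 packets and flags ICMP payloads that contain the string quoted above. It assumes unfragmented packets and a plain substring match; the helper names and sample packets are constructed for illustration.

```python
import struct

# Trigger string as quoted in the article.
MARKER = b";7(Zu9YTsA7qQ#vm"

def icmp_payload(packet: bytes):
    """Return the ICMP payload of a raw IPv4 packet, or None if it is not usable ICMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # header length, including any IP options
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or packet[9] != 1 or total_len < ihl + 8 or len(packet) < total_len:
        return None                       # not ICMP, malformed, or truncated capture
    return packet[ihl + 8:total_len]      # skip the 8-byte ICMP header

def has_marker(packet: bytes) -> bool:
    payload = icmp_payload(packet)
    return payload is not None and MARKER in payload

def build_ipv4(proto: int, body: bytes, options: bytes = b"") -> bytes:
    """Build a constructed test packet (checksums left at zero, not validated here)."""
    ihl_words = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                         20 + len(options) + len(body), 0, 0, 64, proto, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return header + options + body

def icmp_echo(payload: bytes) -> bytes:
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload

# Constructed samples: documentation-range addresses, made-up payloads.
SAMPLES = {
    "plain ping": build_ipv4(1, icmp_echo(b"abcdefghijklmnop")),
    "marker ping": build_ipv4(1, icmp_echo(b"\x00\x01" + MARKER + b"\x02")),
    "marker with IP options": build_ipv4(1, icmp_echo(MARKER), options=b"\x01" * 4),
    "marker in UDP": build_ipv4(17, b"\x00" * 8 + MARKER),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: {'ALERT' if has_marker(pkt) else 'ok'}")
```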


The cybersecurity firm mentions that the attacks were highly targeted, with proof that the threat actors favored government networks. The threat actors showed advanced capabilities, including reverse engineering of Fortinet’s device operating system.

The attacks were highly targeted, with some proof that they favored government & government-related targets, mentions Fortinet.

The exploit requires an in-depth understanding of FortiOS & its hardware. The investigation shows that the attackers had advanced capabilities, including reverse engineering many parts of the security firm’s OS. Fortinet customers are advised to upgrade to a patched version to block possible attack attempts.
