Mandiant detects suspected Chinese BOLDMOVE hackers exploiting FortiOS vulnerability across federal entities

Threat intelligence firm Mandiant disclosed that it is tracking a suspected China-nexus campaign called ‘BOLDMOVE’ believed to have exploited a recently announced vulnerability in Fortinet’s FortiOS SSL-VPN, CVE-2022-42475, as a zero-day. Evidence suggests the exploitation was occurring as early as October last year, and identified targets include a European government entity and a managed service provider located in Africa.

The researchers wrote in a blog post that the malware has been identified as BOLDMOVE, with both a Windows variant and a Linux variant, the latter specifically designed to run on FortiGate firewalls. “We believe that this is the latest in a series of Chinese cyber espionage operations that have targeted internet-facing devices and we anticipate this tactic will continue to be the intrusion vector of choice for well-resourced Chinese groups,” they added.

The researchers said that the exploits required to compromise these devices can be resource intensive to develop, and thus they are most often used in operations against hardened and high-priority targets, often in the government and defense sectors. They added that “with BOLDMOVE, the attackers not only developed an exploit, but malware that shows an in-depth understanding of systems, services, logging, and undocumented proprietary formats. Malware running on an internet-connected device can enable lateral movement further into a network and enable command and control (C2) by tunneling commands in and data out of a network.”

Mandiant assesses that the BOLDMOVE Linux variant was deployed on Fortinet devices after successful exploitation of the FortiOS SSL-VPN vulnerability, the post said. However, the method for initial infection from the Windows variant is currently unclear. With that in mind, a private class C IP address (192.168.120[.]206) that was used in the Windows variant could indicate that it was used to communicate with an infected device inside the network following lateral movement or was merely used for testing, it added.

Last December, Mandiant identified the BOLDMOVE backdoor associated with the exploitation of the CVE-2022-42475 FortiOS vulnerability. BOLDMOVE is written in C and has both Windows and Linux variants, the latter of which is intended to run (at least in part) on Fortinet devices, as it reads data from a file proprietary to Fortinet.

Mandiant has not directly observed exploitation of the vulnerability; however, samples of the BOLDMOVE Linux variant have a hard-coded C2 IP address that was listed by Fortinet as being involved in the exploitation, suggesting CVE-2022-42475 was exploited to deliver BOLDMOVE.

In addition to the Linux variant, Mandiant also revealed a Windows version. Windows versions of BOLDMOVE appear to have been compiled as early as 2021. However, Mandiant has not seen this malware in use in the wild, so it is uncertain how it was used.

BOLDMOVE is a fully featured backdoor written in C and compiled with GCC 11.2.1. When executed it performs a system survey and is capable of receiving commands from a C2 server that in turn allows attackers to control the file system, spawn a remote shell, or relay traffic using the infected host.

Based on indicators from the original Fortinet advisory, Mandiant was able to identify multiple Linux versions of BOLDMOVE, the researchers said. “There are a core set of features across all observed instances of BOLDMOVE, Windows, and Linux, and at least one Linux sample contained extended capabilities enabling it to alter specific behaviors and functionality of Fortinet devices, namely FortiGate Firewalls,” they added.

Mandiant said that upon execution, BOLDMOVE attempts to form a session with a hard-coded C2 server. Once it is established, it performs a system survey to collect information that identifies the infected machine to the C2. Subsequently, the C2 may send commands for execution that allow attackers to control the infected device. Command codes across platforms and versions of BOLDMOVE may vary but their core capabilities do not appear to change. 

“Upon failure, the malware reruns itself in a new process. In addition, if the malware is executed with a command line argument, it would not initiate the backdoor logic but rather attempt to execute the provided argument as a new process,” according to Mandiant. “Prior to starting the backdoor’s logic, the malware calls the signal function in order to ignore the signals SIGCHLD, SIGHUP, SIGPIPE.”

Mandiant assesses that given their configuration, it is very hard to measure the scope and extent of malicious activity that results from exploiting internet-facing network devices, as ‘we have little to no information that can indicate those devices are compromised.’

The researchers added that there is no mechanism to detect malicious processes running on such devices, nor telemetry to proactively hunt for malicious images deployed on them following exploitation of a vulnerability. “This makes network devices a blind spot for security practitioners and allows attackers to hide in them and maintain stealth for long periods, while also using them to gain foothold in a targeted network.”

Commenting on the Mandiant disclosure, Satnam Narang, senior staff research engineer at Tenable said that “since 2019, we have seen the consistent use of SSL-VPN vulnerabilities from Citrix, Pulse Secure and Fortinet being leveraged by a variety of attackers, from ransomware affiliates to advanced persistent threat groups and nation-state actors aligned with countries like Russia, Iran and China.”

Narang highlighted that the public-facing nature of these assets makes them ripe targets for attacks. “From a cost perspective, investing in the development or procurement of zero-day vulnerabilities is certainly higher, whereas utilising publicly available exploit code for legacy vulnerabilities costs nothing. In that sense, it is surprising to see a nation-state actor with ties to China leveraging a zero-day, though it is not unexpected,” he added.

Earlier this month, Mandiant researchers analyzed a dataset of over 1700 unique, industrial-themed phishing samples delivered to organizations worldwide in 2022. The team built the dataset using a specialized set of industrial-related keywords to search through millions of samples and pinpoint phishing emails impersonating email communications from personnel operating or handling operational technology (OT) and industrial processes.
