Posted on January 13, 2023 at 6:09 AM
An unknown attacker exploited a critical flaw in Fortinet's FortiOS SSL-VPN to compromise government and other institutions, using custom-built malware, according to a post-mortem analysis Fortinet published earlier this week.
Hackers exploit a critical flaw in FortiOS to infect VPN users
The vulnerability is tracked as CVE-2022-42475, a heap-based buffer overflow in the SSL-VPN daemon that lets an unauthenticated remote attacker execute arbitrary code. It carries a severity rating of 9.8 out of 10.
Fortinet silently patched the vulnerability in FortiOS 7.2.3, released on November 28, but the release notes published with that version did not mention it.
Fortinet publicly disclosed the vulnerability on December 12. At that time the company warned that the flaw was already being exploited in the wild and that at least one customer had been compromised. It urged customers to make sure they were running a patched version and to search their networks for signs that the vulnerability had been exploited.
FortiOS SSL-VPNs run on FortiGate firewalls deployed at the network border, between sensitive internal networks and the public internet, so a compromised firewall gives an attacker a foothold on the perimeter itself. Fortinet's latest report gives detailed findings about what happened and about the actor behind the exploit.
The report, however, does not address why the company did not disclose the vulnerability when it patched it in November. A Fortinet spokesperson also did not explain the delay or describe the company's policy on disclosing vulnerabilities.
“The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets,” officials from Fortinet said in an update released on Wednesday.
The exploit requires a deep understanding of FortiOS and the device it runs on, which points to a sophisticated actor. The attackers also used custom implants, which shows that they had reverse-engineered parts of FortiOS.
Timestamps in the threat actor's activity are consistent with the UTC+8 time zone, which covers parts of Russia and Australia as well as China, Singapore and other countries in East Asia.
Fortinet also analyzed a compromised device and found that the attacker used the flaw to install a variant of a generic Linux implant that had been customized to run on FortiOS. The attackers took steps to hide their activity, including manipulating the device's logging so that certain events were no longer recorded once the malware was in place, and the implant was disguised to look like a component of Fortinet's IPS Engine.
When the researchers emulated the implant, they observed it connect to its command-and-control servers and found a unique byte string in the TLS "Client Hello" it sends. Because the Client Hello is transmitted in cleartext before encryption begins, that string can serve as an intrusion-prevention signature for the implant's traffic.
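As an added illustration (this is not Fortinet's code, and the real signature bytes are not reproduced on this page), the Python below parses the cleartext fields of a TLS Client Hello record and checks them for a fixed byte marker, which is how an IPS signature on the implant's beacon works. IMPLANT_MARKER, its placement in the client random, and the sample Client Hello packets are all constructed assumptions for the example.

```python
"""Match a byte-string signature against a TLS ClientHello.

Added example, not Fortinet's code. IMPLANT_MARKER is a made-up placeholder
standing in for the unique byte string Fortinet observed; the sample
ClientHello records below are constructed inline for demonstration.
"""
import struct

# Placeholder marker (assumption for this example, not the real signature).
# Assumed to sit at the start of the 32-byte client random.
IMPLANT_MARKER = bytes.fromhex("deadbeefcafe0000")


def parse_client_hello(record: bytes) -> dict:
    """Parse the cleartext fields of a TLS ClientHello record.

    Returns version, random, session_id, cipher_suites and extensions.
    Raises ValueError if the bytes are not a well-formed ClientHello.
    """
    if len(record) < 5 or record[0] != 0x16:      # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:          # 0x01 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated ClientHello")
    off = 0
    version = struct.unpack("!H", hs[off:off + 2])[0]
    off += 2
    rnd = hs[off:off + 32]                        # client random (cleartext)
    off += 32
    sid_len = hs[off]
    off += 1
    session_id = hs[off:off + sid_len]
    off += sid_len
    cs_len = struct.unpack("!H", hs[off:off + 2])[0]
    off += 2
    cipher_suites = [struct.unpack("!H", hs[i:i + 2])[0]
                     for i in range(off, off + cs_len, 2)]
    off += cs_len
    comp_len = hs[off]
    off += 1 + comp_len                           # skip compression methods
    extensions = []
    if off + 2 <= len(hs):
        ext_len = struct.unpack("!H", hs[off:off + 2])[0]
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[off:off + 4])
            off += 4
            extensions.append((etype, hs[off:off + elen]))
            off += elen
    return {"version": version, "random": rnd, "session_id": session_id,
            "cipher_suites": cipher_suites, "extensions": extensions}


def matches_implant_signature(record: bytes, marker: bytes = IMPLANT_MARKER) -> bool:
    """True if the marker appears in the ClientHello random or session ID."""
    try:
        hello = parse_client_hello(record)
    except ValueError:
        return False                              # not a ClientHello: no match
    return marker in hello["random"] or marker in hello["session_id"]


def build_client_hello(random_bytes: bytes, session_id: bytes = b"",
                       cipher_suites=(0x1301, 0x1302, 0xC02F), sni: str = "") -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record for testing."""
    assert len(random_bytes) == 32
    body = struct.pack("!H", 0x0303) + random_bytes
    body += bytes([len(session_id)]) + session_id
    cs = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += struct.pack("!H", len(cs)) + cs
    body += b"\x01\x00"                           # one compression method: null
    exts = b""
    if sni:                                       # server_name extension (RFC 6066)
        host = sni.encode()
        sni_list = b"\x00" + struct.pack("!H", len(host)) + host
        sni_ext = struct.pack("!H", len(sni_list)) + sni_list
        exts += struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed samples: a benign hello and one carrying the placeholder marker.
BENIGN_HELLO = build_client_hello(bytes(range(32)), sni="example.com")
IMPLANT_HELLO = build_client_hello(IMPLANT_MARKER + bytes(24), session_id=b"\x00" * 8)

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_HELLO), ("implant", IMPLANT_HELLO)):
        print(name, "->", "ALERT" if matches_implant_signature(pkt) else "ok")
```

Running the module flags the constructed implant hello and passes the benign one. A production rule would use the vendor-published bytes in whichever Client Hello field Fortinet specified; the point of the example is that the match is possible at all only because the Client Hello precedes key exchange and is never encrypted.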
The report also lists behaviour observed on the compromised device that indicates it was targeted: connections from the FortiGate to a range of attacker-controlled IP addresses, and further TCP sessions including connections to the FortiGate on port 443, multiple requests, an interactive shell session, and a connection used to execute a command on the FortiGate.
The analysis includes several indicators of compromise. Organizations running FortiOS SSL-VPN are urged to check their devices and networks for those indicators to determine whether they were targeted and whether they were infected.
Failure to disclose the vulnerability
The post-mortem also does not explain why Fortinet withheld disclosure of a vulnerability with such a high severity score until after it had been exploited. Proper disclosure lets customers prioritize patching: a fix for a flaw rated 9.8 is rolled out far more quickly than an unannounced maintenance release.
In response, company officials said that in December Fortinet distributed a PSIRT advisory containing mitigation guidance and the next steps customers needed to take to address the flaw.
“We notified customers via the PSIRT Advisory process and advised them to follow the guidance provided and, as part of our ongoing commitment to the security of our customers, continue to monitor the situation. Today, we shared additional research regarding CVE-2022-42475,” the company said, urging users to review the blog post to learn more about the bug.