A zero-day vulnerability in FortiOS SSL-VPN, which Fortinet patched in December, was exploited by unknown attackers in attacks on government and various large organizations.
The attackers exploited a heap-based buffer overflow, CVE-2022-42475 (CVSS: 9.8), which could allow a remote unauthenticated attacker to execute arbitrary code via specially crafted requests.
The ultimate goal of the infection chain was the deployment of a generic Linux implant modified for FortiOS, which is designed to compromise Fortinet's Intrusion Prevention System (IPS) software and to establish a connection to a remote server for downloading additional malicious programs and commands.
Fortinet was unable to recover the payloads used in the later stages of the attacks. When exactly the intrusion occurred has not been reported.
In addition, the attackers used code obfuscation to hinder analysis, as well as "advanced capabilities" to manipulate FortiOS logs and kill logging processes in order to remain undetected. Fortinet noted that the exploit requires "a deep understanding of FortiOS and the underlying hardware", which implies that the attacker has the skills to reverse engineer various parts of FortiOS.
The Windows artifacts that were discovered showed that they had been compiled on a machine in the UTC+8 time zone, which includes Australia, China, Russia, Singapore and other East Asian countries.