Threat actor deploys new malware.
FortiOS vulnerability exploited.
A suspected Chinese threat actor is exploiting a recently patched critical flaw in Fortinet's FortiOS SSL-VPN, according to researchers at Mandiant.
Vulnerability exploited as a zero-day.
The threat actor began exploiting the vulnerability in October 2022, months before the flaw was disclosed publicly. Fortinet issued an advisory on December 12th rating the vulnerability as “critical,” noting that the company was “aware of an instance where this vulnerability was exploited in the wild.” Mandiant says the threat actor targeted “a European government entity and a managed service provider located in Africa.”
The researchers also identified a new malware family, dubbed “BOLDMOVE,” that the threat actor deployed on compromised devices alongside its exploit for this vulnerability:
“We have uncovered a Windows variant of BOLDMOVE and a Linux variant, which is specifically designed to run on FortiGate Firewalls. We believe that this is the latest in a series of Chinese cyber espionage operations that have targeted internet-facing devices and we anticipate this tactic will continue to be the intrusion vector of choice for well-resourced Chinese groups.”
Mandiant also notes that the threat actor appears to be sophisticated and well-funded, stating, “The exploits required to compromise these devices can be resource intensive to develop, and thus they are most often used in operations against hardened and high priority targets; often in the government and defense sectors. With BOLDMOVE, the attackers not only developed an exploit, but malware that shows an in-depth understanding of systems, services, logging, and undocumented proprietary formats.”