Suspected Chinese threat actors observed attacking Fortinet zero-day

Threat actors have been observed using a flaw in Fortinet's Security Fabric stack to attack large enterprises and government entities, according to the company's researchers.

The flaw in question, tracked as CVE-2022-41328 (CVSS score 6.5), is a path traversal zero-day vulnerability in FortiOS, the network operating system of the Fortinet Security Fabric, which could lead to arbitrary code execution.

"An improper limitation of a pathname to a restricted directory vulnerability ('path traversal') [CWE-22] in FortiOS may allow a privileged attacker to read and write arbitrary files via crafted CLI commands," the company's advisory says.

Fortinet released security updates on 7th March to patch the vulnerability. Organisations running vulnerable versions of FortiOS should upgrade to FortiOS version 6.4.12 or later, version 7.0.10 or later, or version 7.2.4 or later.
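As an added example that is not part of the article or Fortinet's own tooling, the check below takes the fixed versions listed above and flags which FortiOS builds in a device inventory are still below the fix on their branch. It compares version components numerically (so 7.0.10 correctly ranks above 7.0.9) and reports branches the text does not list as unknown rather than guessing; hostnames and version strings in the sample are constructed.

```python
import re
from typing import Optional

# First fixed release on each affected branch, as stated in the advisory summary above.
FIXED_FOR_CVE_2022_41328 = {
    (6, 4): (6, 4, 12),
    (7, 0): (7, 0, 10),
    (7, 2): (7, 2, 4),
}

# Accepts forms such as "7.2.4", "v7.0.9" or "v7.0.10,build0450" (build suffix ignored).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_fortios_version(text: str) -> tuple[int, int, int]:
    """Return (major, minor, patch) for a FortiOS version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: str) -> Optional[bool]:
    """True if at or above the fix on its branch, False if below it,
    None if the branch is not one the advisory summary above lists."""
    major, minor, patch = parse_fortios_version(version)
    fixed = FIXED_FOR_CVE_2022_41328.get((major, minor))
    if fixed is None:
        return None  # e.g. a 6.2.x or 7.4.x build: not covered by the text above
    return (major, minor, patch) >= fixed  # tuple comparison is numeric, not lexical


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group device names by status: 'patched', 'vulnerable' or 'unknown'."""
    out: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for name, ver in inventory.items():
        status = is_patched(ver)
        key = "unknown" if status is None else ("patched" if status else "vulnerable")
        out[key].append(name)
    return out


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames and versions).
    sample = {"fw-edge-1": "v7.0.9,build0444", "fw-edge-2": "v7.0.10",
              "fw-dc-1": "6.4.11", "fw-lab-1": "v7.4.0"}
    print(triage(sample))
```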

The company discovered that the flaw had been used to cause "data loss and OS and file corruption" at one customer, which is not named.

It was alerted to the security incident when multiple FortiGate firewall devices failed and would not reboot, the latter being a security feature to prevent attackers taking over the devices. On inspection, Fortinet's researchers found the FortiGate image had been altered, with a new file added that may have been designed to maintain remote access to the affected systems.

"The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," Fortinet said.

"The exploit requires a deep understanding of FortiOS and the underlying hardware. Custom implants show that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS."

Cybersecurity company Mandiant has been working with Fortinet to track what appears to be a state-sponsored actor exploiting CVE-2022-41328 to attain a persistent presence on the FortiManager management console and the FortiAnalyzer log management and analytics platform since the middle of 2022.

Mandiant suspects the threat actor to be UNC3886, a group thought to have connections to the Chinese government and also associated with attacks on the VMware ESXi hypervisor, among others. The purpose of the attacks, which often happen in multiple stages, is thought to be espionage.

"Chinese espionage operators' recent victims include DIB [defence industrial base], government, telecoms and technology," said Mandiant CTO Charles Carmakal.

"Given how incredibly difficult they are to find, most organisations cannot identify them on their own. It's not uncommon for Chinese campaigns to end up as multi-year intrusions."

Networking infrastructure such as firewalls and VPNs is an attractive target for hackers seeking a foothold within organisations, and attacks on it are often hard to detect.

Last week, Fortinet issued a warning about a critical vulnerability, CVE-2023-25610, affecting FortiOS and the FortiProxy web proxy, which could enable an unauthorised remote attacker to execute arbitrary code or initiate a denial of service (DoS) attack.

A little earlier, security researchers published a proof-of-concept (PoC) exploit for a different critical vulnerability (CVE-2022-39952) found in Fortinet's FortiNAC network access control suite.

The frequency with which vulnerabilities are discovered and exploits emerge underlines the importance of upgrading or patching systems within the shortest possible timeframe.