Hackers are actively targeting government organizations with malware and Trojans by exploiting a known vulnerability in Fortinet VPN hardware.
This is according to Fortinet itself, which posted a security warning earlier this week urging users to deploy the patch immediately. The flaw, tracked as CVE-2022-42475, is a heap-based buffer overflow in FortiOS SSL-VPN. It allows an unauthenticated remote attacker to crash a vulnerable device or gain remote code execution (RCE) on it via specially crafted requests.
The patch has been available since late November last year. FortiOS 7.2.3 fixes the issue, as do the corresponding 7.0.9, 6.4.11 and 6.2.12 releases for the older branches.
Highly targeted attacks
This isn’t the first time Fortinet has urged users to apply this specific patch – it also issued a warning in mid-December 2022. This time, Fortinet warned its customers that the flaw was being used to install a trojanized version of the FortiOS Intrusion Prevention System (IPS) engine.
“The sophistication of the exploit indicates an advanced actor and is highly targeted at governmental or government-related objectives,” the warning states. “The detected Windows sample attributed to the attacker displayed artifacts compiled on a machine in the UTC+8 time zone, which includes Australia, China, Russia, Singapore, and other East Asian countries.”
Once a device is compromised, the threat actors go to great lengths to remain hidden.
The malware installed on FortiOS patches the logging processes, allowing the attackers to delete specific log entries and thus erase the evidence of their presence. Furthermore, because the malware is delivered as a trojanized copy of the IPS engine, it blends in with legitimate FortiOS components.
“The malware patches the logging processes of FortiOS to manipulate logs to avoid detection,” Fortinet said. “The malware can manipulate log files. It looks for elog files, which are logs of events in FortiOS. After decompressing them into memory, it looks for a string specified by the attacker, deletes it, and rebuilds the logs.”
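The log-scrubbing routine Fortinet describes, and the reason it matters for defenders, is easier to reason about with a small model. The example below is added here; it is not Fortinet’s code nor the attacker’s, and the “elog” format it uses (gzip-compressed, newline-separated event lines) is a constructed stand-in, since the real FortiOS elog format is not documented on this page. It reproduces the described steps (decompress in memory, drop every event containing an attacker-chosen string, rebuild the compressed log) and then shows the detection a practitioner wants: an off-box copy of the same events, forwarded over syslog before the tampering, still holds the lines the device no longer does.

```python
import gzip

# Constructed sample events (not real FortiOS output); the source IP is from the
# TEST-NET-3 documentation range.
SAMPLE_EVENTS = [
    'date=2023-01-10 time=09:15:02 type="event" subtype="vpn" msg="SSL tunnel established" user="alice"',
    'date=2023-01-10 time=09:17:44 type="event" subtype="vpn" msg="SSL tunnel shutdown" user="alice"',
    'date=2023-01-10 time=09:20:11 type="event" subtype="system" msg="Admin login successful" user="admin" srcip=203.0.113.77',
    'date=2023-01-10 time=09:21:05 type="event" subtype="system" msg="Admin logout" user="admin" srcip=203.0.113.77',
]


def compress_elog(lines):
    """Pack event lines into a gzip blob (constructed stand-in for an on-box elog)."""
    payload = "".join(line + "\n" for line in lines).encode("utf-8")
    return gzip.compress(payload)


def read_elog(blob):
    """Decompress a blob back into its list of event lines."""
    return gzip.decompress(blob).decode("utf-8").splitlines()


def scrub_elog(blob, needle):
    """Model of the described technique: decompress in memory, drop every event
    that contains the attacker-chosen string, and rebuild the compressed log so
    the remaining file still parses cleanly and shows no obvious gap."""
    kept = [line for line in read_elog(blob) if needle not in line]
    return compress_elog(kept)


def find_scrubbed_events(local_blob, forwarded_lines):
    """Detection: events present in the forwarded (off-box syslog) copy but absent
    from the device's own log are evidence of on-box log tampering."""
    local = set(read_elog(local_blob))
    return [line for line in forwarded_lines if line not in local]


if __name__ == "__main__":
    on_box = compress_elog(SAMPLE_EVENTS)
    forwarded = list(SAMPLE_EVENTS)          # copy shipped off-box before tampering
    tampered = scrub_elog(on_box, "203.0.113.77")
    print("events left on device:", len(read_elog(tampered)))
    for line in find_scrubbed_events(tampered, forwarded):
        print("missing on device:", line)
```

The takeaway is the last function: once an attacker controls the appliance, its local logs are no longer trustworthy, so event logs should be forwarded to a collector the device cannot write back to, and any investigation of a device that was exposed while unpatched should reconcile the on-box logs against that copy.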
The best way to protect your organization from these attacks is to make sure your FortiOS is up to date. Because the malware is built to scrub the device’s own logs, any unit that was exposed while unpatched should also be checked against the indicators of compromise Fortinet published, rather than cleared on the strength of its local logs alone.
Via: BleepingComputer