March 14, 2023Rabbi Lakshmanannetwork security / cyber attack

Government agencies and large organizations are being targeted by unknown attackers who exploit security flaws in Fortinet FortiOS software resulting in data loss, OS and file corruption.

“The complexity of the exploit suggests it is by sophisticated actors and highly targeted against government or government-affiliated targets,” said Fortinet researchers Guillaume Lovet and Alex Kong. I’m here. Said On last week’s recommendations.

The zero-day defect in question is CVE-2022-41328 (CVSS score: 6.5), a moderate security path traversal bug in FortiOS that could lead to the execution of arbitrary code.

Improper Restriction of Pathnames to Restricted Directories Vulnerability (“Path Traversal”) [CWE-22] FortiOS may allow a privileged attacker to read and write arbitrary files via crafted CLI commands,” the company notes.

This shortcoming affects FortiOS versions 6.0, 6.2, 6.4.0 – 6.4.11, 7.0.0 – 7.0.9, and 7.2.0 – 7.2.3. The fix is ​​available for versions 6.4.12, 7.0.10, and 7.2.4 respectively.

This disclosure addresses 15 security flaws, including CVE-2022-41328 and a critical heap-based buffer underflow issue (CVE-2023-25610, CVSS score: 9.3) affecting FortiOS and FortiProxy. This was a few days after we released a patch to address it.

According to the Sunnyvale-based company, multiple FortiGate devices owned by an unnamed customer suffered a “sudden system outage followed by boot failure,” indicating an integrity violation.

Fortinet FortiOS

Further analysis of this incident reveals that the attacker modified the device’s firmware image to include a new payload (“/bin/fgfm”) so that it is always launched before the boot process begins. became.

/bin/fgfm malware is designed to establish connections with remote servers to download files, exfiltrate data from compromised hosts, and allow remote shell access.

Additional modifications introduced to the firmware allegedly gave the attackers persistent access and control, and even allowed them to disable firmware verification at boot time.


Discover the hidden dangers of third-party SaaS apps

Are you aware of the risks associated with third-party app access to your company’s SaaS apps? Join our webinar to learn about the types of permissions granted and how to minimize the risks.

reserve a seat

Fortinet said the attack was highly targeted and had evidence pointing to a government or government-affiliated entity.

Given the complexity of the exploit, we believe the attackers had a “deep understanding of FortiOS and its underlying hardware” and advanced capabilities to reverse engineer various aspects of the FortiOS operating system. .

Whether the threat actor is connected to another set of intrusions that were observed to weaponize the FortiOS SSL-VPN flaw (CVE-2022-42475) and deploy Linux implants in January of this year remains to be seen soon. don’t understand.

Did you find this article interesting?Please follow us twitter and LinkedIn To read more exclusive content that we post.



Register now for our membership to gain access to our elite training program and fast forward your career today!


Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

Security Blog

Blue Training Academy

Blue Training Academy was developed in 2018 as a educational and training facility for continuing education and certification courses. Blue Training Academy is an educational institution that allows for all sectors of the public and Criminal Justice field to gain ongoing training and education.

Copyright ©️ All rights reserved. | Blue Training Academy Blog