Attackers deploy sophisticated Linux implant on Fortinet network security devices


In December, network security provider Fortinet revealed that a critical vulnerability in its FortiOS operating system was being exploited by attackers in the wild. This week, after further analysis, the company published more details about a sophisticated malicious implant that the same attackers deployed using the flaw.

Based on currently available information, the original zero-day attack was highly targeted at government-related entities. However, since the vulnerability has been known for over a month, all customers should patch it as soon as possible because more attackers could start using it.

Remote code execution on FortiOS SSL-VPN

The vulnerability, tracked as CVE-2022-42475, is in the SSL-VPN functionality of FortiOS and can be exploited by unauthenticated remote attackers. A successful exploit can result in the execution of arbitrary code and commands.

Fortinet rated the vulnerability 9.3 (critical) on the CVSS scale and released updates for the major versions of FortiOS, FortiOS-6K7K and FortiProxy, the company’s secure web gateway product. FortiOS runs on the company’s FortiGate firewalls and other network security devices.

One workaround for customers who cannot deploy the updates immediately is to disable SSL-VPN entirely, which may be difficult for organizations that rely on this functionality to support their remote or hybrid work environments. Fortinet also released an IPS (Intrusion Prevention System) signature to detect exploit attempts, as well as antivirus detection rules for the known implant.

Customers can also look in their logs for the following entries that could indicate exploit attempts:

Logdesc="Application crashed" and msg="[...] application:sslvpnd,[...], Signal 11 received, Backtrace: [...]"
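As an added illustration (not code from the article or from Fortinet), the following Python triage script applies that indicator to FortiOS event-log lines. The log lines below are constructed samples in the FortiOS key="value" style; only the sslvpnd crash with "Signal 11 received" should be flagged, while a crash in a different daemon or an unrelated event should not.

```python
import re

# Constructed sample FortiOS event-log lines (not real device output).
# Line 1 matches the advisory's indicator; lines 2 and 3 are decoys.
SAMPLE_LOGS = [
    'date=2022-12-12 time=10:01:22 logid="0100032013" type="event" subtype="system" '
    'level="warning" logdesc="Application crashed" msg="Pid: 1234, application:sslvpnd, '
    'Signal 11 received, Backtrace: [0x00007f00deadbeef]"',
    'date=2022-12-12 time=10:02:05 logid="0100032013" type="event" subtype="system" '
    'level="warning" logdesc="Application crashed" msg="Pid: 4321, application:httpsd, '
    'Signal 11 received, Backtrace: [0x00007f00cafef00d]"',
    'date=2022-12-12 time=10:03:10 logid="0100032001" type="event" subtype="system" '
    'level="information" logdesc="Admin login successful" msg="Administrator admin logged in"',
]

# key=value pairs; quoted values may contain spaces, commas and escaped quotes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_line(line):
    """Split one FortiOS key=value log line into a dict, stripping the quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def is_sslvpnd_crash(fields):
    """True when a parsed line matches the CVE-2022-42475 exploit-attempt indicator:
    an 'Application crashed' event where sslvpnd died with SIGSEGV (signal 11)."""
    msg = fields.get("msg", "")
    return (fields.get("logdesc") == "Application crashed"
            and "application:sslvpnd" in msg
            and "Signal 11 received" in msg)


def find_exploit_indicators(lines):
    """Return the parsed records of every line that matches the indicator."""
    parsed = (parse_fortios_line(line) for line in lines)
    return [fields for fields in parsed if is_sslvpnd_crash(fields)]


if __name__ == "__main__":
    for hit in find_exploit_indicators(SAMPLE_LOGS):
        print(f"{hit['date']} {hit['time']} possible SSL-VPN exploit attempt: {hit['msg']}")
```

A single sslvpnd segfault can also be a benign crash, so treat a hit as a reason to check the device against the advisory's other indicators, not as proof of compromise.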

Disguising the implant as a trojanized version of the FortiOS IPS Engine

In an attack analyzed by Fortinet, the attackers exploited the vulnerability and wrote a trojanized version of the FortiOS IPS Engine to the file system. This indicates that the attackers are highly skilled and capable of reverse engineering custom FortiOS components.

The rogue version of the IPS Engine was saved on the file system as /data/lib/libips.bak and is a copy of the legitimate /data/lib/libips.so with malicious modifications. Specifically, the rogue version exports two legitimate functions, ips_so_patch_urldb and ips_so_query_interface, that are normally part of the real libips.so, but hijacks them to run code stored in other malicious components.

“If libips.bak is called libips.so in the /data/lib directory, the malicious code will be executed automatically when FortiOS components call these exported functions,” the Fortinet analysts said. “The binary doesn’t try to revert to the clean IPS engine code, so IPS functionality is also compromised.”

In other words, once the malicious version is executed, the legitimate IPS functionality no longer functions properly. The hijacked functions execute malicious code that reads and writes to several files called libiptcp.so, libgif.so, .sslvpnconfigbk and libipudp.so.

The analysts were unable to recover all of these files from the compromised device they analyzed, so the full attack chain is unknown. However, they did find a file called wxd.conf whose contents are similar to the configuration file for an open source reverse proxy that can be used to expose a system behind a NAT to the Internet.

Analysis of network packet captures from the device revealed that the malware connected to two external servers controlled by the attackers to download and execute additional commands. One of the servers was still running and had a folder containing binaries built specifically for different FortiGate hardware versions. This allowed the researchers to analyze additional files that they believe the attackers executed on the systems to manipulate logging functionality in FortiOS.

According to the researchers:

  • The malware modifies the FortiOS logging processes (/bin/miglogd and /bin/syslogd) to manipulate logs and evade detection.
  • It includes offsets and code for 27 FortiGate model and version pairs. The malware opens a handle to the processes and injects data into them.
  • The versions range from 6.0.5 to 7.2.1.
  • The models are FG100F, FG101F, FG200D, FG200E, FG201F, FG240D, FG3H0E, FG5H0E, FG6H1E, FG800D, FGT5HD, FGT60F, FGT80F.
  • The malware can manipulate log files. It looks for elog files, which are event logs in FortiOS. After decompressing them in memory, it looks for a string that the attacker specifies, deletes it, and rebuilds the logs.
  • The malware can also kill the logging processes.

The researchers also found a sample on VirusTotal’s online scanner of a Windows binary that has similarities to the Linux binary found on FortiOS. This Windows sample was installed on a machine in the UTC+8 time zone, which includes Australia, China, Russia, Singapore, and other East Asian countries. The self-signed certificates used by the attackers were also generated between 3 and 8 AM UTC. “It is difficult to draw any conclusions from this, as hackers are not necessarily operating during office hours and will often operate during the victim’s office hours to help obscure their activity with general network traffic,” the researchers said.

Fortinet’s advisory contains many indicators of compromise, including file paths, file hashes, IP addresses, and even signatures for identifying the malicious communications within network packet captures.

Copyright © 2023 IDG Communications, Inc.
