"Chinese Hackers Used Recently Patched FortiOS SSL-VPN Flaw as a Zero-Day in October"

Researchers from Mandiant reported that Chinese threat actors exploited the recently patched FortiOS SSL-VPN flaw, CVE-2022-42475, as a zero-day. According to the security company, the vulnerability was used in attacks against multiple targets, including an African Managed Service Provider (MSP) and a European government organization. The attacks began as early as October 2022, and Fortinet fixed the vulnerability in December. The evidence acquired by the researchers suggests that the attacks are part of Chinese cyber espionage operations. The vulnerability is a heap-based buffer overflow in the FortiOS sslvpnd daemon, which a remote, unauthenticated attacker could exploit to crash devices or achieve Remote Code Execution (RCE). Mandiant also revealed the discovery of a new malware strain dubbed 'BOLDMOVE'. They identified Windows and Linux variants of BOLDMOVE, the latter of which was built to target FortiGate firewalls. This article continues to discuss findings and observations of Chinese threat actors exploiting the recently patched CVE-2022-42475 vulnerability in FortiOS SSL-VPN.

Security Affairs reports "Chinese Hackers Used Recently Patched FortiOS SSL-VPN Flaw as a Zero-Day in October"