Getty Images/iStockphoto

Threat activity increasing around Fortinet VPN vulnerability

Following public disclosure of the critical VPN flaw in December, multiple reports show threat actors are exploiting it to target high-profile organizations.

Exploitation activity is ramping up against a Fortinet SSL-VPN vulnerability, according to several reports.

In December, Fortinet disclosed that a critical flaw, tracked as CVE-2022-42475, had been exploited in the wild in at least one instance. They recommended that users immediately upgrade to the latest patched versions. The remote code execution vulnerability ranked a 9.8 on the Common Vulnerability Scoring System and affected FortiOS through the SSL VPN service.

Now multiple threat intelligence reports, including one from Fortinet, showed increased activity from threat actors. That activity includes a sharp rise in brute force attack attempts against Fortinet VPN accounts as well as a new malware specifically designed to exploit CVE-2022-42475.

In early January, Fortinet provided extended research into the exploitation with multiple additional IoCs it uncovered related to the critical flaw. Most notably, the analysis revealed potentially prominent victims.

"The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," Fortinet researchers wrote in the blog post.

The blog post also noted several examples of this complexity, including a strong comprehension of FortiOS, the underlying hardware and the use of custom implants that allowed threat actors to reverse-engineer various parts of the operating system. Time stamps and signed certificates showed activity could be linked to China, Russia, Australia, Singapore and other Eastern Asian countries.

Connection to China

Fortinet wasn't the only vendor to observe a potential link to Chinese threat actors.

A blog post by Mandiant researchers on Jan. 19 detailed a "suspected China-nexus campaign" that utilized a new malware it named BOLDMOVE, specifically built to exploit CVE-2022-42475. The researchers uncovered evidence that exploitation occurred as early as October 2022 when the flaw was still a zero day and had not been publicly disclosed.

Under attribution, Mandiant said it assessed with "low confidence that this operation has a nexus to the People's Republic of China." However, the cybersecurity vendor has observed a pattern of China exploiting internet-facing devices followed by custom implants. Those attack steps align with Fortinet's investigation as well.

"We have uncovered a Windows variant of BOLDMOVE and a Linux variant which is specifically designed to run on FortiGate Firewalls," the researchers wrote in the blog post. "We believe that this is the latest in a series of Chinese cyber espionage operations that have targeted internet-facing devices and we anticipate this tactic will continue to be the intrusion vector of choice for well-resourced Chinese groups."

In an email to TechTarget Editorial, Fortinet said it is aware of further research that has been published, identifying malware believed to have been developed specifically for exploiting CVE-2022-42475.

Additionally, Mandiant warned enterprises that internet exposed devices such as firewalls and IPS devices are popular targets and emphasized the importance of keeping them patched and updated. Because they are accessible to the internet, exploitation requires no user interaction.

"This allows the attacker to control the timing of the operation and can decrease the chances of detection," Mandiant researchers wrote in the blog.

Another cybersecurity vendor also observed threat activity against the VPN vulnerability. While GreyNoise has not observed exploitation of the flaw, it did detect large-scale, internet-wide brute force attack attempts against Fortinet's SSL VPN.

On Tuesday, the GreyNoise research team published its findings on a significant spike in those attempts, despite the flaw's ability to be exploited by an unauthenticated attacker. The team observed the increase beginning on Dec. 29, nearly three weeks after Fortinet disclosed the zero-day vulnerability.

Additionally, GreyNoise noted there is no publicly available proof of concept exploit.

In an email to TechTarget Editorial, GreyNoise emphasized that while it hasn't observed direction exploitation of CVE-2022-42475, organizations should take note of the brute force activity against the VPN.

"Both takeaways have importance for defenders, but usage of weak credentials continues to pose significant risk to organizations. Ensuring security baselines, such as strong passwords, will remain important even in the face of 0-day related activity in the same product."

Next Steps

Fortinet warns critical VPN vulnerability 'may' be under attack

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing