FortiOS zero-day vulnerability exploited to attack government networks
The company encourages its customers to urgently upgrade to the latest version of the software.
Unidentified attackers are using new exploits for the FortiOS zero-day vulnerability that was patched earlier this month. The attacks target devices running outdated software and are aimed primarily at large government organizations around the world. A successful attack results in damage to the operating system and loss of data.
On March 7, Fortinet released security updates to fix a critical vulnerability tracked as CVE-2022-41328. It allows attackers to remotely execute unauthorized code on a target system.
The list of vulnerable products includes the following versions of FortiOS: 6.0, 6.2, 6.4.0-6.4.11, 7.0.0-7.0.9, 7.2.0-7.2.3. System administrators need to update vulnerable versions of FortiOS to the latest ones (6.4.12, 7.0.10 and 7.2.4 respectively).
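As an added example (not code from Fortinet or from the original article), the following Python checker maps a FortiOS version string, either bare or embedded in a device status line, onto the affected ranges and fixed builds listed above; the sample status line and its build number are constructed, and the line format is an assumption.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Added example, not Fortinet tooling. Ranges and fixed builds are the ones
# listed in the article for CVE-2022-41328; anything else here is assumed.

class Verdict(NamedTuple):
    affected: bool
    fixed_in: Optional[str]  # upgrade target; None where the article lists no fixed build
    note: str

# (major, minor, lowest affected patch, highest affected patch, fixed build).
# A None patch range means the whole branch is listed as affected.
AFFECTED = [
    (6, 0, None, None, None),
    (6, 2, None, None, None),
    (6, 4, 0, 11, "6.4.12"),
    (7, 0, 0, 9, "7.0.10"),
    (7, 2, 0, 3, "7.2.4"),
]

# Matches "7.0.9" or "v7.0.9" anywhere in a line, e.g. inside CLI status output.
VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from a bare version or a status line."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no FortiOS version found in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))

def assess(text: str) -> Verdict:
    """Compare a FortiOS version against the affected ranges above."""
    major, minor, patch = parse_version(text)
    label = f"{major}.{minor}.{patch}"
    for a_major, a_minor, lo, hi, fixed in AFFECTED:
        if (major, minor) != (a_major, a_minor):
            continue
        if lo is None:
            return Verdict(True, None, f"{label}: whole {major}.{minor} branch listed as affected, no fixed build given")
        if lo <= patch <= hi:
            return Verdict(True, fixed, f"{label}: affected, upgrade to {fixed}")
        return Verdict(False, fixed, f"{label}: at or beyond the fixed build {fixed}")
    return Verdict(False, None, f"{label}: not in the affected list")

if __name__ == "__main__":
    # Constructed sample of a device status line; the build number is made up.
    sample = "Version: FortiGate-100F v7.0.9,build0444,221219 (GA.F)"
    print(assess(sample))
```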
The company's advisory does not mention that the vulnerability was exploited in the wild (ITW) before the patches were released. However, a Fortinet report published last week showed that exploits for CVE-2022-41328 were used to compromise and disable multiple FortiGate firewalls belonging to one of the company's customers.
The subsequent investigation showed that the attackers modified the device's firmware image so that the payload is launched during system initialization. The malware could also be used to steal data, download and write files, or open remote shells.
Fortinet concluded that the attacks were targeted, with some evidence suggesting that the attackers favored government networks. The attackers also demonstrated "advanced capabilities", including modifying parts of the operating system of FortiGate devices.
“The exploit requires a deep understanding of FortiOS and the underlying hardware. Custom implants show that the attacker has advanced capabilities, including reverse engineering various parts of FortiOS”.
Fortinet customers are advised to immediately upgrade to a patched version of FortiOS to block possible attack attempts.