Mandiant is tracking a suspected China-nexus campaign believed to have exploited a recently announced vulnerability in Fortinet’s FortiOS SSL-VPN, CVE-2022-42475, as a zero-day. Evidence suggests the exploitation was occurring as early as October 2022 and identified targets include a European government entity and a managed service provider located in Africa.
Mandiant identified a new malware we are tracking as “BOLDMOVE” as part of our investigation. We have uncovered a Windows variant of BOLDMOVE and a Linux variant, which is specifically designed to run on FortiGate Firewalls. We believe that this is the latest in a series of Chinese cyber espionage operations that have targeted internet-facing devices and we anticipate this tactic will continue to be the intrusion vector of choice for well-resourced Chinese groups.
On December 12, 2022, Fortinet released a PSIRT Advisory and notified customers regarding CVE-2022-42475
China Continues to Focus on Network Devices
This incident continues China’s pattern of exploiting internet facing devices, specifically those used for managed security purposes (e.g., firewalls, IPSIDS appliances etc.). These devices are attractive targets for multiple reasons. First, they are accessible to the internet, and if the attacker has an exploit, they can gain access to a network without requiring any victim interaction. This allows the attacker to control the timing of the operation and can decrease the chances of detection.
The exploits required to compromise these devices can be resource intensive to develop, and thus they are most often used in operations against hardened and high priority targets; often in the government and defense sectors. With BOLDMOVE, the attackers not only developed an exploit, but malware that shows an in-depth understanding of systems, services, logging, and undocumented proprietary formats. Malware running on an internet-connected device can enable lateral movement further into a network and enable command and control (C2) by tunneling commands in and data out of a network.
It is important to note that many of these types of devices do not offer a simple mechanism to view which processes are running on the device’s operating systems. These devices are typically intended to inspect network traffic, searching for anomalies as well as signs of malicious behavior, but are often not inherently protected themselves.
- Managed devices may provide only a limited admin interface that allows configuration and viewing/collection of logs
- Managed devices may not allow for additional security products, such as Endpoint Detection and Response (EDR) to be installed
- Access to core security features may be limited to the device manufacturer
Previous examples of public reporting by Mandiant and others on operations targeting these devices are here:
BOLDMOVE Backdoor
In December 2022, Mandiant identified the BOLDMOVE backdoor associated with the exploitation of CVE-2022-49475 FortiOS vulnerability. BOLDMOVE is written in C and has both Windows and Linux variants, the latter of which is intended to run (at least in part) on Fortinet devices as it reads data from a file proprietary to Fortinet.
Mandiant has not directly observed exploitation of the vulnerability; however, samples of the BOLDMOVE Linux variant have a hard coded C2 IP address that were listed by Fortinet as being involved in the exploitation, suggesting CVE-2022-49475 was exploited to deliver BOLDMOVE. In addition to the Linux variant, Mandiant also revealed a Windows version. Windows versions of BOLDMOVE appear to have been compiled as early as 2021. However, Mandiant has not seen this malware in use in the wild so it is uncertain how it was used. In-depth analysis of the malware is provided later in this post.
Attribution
We assess with low confidence that this operation has a nexus to the People’s Republic of China. China-nexus clusters have historically shown significant interest in targeting networking devices and manipulating the operating system or underlying software which supports these devices. In addition, the geographical and sector targeting is consistent with previous Chinese operations.
- Limited technical indicators point to the development of the malware as having been compiled on a machine in the UTC+8 time zone, which includes Australia, China, Russia, Singapore, and other Eastern Asian countries, and on a machine configured to display Chinese characters.
- A host survey buffer which is used by the Windows variant of BOLDMOVE in order to provide the C2 with information on the infected host starts with the string “gbk”. The comparable survey buffer of the Linux variant starts with “utf-8”, which indicates that this field designates character encoding. If we are to consider “gbk” in this context, then this is an extension of a Chinese character set
- The exploitation of zero-day vulnerabilities in networking devices, followed by the installation of custom implants, is consistent with previous Chinese exploitation of networking devices.
Mandiant has previously reported on significant campaigns impacting networking devices, likely revealing a long-standing interest by China to embed cyber campaigns in the overarching telecommunications and networking architecture used by organizations worldwide:
- In April 2021, Mandiant reported extensively on the exploitation of Pulse Secure. Mandiant recently responded to multiple security incidents involving compromises of Pulse Secure VPN appliances.
- In March 2021, Mandiant identified three zero-day vulnerabilities in SonicWall’s Email Security (ES) product that were being exploited in the wild. Mandiant’s investigations informed us that the adversary leveraged these vulnerabilities, with intimate knowledge of the SonicWall application, to install a backdoor, access files and emails, and move laterally into the victim organization’s network.
Outlook
Mandiant has produced in depth reporting on the growing number of managed, internet-facing and connected devices targeted by Chinese threat actors. This latest campaign may be a continuation of a long-standing practice by China-nexus cyber espionage actors. This campaign and infection vector also should be strong reminders of the importance of keeping up with updates and patches, of externally facing devices or those exposed to the internet.
This campaign, and other similar campaigns, offer defenders a unique look into the vulnerabilities and gaps many organizations constantly face when services and networks are managed remotely. Given their configuration, it is very hard to measure the scope and extent of malicious activity that results from exploiting internet facing network devices, as we have little to no information that can indicate those devices are compromised.
There is no mechanism to detect malicious processes running on such devices, nor telemetry to proactively hunt for malicious images deployed on them following an exploitation of a vulnerability. This makes network devices a blind spot for security practitioners and allows attackers to hide in them and maintain stealth for long periods, while also using them to gain foothold in a targeted network.
BOLDMOVE Linux Analysis
BOLDMOVE is a fully featured backdoor written in C and compiled with GCC 11.2.1. When executed it performs a system survey and is capable of receiving commands from a C2 server that in turn allow attackers to control the file system, spawn a remote shell, or relay traffic via the infected host.
Based on indicators from the original Fortinet advisory, Mandiant was able to identify multiple Linux versions of BOLDMOVE. There are a core set of features across all observed instances of BOLDMOVE, Windows and Linux, and at least one Linux sample contained extended capabilities enabling it to alter specific behaviors and functionality of Fortinet devices, namely FortiGate Firewalls.
Core Features
Upon execution, BOLDMOVE attempts to form a session with a hard-coded C2 server. Once it is established, it performs a system survey to collect information that identifies the infected machine to the C2. Information collected is outlined in Table 1.
Index | Field Value |
0 | Encoding used for the strings in the survey buffer: utf-8 |
1 | Hard-coded string that seemingly identifies the sample or campaign, e.g., “Cora/c” |
2 | OS version string. For Linux-based operating systems this string has the format “Linux []”, wherein the various fields are obtained from a call to the uname function. For non-Linux operating systems this string has the format []. The substring is being constructed by reading data from one of the files /etc/system-release, /etc/os-release (looking for the values of the NAME= and VERSION= keys),/migadmin/ng/vpn/map/pkginfo.json (looking for the value enclosed by the strings ver_s”:” and “,”chksum), /etc/debian_version. |
3 | Host name |
4 | Comma-separated list of / entries that represent network interfaces on the host |
5 | The effective user ID of the backdoor’s process (result of geteuid()) |
6 | The process ID of the backdoor’s process |
7 | String of the format cwd=rnexecutable=rnevent=wvrnserver=139.180.128.142:443rn/proc/version= |
Table 1: System Survey
Subsequently, the C2 may send commands for execution that allow attackers to control the infected device. Command codes across platforms and versions of BOLDMOVE may vary but their core capabilities do not appear to change and include:
Major Command Code | Minor Command Code | Command |
0x0 | 0x0 | Frees all resources and terminates the backdoor |
0x11 | 0x21 | Lists information on all files in the system recursively, starting from the root directory. In addition to the file’s path, the information provided for each file is based on output of the stat function and includes the following fields of the stat structure (details on it can be found here): st_mode, st_size, st_mtim.tv_sec, st_uid, st_gid. |
0x11 | 0x0 | Lists information on files recursively, starting from a given directory |
0x12 | 0x0 | Creates new directory via mkdir |
0x13 | 0x0 | Removes a directory via rmdir |
0x14 | 0x10 | Given an attacker provided file path, removes an existing file (if such exists) and creates a new file instead |
0x14 | 0x21 | Closes a file descriptor that was opened for writing |
0x14 | 0x32 | Writes data to the created file |
0x15 | 0x10 | Gets a file’s size before reading from it |
0x15 | 0x21 | Closes a file descriptor that was opened for reading |
0x15 | 0x40 | Reads data from a formerly opened file |
0x20 | 0x0 | Executes a shell command and sends back the output |
0x20 | 0x33 | Executes a shell command without sending back an output |
0x21 | 0x10, 0x21, 0x43, 0x44, 0x45 | Creates an interactive shell that leverages two pipes—one for processing shell input from the server and another for sending back shell outputs, thus supporting an asynchronous session between the C2 and the infected host. The various subcommands handle actions involved in forming and maintaining the shell session |
0x22 | 0x10, 0x21, 0x32,0x33 | Creates an interactive shell that leverages a single pipe for both passing server sourced inputs to the shell and retrieving command outputs from it. The formed shell works in a synchronous mode, wherein the pipe can be either probed to retrieve shell output or written with input data in each access to it. The various subcommands handle actions involved in forming and maintaining the shell session |
0x30 | 0x15, 0x16, 0x17, 0x18 | Initiates a network traffic relay session. The C2 sends a target address as an argument and further packets passed through sub-commands of this command are used to pass data back and forth to and from the target server |
0x53 | 0x10 | Deletes the backdoor’s image and creates a new one with the same name as preparation for writing an updated backdoor image |
0x53 | 0x21 | Closes the file descriptor opened for writing a backdoor image update |
0x53 | 0x32 | Writes data sent from the C2 server to the formerly opened file descriptor that corresponds to the updated backdoor image |
0x54 | 0x0 | Spawns a new process of the backdoor with the argument 1, which would in turn attempt to execute an image with that name. The purpose of this action is unclear. |
0x55 | 0x0 | Same as command 0x54 |
0x56 | 0x0 | Serves as an echo command; receives a command packet from the server and replies back with a packet that has the same major command code and blank body. Possibly used to check the infected host’s connectivitystate. |
Table 2: Supported commands
The Linux iteration of BOLDMOVE leverages several statically compiled libraries to implement its functionality:
- An undetermined and likely custom library used for event handling (reminiscent of libevent). It operates in a single-threaded mode, wherein each action is scheduled and executed as an event callback. It may allude to the fact that the developers aimed for supporting the infection of single core devices, among others.
- WolfSSL (also compiled in a single-threaded mode), which facilitates SSL encrypted communication to the C2 server.
- Musl libc
Upon failure, the malware reruns itself in a new process. In addition, if the malware is executed with a command line argument, it would not initiate the backdoor logic but rather attempt to execute the provided argument as a new process.
Prior to starting the backdoor’s logic, the malware calls the signal function in order to ignore the signals SIGCHLD, SIGHUP, SIGPIPE.
Extended Features
The extended version of BOLDMOVE (MD5: 3191cb2e06e9a30792309813793f78b6) contains all the aforementioned functionality but with additional features.
The extended version contains Execution Guardrails (T1480) by verifying that it is executing from a specific path. It accomplishes this in the following manner:
- Retrieving its own path from
/proc/self/exe
- Obtaining an inode from this resultant path via fstatat
- Obtain a secondary inode from the statically defined path
/bin/wxd
- Comparing these two inode records
Source: https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw