Beijing [China], Jan. 22 (ANI): Chinese hackers are exploiting zero-day vulnerabilities in network devices and then installing custom implants, The Hacker News reports.
Threat actors with suspected China ties have exploited a recently patched vulnerability in Fortinet’s FortiOS SSL-VPN as a zero-day attack against European government entities and Africa-based managed service providers (MSPs).
Mandiant’s latest findings suggest that threat actors exploited the vulnerability as a zero-day and compromised targeted networks for espionage, The Hacker News reported.
“Exploiting a zero-day vulnerability in a network device and then installing a custom implant is consistent with previous Chinese exploits of network devices,” Mandiant noted.
Telemetry evidence collected by Google-owned Mandiant suggests that the earliest exploitation occurred in October 2022, nearly two months before a fix was released.
“This incident continues a pattern of Chinese exploitation of Internet-facing devices, particularly those used for administrative security purposes (e.g., firewalls, IPS/IDS devices, etc.),” Mandiant researchers said in a technical note.
The attacks involved the use of a sophisticated backdoor called BOLDMOVE, a Linux variant specifically designed to run on Fortinet’s FortiGate firewalls, The Hacker News reported.
The intrusion vector in question is related to the exploitation of CVE-2022-42475, a heap-based buffer overflow vulnerability in FortiOS SSL-VPN that could lead to unauthenticated remote code execution via specially crafted requests.
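The vulnerability class named above, a heap-based buffer overflow reachable by an unauthenticated request, almost always comes down to a length field supplied by the remote peer being trusted when copying into a fixed-size buffer. The following C example is added here for illustration and is not Fortinet code or the CVE-2022-42475 code path; the two-byte length-prefixed wire format, the buffer size and the function names are all assumptions. It shows the unsafe pattern beside the hardened parser that rejects a request whose declared length exceeds either the bytes actually received or the destination capacity.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy wire format (an assumption, not any vendor's format):
 * a 2-byte big-endian body length followed by the body bytes. */
#define OUT_CAP 64

/* Unsafe pattern: the peer-controlled length field alone decides how much
 * memcpy writes into a fixed-size buffer. Kept only for contrast; the demo
 * never calls it, because a declared length above OUT_CAP corrupts the heap. */
size_t copy_body_unchecked(const uint8_t *req, size_t req_len, uint8_t *out)
{
    (void)req_len;                          /* the received size is ignored */
    size_t declared = ((size_t)req[0] << 8) | req[1];
    memcpy(out, req + 2, declared);         /* overflows `out` if declared > OUT_CAP */
    return declared;
}

/* Hardened pattern: validate the declared length against both what was
 * actually received and the destination capacity before copying.
 * Returns the body length on success, or -1 when the request is rejected. */
long copy_body_checked(const uint8_t *req, size_t req_len,
                       uint8_t *out, size_t out_cap)
{
    if (req == NULL || out == NULL || req_len < 2)
        return -1;                          /* no complete length header */
    size_t declared = ((size_t)req[0] << 8) | req[1];
    if (declared > req_len - 2)
        return -1;                          /* claims more bytes than were received */
    if (declared > out_cap)
        return -1;                          /* would overflow the destination */
    memcpy(out, req + 2, declared);
    return (long)declared;
}

/* Builds a constructed request with a given declared length and an actual
 * body of body_len bytes, so the two can deliberately disagree in tests. */
size_t build_request(uint8_t *buf, size_t buf_cap, uint16_t declared, size_t body_len)
{
    if (buf_cap < 2 + body_len)
        return 0;
    buf[0] = (uint8_t)(declared >> 8);
    buf[1] = (uint8_t)(declared & 0xffu);
    memset(buf + 2, 'A', body_len);
    return 2 + body_len;
}

/* Runs three constructed requests through the checked parser.
 * Returns 1 when the honest request is accepted and both malformed
 * requests are rejected, 0 otherwise. */
int demo(void)
{
    uint8_t req[512];
    uint8_t out[OUT_CAP];
    size_t n;

    n = build_request(req, sizeof req, 16, 16);      /* honest: 16-byte body */
    if (copy_body_checked(req, n, out, OUT_CAP) != 16)
        return 0;

    n = build_request(req, sizeof req, 300, 300);    /* body larger than OUT_CAP */
    if (copy_body_checked(req, n, out, OUT_CAP) != -1)
        return 0;

    n = build_request(req, sizeof req, 40, 10);      /* declares 40, sends 10 */
    if (copy_body_checked(req, n, out, OUT_CAP) != -1)
        return 0;

    return 1;
}

int main(void)
{
    printf("hardened parser behaves as expected: %s\n", demo() ? "yes" : "no");
    return demo() ? 0 : 1;
}
```

The third case is the one defenders should note: a request that declares more data than it sends would make the unchecked version read past the received bytes as well as write past the buffer, so the check against `req_len` matters as much as the check against `out_cap`.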
Earlier this month, Fortinet revealed that unknown hacker groups were exploiting this shortcoming, targeting governments and other large organizations with a generic Linux implant capable of delivering additional payloads and executing remote commands sent by the server.
“With BOLDMOVE, the attackers not only developed an exploit, but malware that displayed deep knowledge of systems, services, logging, and undocumented proprietary formats,” said threat intelligence firm Mandiant.
Written in C, the malware is said to come in both Windows and Linux flavors, the latter capable of reading data from Fortinet’s proprietary file format. Metadata analysis of variants of the Windows backdoor shows they were compiled as early as 2021, but no samples have yet been detected in the wild, The Hacker News reported.
BOLDMOVE is designed to perform system investigations and is capable of receiving commands from command and control (C2) servers, which in turn allows attackers to perform file operations, spawn remote shells, and relay traffic through infected hosts.
An extended Linux sample of the malware has additional capabilities to disable and manipulate logging in an attempt to avoid detection, corroborating Fortinet’s report.
“Zero-day” is a broad term that describes a recently discovered security hole that hackers can use to attack a system. The term “zero-day” refers to the fact that the vendor or developer has just learned of the flaw — meaning they have had “zero days” to fix it. A zero-day attack occurs when hackers exploit the flaw before developers have had a chance to address it. Software often has security holes that hackers can exploit to wreak havoc. Software developers are always on the lookout for bugs to be “patched”, that is, to develop fixes that they release in new updates. However, sometimes hackers or malicious actors discover vulnerabilities before software developers do. While the vulnerability remains, an attacker can write and deploy code to exploit it. This is called exploit code. Vulnerable code can lead to victimization of software users – for example, through identity theft or other forms of cybercrime. (ANI)
(This is an unedited and auto-generated story from a Syndicated News feed, the content body may not have been modified or edited by LatestLY staff)