Fortinet says unknown attackers exploited a patched FortiOS SSL-VPN vulnerability last month in attacks against government organizations and government-related targets.

The security flaw (CVE-2022-42475) abused in these incidents is a heap-based buffer overflow weakness found in FortiOS SSLVPNd that allowed unauthenticated attackers to remotely crash targeted devices or achieve remote code execution.

network security company urged customers in mid-December to patch their devices against ongoing attacks exploiting this vulnerability after quietly patching the bug on November 28 in FortiOS 7.2. ).

Customers were privately alerted to this issue on December 7 via a TLP:Amber advisory. More information was made public on December 12, including a warning that the bug was being actively exploited in attacks.

“Fortinet is aware of one instance where this vulnerability has been exploited in the wild,” the company said at the time, recommending administrators immediately check their systems against a list of shared indicators of compromise. in this opinion.

This Wednesday, Fortinet released a follow-up report revealing that attackers were using exploits CVE-2022-42475 to compromise FortiOS SSL-VPN appliances to deploy malware deployed as a trojanized version of the IPS engine.

Zero-day used to target government networks

The company said the threat actor’s attacks were highly targeted, with evidence found during analysis showing a focus on government networks.

“The complexity of the exploit suggests an advanced actor and that it is heavily targeted at government or government-related targets,” Fortinet said. said.

“The discovered Windows sample attributed to the attacker displayed artifacts that were compiled on a machine in the UTC+8 time zone, which includes Australia, China, Russia, Singapore, and other Asian countries from ballast.”

Attackers have focused heavily on maintaining persistence and avoiding detection by using the vulnerability to install malware that fixes FortiOS logging processes so that specific log entries can be deleted, or even kill logging processes if necessary.

Additional payloads downloaded to compromised appliances revealed that the malware also violated the compromised devices’ Intrusion Prevention System (IPS) functionality, which is designed to detect threats by continuously monitoring network traffic to block attempted breaches. of security.

“Malware fixes logging processes of FortiOS to manipulate logs to evade detection,” Fortinet said.

“The malware can manipulate log files. It looks for elog files, which are event logs in FortiOS. After decompressing them into memory, it looks for an attacker-specified string, deletes it, and rebuilds the logs. “

Fortinet warned that other malicious payloads were downloaded from a remote site during attacks, but could not be retrieved for analysis.

The company concluded that the threat actor behind last month’s CVE-2022-42475 exploit exhibits “advanced capabilities,” including the ability to reverse engineer parts of the FortiOS operating system.

He also advised customers to immediately upgrade to a patched version of FortiOS to block attack attempts and to contact Fortinet Support if they find any indicators of compromise related to the December attacks.