Unknown attackers used a zero-day exploit for a FortiOS vulnerability patched this month in attacks on government and other large organizations, leaving the targeted devices with a corrupted operating system and file system and with data loss.

Fortinet released security updates on March 7, 2023 to address this high-severity security vulnerability (CVE-2022-41328) that allowed hackers to execute unauthorized code or commands.

“Improperly limiting a path to a restricted directory vulnerability (“path traversal”) [CWE-22] in FortiOS can allow a privileged attacker to read and write arbitrary files via specially crafted CLI commands,” the company says in its advisory.

The list of affected products includes FortiOS version 6.4.0 through 6.4.11, FortiOS version 7.0.0 through 7.0.9, FortiOS version 7.2.0 through 7.2.3, and all versions of FortiOS 6.0 and 6.2.

To fix the security flaw, administrators should upgrade vulnerable products to FortiOS version 6.4.12 and later, FortiOS version 7.0.10 and later, or FortiOS version 7.2.4 and later.
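The affected and fixed ranges above are easy to misread during an inventory sweep (6.0 and 6.2 have no fixed release at all, while 6.4, 7.0 and 7.2 each have a single cut-off). The following triage helper is an added example, not code from Fortinet or from the original report; it encodes only the version ranges the advisory lists, and the FortiOS version strings fed to it (in the `v7.0.9,build0444` style) are constructed sample input. Branches the advisory does not mention are reported as "not listed", not as safe.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive (first, last) affected range per branch, from the CVE-2022-41328
# advisory. last=None means every release of the branch is affected and the
# advisory names no fixed version for it.
AFFECTED = {
    (6, 0): ((6, 0, 0), None),
    (6, 2): ((6, 2, 0), None),
    (6, 4): ((6, 4, 0), (6, 4, 11)),
    (7, 0): ((7, 0, 0), (7, 0, 9)),
    (7, 2): ((7, 2, 0), (7, 2, 3)),
}

# First fixed release per branch, from the same advisory.
FIXED = {(6, 4): (6, 4, 12), (7, 0): (7, 0, 10), (7, 2): (7, 2, 4)}

# Matches the leading major.minor.patch in strings such as
# "v7.0.9,build0444,221213 (GA)" (constructed sample format, assumption).
_VER_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_fortios_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from a FortiOS version string, or None."""
    m = _VER_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(text: str) -> str:
    """Classify one device's version string against the advisory ranges."""
    v = parse_fortios_version(text)
    if v is None:
        return "unknown: could not parse version"
    branch = v[:2]
    if branch not in AFFECTED:
        return "not listed in advisory"
    first, last = AFFECTED[branch]
    if last is None:
        # 6.0 / 6.2: no fixed build exists, so the only remediation is
        # migrating to a fixed branch (6.4.12+, 7.0.10+ or 7.2.4+).
        return "vulnerable: no fixed release in this branch, migrate"
    if first <= v <= last:
        fixed = ".".join(str(n) for n in FIXED[branch])
        return f"vulnerable: upgrade to {fixed} or later"
    return "patched"


def triage(inventory: dict) -> dict:
    """Map hostname -> verdict for a {hostname: version_string} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = {
        "fw-branch-01": "v7.0.9,build0444,221213 (GA)",
        "fw-branch-02": "v7.0.10,build0450,230131 (GA)",
        "fw-legacy-01": "v6.2.14,build1375",
        "fw-hq-01": "v7.2.4,build1396",
    }
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```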

While the advisory did not state that the bug had been exploited in the wild before the patches were released, a Fortinet report published last week revealed that CVE-2022-41328 exploits had been used to compromise and knock offline multiple FortiGate firewalls belonging to one of its customers.

Data-stealing malware

The incident was discovered after the compromised FortiGate devices shut down with the message “The system is entering error mode due to a FIPS error: Firmware integrity self-test failed” and then failed to boot again.

Fortinet explains that this happens because its FIPS-compliant devices verify the integrity of system components at startup and are configured to shut down and halt the boot process when that check fails, so that a tampered device cannot be used as a foothold on the network.

Fortinet assessed that these FortiGate firewalls were breached via a FortiManager device on the victim’s network, because they all shut down simultaneously, were compromised using the same technique, and the FortiGate path traversal exploit was launched at the same time as scripts were executed via FortiManager.

Subsequent investigation showed that the attackers had modified the firmware image’s init binary (/sbin/init) so that it launched a payload (/bin/fgfm) before the normal boot process began.

The implant exfiltrates data, downloads and writes files, or opens a remote shell when it receives an ICMP packet containing the string “;7(Zu9YTsA7qQ#vm”.
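A trigger that rides inside ICMP is easy to miss, since most firewalls log ICMP at best as "ping allowed". The detection check below is an added example, not code from Fortinet or from the original report: it parses raw IPv4 frames, extracts the ICMP message regardless of ICMP type (the report does not say which type the implant listens for, so the whole message body is searched), and flags any packet whose ICMP message carries the trigger string. The packets it is run on are constructed in the block itself with a small IPv4/ICMP builder; they are sample traffic, not a capture from the incident. The same `is_trigger_packet` check can be applied to per-packet bytes read from a pcap.

```python
import socket
import struct
from typing import List, Optional

# The string Fortinet reported the /bin/fgfm implant waits for in ICMP traffic.
TRIGGER = b";7(Zu9YTsA7qQ#vm"


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src: str, dst: str, payload: bytes,
                    ident: int = 0x1234, seq: int = 1) -> bytes:
    """Construct a raw IPv4 + ICMP echo-request frame (sample traffic only)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", _checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + icmp


def icmp_message(packet: bytes) -> Optional[bytes]:
    """Return the full ICMP message of an IPv4 packet, or None if not ICMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                      # not IPv4
    ihl = (packet[0] & 0x0F) * 4         # header length honours IP options
    if ihl < 20 or packet[9] != 1:       # protocol 1 = ICMP
        return None
    total_len = struct.unpack("!H", packet[2:4])[0]
    body = packet[ihl:total_len]
    if len(body) < 4:                    # type, code, checksum at minimum
        return None
    return body


def is_trigger_packet(packet: bytes) -> bool:
    """True when the ICMP message carries the implant's trigger string anywhere."""
    body = icmp_message(packet)
    return body is not None and TRIGGER in body


def scan(packets: List[bytes]) -> List[int]:
    """Indices of packets that would wake the implant."""
    return [i for i, p in enumerate(packets) if is_trigger_packet(p)]


if __name__ == "__main__":
    # Constructed sample traffic: an ordinary ping and a trigger packet whose
    # payload hides the string behind some padding.
    benign = build_icmp_echo("10.0.0.5", "10.0.0.1", b"abcdefghijklmnop")
    hit = build_icmp_echo("203.0.113.9", "10.0.0.1",
                          b"\x00" * 6 + TRIGGER + b"\x00" * 6)
    for i in scan([benign, hit]):
        print(f"packet {i}: ICMP trigger string for /bin/fgfm observed")
```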

Zero-day used to attack government networks

Fortinet concluded that the attacks were highly targeted, with some evidence showing that threat actors favored government networks. The attackers also demonstrated “advanced capabilities”, including reverse-engineering parts of the FortiGate devices’ operating system.

“The attack is highly targeted, with some hints of government or government-related targets,” the company said.

“The exploit requires a deep understanding of FortiOS and the underlying hardware. The custom implants show the actor has advanced capabilities, including reverse engineering various parts of FortiOS.”

Fortinet customers are advised to upgrade immediately to a patched version of FortiOS to block further attack attempts; Fortinet’s report also includes a list of indicators of compromise (IOCs).

In January, Fortinet revealed a series of very similar incidents in which a FortiOS SSL-VPN vulnerability patched in December 2022 and tracked as CVE-2022-42475 was likewise exploited as a zero-day to target government organizations and government-related entities.

Those FortiOS SSL-VPN zero-day attacks shared many similarities with a Chinese hacking campaign that infected unpatched SonicWall Secure Mobile Access (SMA) appliances with cyber-espionage malware that survives firmware updates.
