Context
On January 19, 2023, Mandiant security researchers published the technical details of malware campaign preparations they’ve reportedly observed since October 2022.
Two key points should be noted regarding Mandiant’s assessment:
- Mandiant has not directly observed exploitation of the vulnerability (CVE-2022-42475), or deployment of BOLDMOVE in the wild.
- Mandiant researchers assess with low confidence that the campaign is related to an unspecified Chinese cyber espionage group based on: timing of development, characters in host survey buffers, and the common tactic of exploiting zero-days in network devices.
Technical Details
According to the National Vulnerability Database from NIST, CVE-2022-42475 has a severity score of 9.8 (CRITICAL) and is “A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.”
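The affected-version ranges quoted from NVD above are the first thing a defender needs to act on. The following triage helper is an added example, not code from the advisory or from Mandiant: it encodes those ranges and flags which entries of a constructed inventory (hostnames and versions invented here) still run a vulnerable FortiOS or FortiProxy SSL-VPN build. It assumes versions are written as dotted "major.minor.patch" strings.

```python
# Added example: CVE-2022-42475 affected-version triage for FortiOS / FortiProxy.
# The ranges below are the ones quoted from NVD in the text above.

Version = tuple[int, int, int]

# Each entry is (lower bound inclusive, upper bound inclusive);
# a lower bound of None encodes "<version> and earlier".
AFFECTED = {
    "FortiOS": [
        ((7, 2, 0), (7, 2, 2)),
        ((7, 0, 0), (7, 0, 8)),
        ((6, 4, 0), (6, 4, 10)),
        ((6, 2, 0), (6, 2, 11)),
        (None, (6, 0, 15)),        # "6.0.15 and earlier"
    ],
    "FortiProxy": [
        ((7, 2, 0), (7, 2, 1)),
        (None, (7, 0, 7)),         # "7.0.7 and earlier"
    ],
}


def parse_version(text: str) -> Version:
    """Turn '7.0.8' or 'v7.0.8' into a comparable tuple; reject anything else."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def is_affected(product: str, version: str) -> bool:
    """True if the given build falls inside any affected range for the product."""
    v = parse_version(version)
    return any((low is None or low <= v) and v <= high
               for low, high in AFFECTED[product])


# Constructed inventory sample (hostnames and versions are invented for this example).
INVENTORY = [
    ("fw-edge-01", "FortiOS", "7.0.8"),
    ("fw-edge-02", "FortiOS", "7.0.9"),
    ("fw-branch-03", "FortiOS", "6.0.12"),
    ("proxy-dmz-01", "FortiProxy", "7.2.1"),
    ("proxy-dmz-02", "FortiProxy", "7.2.2"),
]


def triage(inventory) -> list[str]:
    """Return the hostnames that still run an affected build."""
    return [host for host, product, ver in inventory if is_affected(product, ver)]


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: affected by CVE-2022-42475; patch or restrict SSL-VPN exposure")
```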
According to Mandiant researchers, the campaign delivered a new backdoor malware they named “BOLDMOVE.” Mandiant identified both Linux and Windows variants of BOLDMOVE but has not observed the malware in the wild.
IOCs
Mandiant researchers provided indicators of compromise (IOCs) for the malware in their report: MD5 and SHA256 hashes of the basic and extended BOLDMOVE variants and of the Windows version of BOLDMOVE.