On January 19, 2023, Mandiant security researchers published the technical details of malware campaign preparations they’ve reportedly observed since October 2022.
Two key points should be noted regarding Mandiant’s assessment:
- Mandiant has not directly observed exploitation of the vulnerability, or deployment of BOLDMOVE in the wild.
- Mandiant researchers assess with low confidence that the campaign is related to an unspecified Chinese cyber espionage group based on: timing of development, characters in host survey buffers, and the common tactic of exploiting zero-days in network devices.
According to the National Vulnerability Database from NIST, CVE-2022-42475 has a severity score of 9.8 CRITICAL and is “A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.”
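The affected-version list in that NVD description is easy to misread when checking a fleet by hand, so here is an added example (not Fortinet or NVD tooling) that encodes the ranges quoted above and answers "is this build in an affected range?" for a FortiOS or FortiProxy version string. The ranges are transcribed from the quote; reading "6.0.15 and earlier" and "7.0.7 and earlier" as every release up to and including that one is this example's assumption, as is the constructed inventory in the `__main__` block.

```python
"""Affected-version check for CVE-2022-42475 (added example, not vendor tooling).

Ranges are transcribed from the NVD description quoted above. The phrases
"6.0.15 and earlier" and "7.0.7 and earlier" are modelled as every release up
to and including that version; that reading is an assumption of this example.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# (lowest affected, highest affected), inclusive at both ends.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "FortiOS": [
        ((7, 2, 0), (7, 2, 2)),
        ((7, 0, 0), (7, 0, 8)),
        ((6, 4, 0), (6, 4, 10)),
        ((6, 2, 0), (6, 2, 11)),
        ((0, 0, 0), (6, 0, 15)),   # "6.0.15 and earlier"
    ],
    "FortiProxy": [
        ((7, 2, 0), (7, 2, 1)),
        ((0, 0, 0), (7, 0, 7)),    # "7.0.7 and earlier"
    ],
}


def parse_version(text: str) -> Version:
    """Turn '7.0.8' or 'v7.0.8' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(product: str, version: str) -> bool:
    """True if the product build falls inside any range listed for the CVE."""
    ranges = AFFECTED.get(product)
    if ranges is None:
        raise ValueError(f"unknown product: {product!r}")
    v = parse_version(version)
    # Tuple comparison is lexicographic, so (7, 0, 8) <= (7, 0, 8) < (7, 0, 9).
    return any(low <= v <= high for low, high in ranges)


if __name__ == "__main__":
    # Constructed inventory lines, as a fleet check might produce them.
    inventory = [("FortiOS", "7.0.8"), ("FortiOS", "7.0.9"), ("FortiProxy", "7.2.1")]
    for product, ver in inventory:
        status = "AFFECTED" if is_affected(product, ver) else "not in affected ranges"
        print(f"{product} {ver}: {status}")
```

Versions that sit between two listed ranges (for example a hypothetical FortiOS 7.1.x) are reported as not affected because the page lists no such range; treat that as "not listed", not as "safe", and confirm against the vendor advisory before closing a ticket.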
According to Mandiant researchers, the campaign delivered a new backdoor malware they named “BOLDMOVE.” Mandiant identified both Linux and Windows variants of BOLDMOVE but has not observed the malware in the wild.
Mandiant researchers provided the following indicators of compromise (IOCs):
| Hash | Type | Description |
|---|---|---|
| 54bbea35b095ddfe9740df97b693627b | MD5 | Windows version of BOLDMOVE |
| | SHA256 | Windows version of BOLDMOVE |
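To turn the table into something a responder can actually run, here is an added example (not Mandiant's tooling) that hashes files under a directory and reports any whose digest matches a published IoC. Only the MD5 from the table is included; the SHA256 value is not given on the page, so it is left out rather than guessed. The directory walk, the streamed hashing, and the constructed sample file in the `__main__` block are this example's own choices.

```python
"""Hash-based IoC matcher (added example; not Mandiant tooling).

BOLDMOVE_IOCS holds only the MD5 published on the page above. Any further
hashes from a vendor advisory can be added to the same dict.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# IoC hash (lowercase hex) -> description, as published on the page.
BOLDMOVE_IOCS: Dict[str, str] = {
    "54bbea35b095ddfe9740df97b693627b": "Windows version of BOLDMOVE (MD5)",
}


def hashes_of_bytes(data: bytes) -> Dict[str, str]:
    """Return lowercase hex MD5 and SHA256 of an in-memory byte string."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
    }


def hashes_of_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a file in chunks so large binaries never have to fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"MD5": md5.hexdigest(), "SHA256": sha256.hexdigest()}


def match_iocs(hashes: Dict[str, str], iocs: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (algorithm, digest, description) for every IoC that matches.

    Comparison is case-insensitive: advisories publish hashes in either case.
    """
    lookup = {h.lower(): desc for h, desc in iocs.items()}
    return [(algo, d.lower(), lookup[d.lower()])
            for algo, d in hashes.items() if d.lower() in lookup]


def scan_directory(root: str, iocs: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Walk a tree and return (path, algorithm, digest, description) for each hit."""
    hits: List[Tuple[str, str, str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                file_hashes = hashes_of_file(path)
            except OSError:
                continue  # unreadable file (permissions, race): skip, keep scanning
            for algo, digest, desc in match_iocs(file_hashes, iocs):
                hits.append((path, algo, digest, desc))
    return hits


if __name__ == "__main__":
    # Constructed demo: one harmless file in a temp dir, scanned against the page's IoC
    # plus a second IoC constructed from the demo file itself so a hit is visible.
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.bin")
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample content, not malware")
        demo_iocs = dict(BOLDMOVE_IOCS)
        demo_iocs[hashes_of_file(sample)["SHA256"]] = "constructed demo IoC"
        for path, algo, digest, desc in scan_directory(tmp, demo_iocs):
            print(f"HIT {path} {algo}={digest} ({desc})")
```

A hash match is a high-confidence but narrow signal: recompiled or padded builds will not match, so a clean scan against one MD5 should be read as "this exact sample is absent", not as "no BOLDMOVE".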