Alleged Chinese Threat Actors Developing Fortinet Zero-Day Exploit for New “BOLDMOVE” Malware Campaign Targeting European and African Organizations

Mandiant reported preparations for a campaign leveraging CVE-2022-42475, a vulnerability in Fortinet's FortiOS SSL-VPN, to target organizations in Europe and Africa with a new malware dubbed “BOLDMOVE.”

Context

On January 19, 2023, Mandiant security researchers published technical details of malware campaign preparations that they report having observed since October 2022.

Two key points should be noted regarding Mandiant’s assessment:

  1. Mandiant has not directly observed exploitation of the vulnerability, or deployment of BOLDMOVE in the wild.
  2. Mandiant researchers assess with low confidence that the campaign is related to an unspecified Chinese cyber espionage group based on: timing of development, characters in host survey buffers, and the common tactic of exploiting zero-days in network devices.

Technical Details

According to the National Vulnerability Database from NIST, CVE-2022-42475 has a severity score of 9.8 CRITICAL and is “A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.”
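As an added example (not code from Mandiant, Fortinet, or the original post), the following Python checks a FortiOS or FortiProxy version string against the affected ranges quoted above from the NVD entry; the version strings passed in, such as "7.2.1 build1234", are constructed sample inputs, and the check knows nothing about fixed releases beyond those ranges.

```python
# Added example: decide whether a FortiOS / FortiProxy SSL-VPN version falls
# inside the ranges the NVD description of CVE-2022-42475 lists as affected.
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as quoted from the NVD description. A lower bound of
# None encodes "and earlier" (every release up to and including the upper bound).
AFFECTED = {
    "FortiOS": [
        ((7, 2, 0), (7, 2, 2)),
        ((7, 0, 0), (7, 0, 8)),
        ((6, 4, 0), (6, 4, 10)),
        ((6, 2, 0), (6, 2, 11)),
        (None, (6, 0, 15)),
    ],
    "FortiProxy": [
        ((7, 2, 0), (7, 2, 1)),
        (None, (7, 0, 7)),
    ],
}


def parse_version(text: str) -> Version:
    """Parse '7.2.1', 'v7.2.1' or '7.2.1 build1234' into (major, minor, patch)."""
    core = text.strip().lstrip("vV").split()[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def is_affected(product: str, version_text: str) -> bool:
    """True if product/version lies in an affected range for CVE-2022-42475."""
    version = parse_version(version_text)
    # Tuple comparison orders versions numerically field by field, so
    # 6.4.9 < 6.4.10 behaves correctly (a plain string compare would not).
    for low, high in AFFECTED[product]:
        if (low is None or low <= version) and version <= high:
            return True
    return False


if __name__ == "__main__":
    for product, ver in [("FortiOS", "7.2.1 build1234"), ("FortiOS", "7.2.3"),
                         ("FortiProxy", "v7.0.7"), ("FortiOS", "6.0.3")]:
        print(f"{product} {ver}: {'AFFECTED' if is_affected(product, ver) else 'not in listed ranges'}")
```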

According to Mandiant researchers, the campaign was prepared to deliver a new backdoor malware they named “BOLDMOVE.” Mandiant identified both Linux and Windows variants of BOLDMOVE but has not observed the malware in the wild.

IOCs

Mandiant researchers provided MD5 and SHA256 hashes for the basic, extended, and Windows variants of BOLDMOVE as indicators of compromise (IOCs):

