Mandiant is tracking a suspected China-nexus campaign believed to have exploited a recently announced vulnerability in Fortinet's FortiOS SSL-VPN, CVE-2022-42475, as a zero-day. Evidence suggests the exploitation was occurring as early as October 2022 and identified targets include a European government entity and a managed service provider located in Africa.

Mandiant identified a new malware we are tracking as “BOLDMOVE” as part of our investigation. We have uncovered a Windows variant of BOLDMOVE and a Linux variant, which is specifically designed to run on FortiGate Firewalls. We believe that this is the latest in a series of Chinese cyber espionage operations that have targeted internet-facing devices and we anticipate this tactic will continue to be the intrusion vector of choice for well-resourced Chinese groups.

On December 12, 2022, Fortinet released a PSIRT Advisory and notified customers regarding CVE-2022-42475

• Fortinet issued instructions on how to search for Indicators of Compromise
• Fortinet provided additional details including IoCs from subsequent research.

China Continues to Focus on Network Devices

This incident continues China’s pattern of exploiting internet facing devices, specifically those used for managed security purposes (e.g., firewalls, IPS\IDS appliances etc.). These devices are attractive targets for multiple reasons. First, they are accessible to the internet, and if the attacker has an exploit, they can gain access to a network without requiring any victim interaction. This allows the attacker to control the timing of the operation and can decrease the chances of detection.

The exploits required to compromise these devices can be resource intensive to develop, and thus they are most often used in operations against hardened and high priority targets; often in the government and defense sectors. With BOLDMOVE, the attackers not only developed an exploit, but malware that shows an in-depth understanding of systems, services, logging, and undocumented proprietary formats. Malware running on an internet-connected device can enable lateral movement further into a network and enable command and control (C2) by tunneling commands in and data out of a network.

It is important to note that many of these types of devices do not offer a simple mechanism to view which processes are running on the device’s operating systems. These devices are typically intended to inspect network traffic, searching for anomalies as well as signs of malicious behavior, but are often not inherently protected themselves.

• Managed devices may provide only a limited admin interface that allows configuration and viewing/collection of logs
• Managed devices may not allow for additional security products, such as Endpoint Detection and Response (EDR) to be installed
• Access to core security features may be limited to the device manufacturer

Previous examples of public reporting by Mandiant and others on operations targeting these devices are here:

• Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day  
• NSA | APT5: Citrix ADC Threat Hunting Guidance 
• Suspected Chinese Activity Exploiting Zero-Day Vulnerability, Leverages New Malware Designed for Internet-Facing Devices
• Zero-Days Exploit in SonicWall Email Security Lead to Enterprise Compromise

BOLDMOVE Backdoor

In December 2022, Mandiant identified the BOLDMOVE backdoor associated with the exploitation of CVE-2022-49475 FortiOS vulnerability. BOLDMOVE is written in C and has both Windows and Linux variants, the latter of which is intended to run (at least in part) on Fortinet devices as it reads data from a file proprietary to Fortinet.

Mandiant has not directly observed exploitation of the vulnerability; however, samples of the BOLDMOVE Linux variant have a hard coded C2 IP address that were listed by Fortinet as being involved in the exploitation, suggesting CVE-2022-49475 was exploited to deliver BOLDMOVE. In addition to the Linux variant, Mandiant also revealed a Windows version. Windows versions of BOLDMOVE appear to have been compiled as early as 2021. However, Mandiant has not seen this malware in use in the wild so it is uncertain how it was used. In-depth analysis of the malware is provided later in this post.

Attribution

We assess with low confidence that this operation has a nexus to the People’s Republic of China. China-nexus clusters have historically shown significant interest in targeting networking devices and manipulating the operating system or underlying software which supports these devices. In addition, the geographical and sector targeting is consistent with previous Chinese operations.

• Limited technical indicators point to the development of the malware as having been compiled on a machine in the UTC+8 time zone, which includes Australia, China, Russia, Singapore, and other Eastern Asian countries, and on a machine configured to display Chinese characters.
• A host survey buffer which is used by the Windows variant of BOLDMOVE in order to provide the C2 with information on the infected host starts with the string “gbk”. The comparable survey buffer of the Linux variant starts with “utf-8”, which indicates that this field designates character encoding. If we are to consider “gbk” in this context, then this is an extension of a Chinese character set
• The exploitation of zero-day vulnerabilities in networking devices, followed by the installation of custom implants, is consistent with previous Chinese exploitation of networking devices.

Mandiant has previously reported on significant campaigns impacting networking devices, likely revealing a long-standing interest by China to embed cyber campaigns in the overarching telecommunications and networking architecture used by organizations worldwide:

• In April 2021, Mandiant reported extensively on the exploitation of Pulse Secure. Mandiant recently responded to multiple security incidents involving compromises of Pulse Secure VPN appliances. 
• In March 2021, Mandiant identified three zero-day vulnerabilities in SonicWall’s Email Security (ES) product that were being exploited in the wild. Mandiant’s investigations informed us that the adversary leveraged these vulnerabilities, with intimate knowledge of the SonicWall application, to install a backdoor, access files and emails, and move laterally into the victim organization’s network.

Outlook

Mandiant has produced in depth reporting on the growing number of managed, internet-facing and connected devices targeted by Chinese threat actors. This latest campaign may be a continuation of a long-standing practice by China-nexus cyber espionage actors. This campaign and infection vector also should be strong reminders of the importance of keeping up with updates and patches, of externally facing devices or those exposed to the internet.

This campaign, and other similar campaigns, offer defenders a unique look into the vulnerabilities and gaps many organizations constantly face when services and networks are managed remotely. Given their configuration, it is very hard to measure the scope and extent of malicious activity that results from exploiting internet facing network devices, as we have little to no information that can indicate those devices are compromised.

There is no mechanism to detect malicious processes running on such devices, nor telemetry to proactively hunt for malicious images deployed on them following an exploitation of a vulnerability. This makes network devices a blind spot for security practitioners and allows attackers to hide in them and maintain stealth for long periods, while also using them to gain foothold in a targeted network.

BOLDMOVE Linux Analysis

BOLDMOVE is a fully featured backdoor written in C and compiled with GCC 11.2.1. When executed it performs a system survey and is capable of receiving commands from a C2 server that in turn allow attackers to control the file system, spawn a remote shell, or relay traffic via the infected host.

Based on indicators from the original Fortinet advisory, Mandiant was able to identify multiple Linux versions of BOLDMOVE. There are a core set of features across all observed instances of BOLDMOVE, Windows and Linux, and at least one Linux sample contained extended capabilities enabling it to alter specific behaviors and functionality of Fortinet devices, namely FortiGate Firewalls.

Core Features

Upon execution, BOLDMOVE attempts to form a session with a hard-coded C2 server. Once it is established, it performs a system survey to collect information that identifies the infected machine to the C2. Information collected is outlined in Table 1. 

Subsequently, the C2 may send commands for execution that allow attackers to control the infected device. Command codes across platforms and versions of BOLDMOVE may vary but their core capabilities do not appear to change and include:

The Linux iteration of BOLDMOVE leverages several statically compiled libraries to implement its functionality: 

• An undetermined and likely custom library used for event handling (reminiscent of libevent). It operates in a single-threaded mode, wherein each action is scheduled and executed as an event callback. It may allude to the fact that the developers aimed for supporting the infection of single core devices, among others. 
• WolfSSL (also compiled in a single-threaded mode), which facilitates SSL encrypted communication to the C2 server.  
• Musl libc

Upon failure, the malware reruns itself in a new process. In addition, if the malware is executed with a command line argument, it would not initiate the backdoor logic but rather attempt to execute the provided argument as a new process. 

Prior to starting the backdoor's logic, the malware calls the signal function in order to ignore the signals SIGCHLD, SIGHUP, SIGPIPE.

Extended Features

The extended version of BOLDMOVE (MD5: 3191cb2e06e9a30792309813793f78b6) contains all the aforementioned functionality but with additional features.

The extended version contains Execution Guardrails (T1480) by verifying that it is executing from a specific path. It accomplishes this in the following manner:

1. Retrieving its own path from /proc/self/exe
2. Obtaining an inode from this resultant path via fstatat
3. Obtain a secondary inode from the statically defined path /bin/wxd
4. Comparing these two inode records

The extended version contains a command that can perform Indicator Blocking (T1562.006) by disabling Fortinet daemons miglogd and syslogd.It also contains a command enabling it to patch memory address spaces of the same logging daemons. Due to Mandiant being unable to obtain those executables from Fortinet devices, we are unable to accurately determine the nature of those patches. However, Mandiant assesses it is likely that they are intended to disable a logging capability during the backdoor’s run-time. Each patch data is kept in the following struct:

struct st_log_patch_struct

{

    char fortigate_version_name[24];

    __int64 target_addr1;

    __int64 patch_bytes1;

    __int64 target_addr2;

    __int64 patch_bytes2;

}log_patch_struct;

Table 4 in Appendix A summarizes the targeted FortiGate Devices, their corresponding patched addresses, and bytes.

Additionally, the extended version of BOLDMOVE contains a command capable of modifying proprietary Fortinet logs on the system. It checks the following paths:

• /tmp/log
• /var/log/log
• /var/log

For filenames matching the format:

• elog
• offset/elog.ofs
• offset/elog.<index>.cidx

One of BOLDMOVE’s extended variant commands is capable of decompressing, parsing, and overwriting the undocumented structure pertaining to those proprietary log files allowing the attacker to modify chosen parts of the logs.

The extended version contains a Watchdog like feature that may enable the malware to persist across upgrades. To accomplish this, BOLDMOVE monitors two files via the fstatat function:

If the size of these files differs, BOLDMOVE performs the following actions:

• Creates a backup of the legitimate file /data/lib/libips.so stored at /data/lib/libiptcp.so
• Overwrites the legitimate library /data/lib/libips.so with a trojanized version of it located at /data/lib/libgif.so

Thus, if there were to be a system patch that replaced /data/lib/libips.so and the malware was still executing, it would be able to undo the patch and maintain execution.

In addition, the extended version contains a command that allows the attackers to send requests to an internal Fortinet service, possibly to modify device settings or expose internal parts of the associated network to the internet. BOLDMOVE reads the contents of /dev/cmdb/vdom and parses its information to retrieve a numeric value, which may be associated with a virtual domain on the device. Then it creates a connection to “127.0.0.1”, localhost, over an attacker provided port. This suggests that a server is expected to run on that port locally. The command handler facilitates sending attacker-chosen data over the established connection and sending back any retrieved response back to the C2.

Table 3 outlines some of the differences between the Windows and Linux variants of BOLDMOVE that were identified by Mandiant:

The survey and commands are functionally equivalent amongst both Linux and Windows.

Windows and Linux Variant Comparison

Table 3 shows the distinction between the Windows and Linux variants of BOLDMOVE. Most importantly, the Windows variant appears to have been compiled a year before the Linux variants. This discrepancy in time could indicate that the attackers have been developing BOLDMOVE and possibly using it in the wild since that time. The differences may offer insight into the functionality and intended use of the malware.

• There are a few differences in choices of libraries that were statically compiled into each of the variants. While the WolfSSL library was used in Linux in order to encrypt traffic, the Windows variant does not make use of it.  In addition, the Linux version leverages a statically compiled Musl libc library as opposed to standard libc functions imported as a result of compiling the Windows variant with MinGW. The usage of the Musl libc in the Linux variant along with a library that facilitates an event driven communication with the C2 server, could indicate that the Linux version is generally intended to be used on embedded devices, and devices with low processing power.
• Mandiant assesses that the BOLDMOVE Linux variant was deployed on Fortinet devices after a successful exploitation of CVE-2022-42475. However, the method for initial infection from the Windows variant is currently unclear. With that in mind, a private class C IP address (192.168.120[.]206) that was used in the Windows variant could indicate that it was used to communicate with an infected device inside the network following lateral movement or was merely used for testing.

Acknowledgment

Mandiant would like to acknowledge Fortinet’s assistance in sharing information, coordinating, and analyzing Mandiant’s findings to verify its veracity.

Appendix A: Patches

Table of patches made in memory addresses of miglogd and syslogd logging daemons on various FortiGate versions by the extended Linux version of the BOLDMOVE backdoor. Those patches are made seemingly in order to weaken logging mechanisms during the malware’s run-time.

Appendix B: IOCs

• Basic BOLDMOVE
  • MD5: 12e28c14bb7f7b9513a02e5857592ad7
  • SHA256: 3da407c1a30d810aaff9a04dfc1ef5861062ebdf0e6d0f6823ca682ca08c37da
• Extended BOLDMOVE
  • MD5: 3191cb2e06e9a30792309813793f78b6
  • SHA256: 0184e3d3dd8f4778d192d07e2caf44211141a570d45bb47a87894c68ebebeabb
• Windows version of BOLDMOVE
  • MD5: 54bbea35b095ddfe9740df97b693627b
  • SHA256: 61aae0e18c41ec4f610676680d26f6c6e1d4d5aa4e5092e40915fe806b679cd4