
Fortinet exploits: Attackers tampered with firewall firmware


Attackers targeting government secrets tampered with the firmware of Fortinet’s FortiGate firewall devices in a series of sophisticated attacks, the security vendor has warned, sharing IOCs in the wake of the incident.

According to Fortinet, the unknown attackers modified /sbin/init in the device firmware image so that it launched a persistent payload, /bin/fgfm, before the rest of the boot process. The implant allowed them to download and write files, open remote shells and exfiltrate data. The attacks began with exploitation of CVE-2022-41328, a path traversal vulnerability in FortiOS.

The following versions are affected, Fortinet said in its advisory.

The fgfm malware scrutinizes ICMP packets, said Fortinet: “Whenever an ICMP packet contains the string ‘;7(Zu9YTsA7qQ#vm’, it knows it’s a ping from the attacker and must extract an IP address from the packet. Once that’s done, it establishes a connection back to that address… which acts as a C&C server. It can then perform various actions depending on the commands it receives from the C&C server.”
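The beacon behaviour Fortinet describes can be turned around into a network detection: parse ICMP traffic, look for the marker string in the echo data, and record the source and the address the implant would call back to. The block below is an added example written for this article, not Fortinet's code or the implant's; the sample packets, the addresses (all documentation ranges) and the helper names are constructed for it. The page does not say how the C2 address is encoded after the marker, so the example assumes an ASCII dotted quad immediately following it and reports `c2: None` when that assumption does not hold.

```python
"""Flag ICMP traffic that carries the fgfm beacon marker and extract the C2 address."""
import ipaddress
import re
import struct

# Marker string quoted in Fortinet's description of the fgfm implant.
MAGIC = b";7(Zu9YTsA7qQ#vm"

# ASSUMPTION: the page does not describe how the C2 address is encoded after
# the marker. This example assumes an ASCII dotted quad immediately following it.
_C2_RE = re.compile(re.escape(MAGIC) + rb"(\d{1,3}(?:\.\d{1,3}){3})")


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over data (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal IPv4 + ICMP echo request. Used only to construct test input."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def inspect_packet(pkt: bytes):
    """Return an alert dict if pkt is an IPv4 ICMP packet whose data holds MAGIC, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or pkt[9] != 1:      # malformed header, or not ICMP
        return None
    if inet_checksum(pkt[:ihl]) != 0:                  # a valid header checksums to zero
        return None
    icmp = pkt[ihl:]
    if len(icmp) < 8:
        return None
    data = icmp[8:]                                    # echo data after the 8-byte ICMP header
    if MAGIC not in data:
        return None
    match = _C2_RE.search(data)
    return {
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "icmp_type": icmp[0],
        "c2": match.group(1).decode() if match else None,   # None: marker seen, address not parsed
    }


def scan(packets):
    """Run inspect_packet over an iterable of raw IPv4 packets and collect the alerts."""
    return [alert for alert in map(inspect_packet, packets) if alert]


# Constructed sample traffic: one ordinary ping, one beacon with an address in the assumed
# encoding, and one beacon whose trailing bytes do not match it. Documentation addresses only.
SAMPLE_PACKETS = [
    build_icmp_echo("10.0.0.5", "192.0.2.1", b"abcdefghijklmnopqrstuvwabcdefghi"),
    build_icmp_echo("198.51.100.7", "192.0.2.1", MAGIC + b"203.0.113.9\x00"),
    build_icmp_echo("198.51.100.8", "192.0.2.1", MAGIC + b"\x01\x02\x03\x04"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS):
        print(alert)
```

Because the marker is a fixed string inside ICMP data, the same check can be expressed as an IDS content match on ICMP payloads; the Python version is useful for retrospective hunting over captured traffic, and the third sample shows why the alert should fire on the marker alone rather than waiting for a parsable address.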


Fortinet said its investigation was prompted by a sudden system halt and subsequent boot failure of multiple FortiGate devices belonging to one customer, with the affected devices left showing the following error message:

“System enters error-mode due to FIPS error: Firmware Integrity self-test failed”

“The attack is highly targeted, with some hints of preferred governmental or government-related targets,” the company said, adding that the exploits required a “deep understanding of FortiOS and the underlying hardware. Custom implants show that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS,” it added, calling for Fortinet customers to rapidly patch to a protected version.
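The tampering described above (a modified /sbin/init plus a new /bin/fgfm) is exactly the kind of change a file-level integrity check catches, and a failed firmware integrity self-test is what halted the affected devices. The block below is an added example, not Fortinet's code and not a description of how the FortiOS FIPS self-test is implemented: it hashes an extracted root filesystem and diffs it against a known-good manifest taken from a vendor image. The image contents, the paths other than /sbin/init and /bin/fgfm, and the hash_tree, build_manifest and verify_manifest helpers are all constructed for the example.

```python
"""Compare an extracted firmware root filesystem with a known-good manifest of file hashes."""
import hashlib
import os


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(image: dict) -> dict:
    """Map every path in a path -> bytes image to its SHA-256 (run on a clean vendor image)."""
    return {path: sha256_hex(content) for path, content in image.items()}


def hash_tree(root: str) -> dict:
    """Hash a real extracted rootfs on disk into the same path -> SHA-256 form (symlinks skipped)."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = sha256_hex(fh.read())
    return manifest


def verify_manifest(observed: dict, expected: dict) -> dict:
    """Report files whose hash differs, files absent from the manifest, and manifest files that are gone."""
    return {
        "modified": sorted(p for p in expected if p in observed and observed[p] != expected[p]),
        "added": sorted(p for p in observed if p not in expected),
        "missing": sorted(p for p in expected if p not in observed),
    }


def integrity_ok(report: dict) -> bool:
    """True only when nothing was modified, added or removed relative to the manifest."""
    return not (report["modified"] or report["added"] or report["missing"])


# Constructed stand-in for a clean image; real FortiOS binaries are ELF files, not shell scripts.
CLEAN_IMAGE = {
    "/sbin/init": b"#!/bin/sh\nexec /bin/init.real\n",
    "/bin/init.real": b"ELF placeholder: legitimate init",
    "/bin/busybox": b"ELF placeholder: busybox",
}

# Constructed tampered image mirroring the pattern the article describes: /sbin/init altered to
# start /bin/fgfm first, and /bin/fgfm added. The contents are placeholders, not the real implant.
TAMPERED_IMAGE = dict(CLEAN_IMAGE)
TAMPERED_IMAGE["/sbin/init"] = b"#!/bin/sh\n/bin/fgfm &\nexec /bin/init.real\n"
TAMPERED_IMAGE["/bin/fgfm"] = b"ELF placeholder: implant"

# The reference manifest must come from a trusted source (a vendor image hashed offline),
# never from the device under investigation, since the attacker controls that filesystem.
KNOWN_GOOD = build_manifest(CLEAN_IMAGE)

if __name__ == "__main__":
    report = verify_manifest(build_manifest(TAMPERED_IMAGE), KNOWN_GOOD)
    print("integrity ok:", integrity_ok(report))
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind:>8}: {path}")
```

For a real case the observed side comes from `hash_tree("/path/to/extracted/rootfs")` rather than an in-memory dict, and the report is read together with the device's own integrity error: a modified init and an unexpected binary are the findings that would explain a "Firmware Integrity self-test failed" halt.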

Fortinet exploits: Indicators of Compromise

System/Logs

Network

File Hashes

