Attackers targeting government secrets tampered with the firmware of Fortinet’s FortiGate firewall devices in a series of sophisticated attacks, the security vendor has warned, sharing IOCs in the wake of the incident.
The unknown attackers modified the device firmware image (/sbin/init) to launch a persistent payload (/bin/fgfm) before the boot process began. The payload allowed them to download and write files, open remote shells and exfiltrate data. The attacks began with the exploitation of CVE-2022-41328, which affects FortiOS.
The following versions are affected, Fortinet said in its advisory:
- FortiOS version 7.2.0 through 7.2.3
- FortiOS version 7.0.0 through 7.0.9
- FortiOS version 6.4.0 through 6.4.11
- FortiOS 6.2 all versions
- FortiOS 6.0 all versions
The Fgfm malware scrutinizes ICMP packets, said Fortinet: “Whenever an ICMP packet contains the string ‘;7(Zu9YTsA7qQ#vm’, it knows it’s a ping from the attacker and must extract an IP address from the packet. Once that’s done, it establishes a connection back to that address… which acts as a C&C server. It can then perform various actions depending on the commands it receives from the C&C server.”
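For defenders, the ICMP trigger described above can be hunted for in captured traffic. The following is an added example, not code from Fortinet or from the original article: it parses raw IPv4 packets and flags ICMP payloads that contain the marker string. The function names and the sample packets (built from documentation address ranges) are constructed for illustration.

```python
import socket
import struct

# Marker string quoted in Fortinet's description of the implant (from the article).
MARKER = b";7(Zu9YTsA7qQ#vm"

def inspect_ipv4_packet(packet: bytes):
    """Return a finding dict if the packet is IPv4/ICMP and carries MARKER, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                        # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4           # header length; IP options make it > 20
    if ihl < 20 or len(packet) < ihl + 8 or packet[9] != 1:
        return None                        # malformed, no ICMP header, or not ICMP
    payload = packet[ihl + 8:]             # skip type, code, checksum, id, sequence
    if MARKER not in payload:
        return None
    return {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "icmp_type": packet[ihl],
        "offset": payload.index(MARKER),   # where the marker sits in the payload
    }

def build_sample(src, dst, proto, payload, options=b""):
    """Build a constructed test packet (checksums left zero; the scanner ignores them)."""
    ihl_words = 5 + len(options) // 4
    total = ihl_words * 4 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total, 0, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)    # echo request header
    return ip + options + icmp + payload

# Constructed sample traffic, RFC 5737 documentation addresses only.
SAMPLES = [
    build_sample("192.0.2.10", "198.51.100.1", 1, b"abcdefghijklmnop"),  # normal ping
    build_sample("203.0.113.7", "198.51.100.1", 1, b"\x00\x01" + MARKER + b"\x00"),
    build_sample("203.0.113.7", "198.51.100.1", 1, MARKER, options=b"\x01" * 4),
    build_sample("203.0.113.7", "198.51.100.1", 17, MARKER),  # not ICMP: ignored
]

def scan(packets):
    """Return findings for every packet that matches."""
    return [f for f in map(inspect_ipv4_packet, packets) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

The scanner reads the header length from the packet rather than assuming 20 bytes, so IP options do not hide the payload from the match.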
Fortinet’s investigation was prompted by the sudden system halt and subsequent boot failure of multiple FortiGate devices belonging to a customer, it said. The affected devices displayed the following error message:
“System enters error-mode due to FIPS error: Firmware Integrity self-test failed”
“The attack is highly targeted, with some hints of preferred governmental or government-related targets,” the company said, adding that the exploits required a “deep understanding of FortiOS and the underlying hardware. Custom implants show that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS.” It called on Fortinet customers to patch rapidly to a protected version.
Fortinet exploits: Indicators of Compromise
- String “execute wireless-controller hs20-icon upload-icon”
- String “User FortiManager_Access via fgfmd upload and run script”