Fortinet warns VPN users targeted by critical vulnerability

VPN-illustrasjon
(Image credit: Getty Images)

Hackers are actively targeting government organizations with malware and trojans, using known vulnerabilities in Fortinet VPN appliances. 

This is according to Fortinet itself, which published a security advisory earlier this week, urging users to deploy the patch immediately. The flaw is tracked as CVE-2022-42475, and is described as a heap-based buffer overflow in the FortiOS SSLVPN. It allows abusers to both crash the vulnerable endpoint, and use it to gain remote code execution (RCE) abilities.

The patch has been available since late November last year. FortiOS 7.2.3 fixes the issue.

Highly targeted attacks

This is not the first time Fortinet has urged users to apply this specifc patch - it also issued a warning in mid-December 2022.  This time around, Fortinet warned its customers that the flaw was being used to deploy a trojanized version of the PIS engine. 

"The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," the warning reads. "The discovered Windows sample attributed to the attacker displayed artifacts of having been compiled on a machine in the UTC+8 timezone, which includes Australia, China, Russia, Singapore, and other Eastern Asian countries."

threat actors put quite an effort into making sure they stay hidden, after compromising the endpoint. 

Some of the malware installed on FortiOS patches the logging process, allowing attackers to remove specific log entries and thus erase any evidence of their existence. Furthermore, they’ve been installing malware that tampers with the endpoints’ Intrusion Prevention System (IPS) as well.

"The malware patches the logging processes of FortiOS to manipulate logs to evade detection," Fortinet said. "The malware can manipulate log files. It searches for elog files, which are logs of events in FortiOS. After decompressing them in memory, it searches for a string the attacker specifies, deletes it, and reconstructs the logs."

The best way to protect your premises from these attacks is to make sure your FortiOS is updated. 

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.