PSIRT Blogs
Affected Platforms: FortiOS
Impacted Users: Government & large organizations
Impact: Data loss and OS and file corruption
Severity Level: High
Fortinet published the CVSS Critical advisory FG-IR-22-398 / CVE-2022-42475 on December 12, 2022. The following writeup details our initial investigation into this malware and the additional IoCs identified during our ongoing analysis.
As mentioned in the advisory, we detected this issue in the wild and were able to collect a sample of the malware along with related network traffic.
The malware was a variant of a generic Linux implant customized for FortiOS. The following information was gathered during the forensic filesystem and binary analysis of the received appliance.
Libips.bak
The suspicious binary was located at /data/lib/libips.bak. This file may be masquerading as a component of Fortinet’s IPS Engine, located at /data/lib/libips.so. The file /data/lib/libips.so was present, but with a zero file size.
Here is an image of the /data/lib directory:
Libgif.so, libips.bak, and libiptcp.so are not part of any FortiOS components or processes.
Libips.bak appears to be a trojanized version of the IPS Engine, which is normally located at /data/lib/libips.so. A diff comparing libips.bak with a clean libips.so from the same FortiOS build shows that the two files differ only up to roughly the 0x1900 byte mark; after that point they are byte-for-byte identical. Below is a screenshot of libips.bak (top) and the clean libips.so (bottom): libips.bak contains data in the region where libips.so does not.
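The prefix-only divergence described above can be confirmed without a hex editor. The following Python script is an added example written for this post, not Fortinet tooling: it locates the first and last differing offsets between a suspect library and a clean copy from the same build, and reports how many tail bytes are shared. The sample inputs are constructed to mimic the pattern seen here (a patched prefix of 0x1900 bytes followed by an identical tail); the function and variable names are our own.

```python
import hashlib
from pathlib import Path


def divergence_window(a: bytes, b: bytes):
    """Return (first, last) offsets of the region where a and b differ (last is
    inclusive), or None when the two inputs are identical."""
    if a == b:
        return None
    n = min(len(a), len(b))
    first = next((i for i in range(n) if a[i] != b[i]), n)
    if len(a) != len(b):
        # A length mismatch is itself a difference that extends to the longer end.
        last = max(len(a), len(b)) - 1
    else:
        last = next(i for i in range(n - 1, -1, -1) if a[i] != b[i])
    return first, last


def compare_library(suspect: bytes, clean: bytes) -> dict:
    """Summarise how a suspect build of a shared library relates to a clean one."""
    window = divergence_window(suspect, clean)
    summary = {
        "suspect_md5": hashlib.md5(suspect).hexdigest(),
        "clean_md5": hashlib.md5(clean).hexdigest(),
        "same_size": len(suspect) == len(clean),
        "identical": window is None,
    }
    if window is not None:
        first, last = window
        summary.update({
            "first_diff": hex(first),
            "last_diff": hex(last),
            # True when only a leading region was replaced (the libips.bak pattern).
            "prefix_only_patch": first == 0,
            # Bytes after the last difference that both files share.
            "shared_tail_bytes": max(len(suspect), len(clean)) - (last + 1),
        })
    return summary


def compare_files(suspect_path: str, clean_path: str) -> dict:
    """Convenience wrapper for two files carved from a forensic image."""
    return compare_library(Path(suspect_path).read_bytes(), Path(clean_path).read_bytes())


# Constructed sample data (not real FortiOS bytes): a 0x1900-byte patched prefix
# followed by an identical 0x700-byte tail.
SAMPLE_CLEAN = b"\x00" * 0x1900 + b"\x42" * 0x700
SAMPLE_SUSPECT = b"\xff" * 0x1900 + b"\x42" * 0x700

if __name__ == "__main__":
    for k, v in compare_library(SAMPLE_SUSPECT, SAMPLE_CLEAN).items():
        print(f"{k}: {v}")
```

On a real case, feed compare_files() the carved /data/lib/libips.bak and a libips.so extracted from the matching firmware image; a prefix_only_patch result with a large shared tail is consistent with an export stub having been grafted onto an otherwise unmodified library.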
Libips.bak exports the functions ips_so_patch_urldb and ips_so_query_interface. These are the same exports as in the clean IPS engine binary, libips.so. Both exported functions lead to the same malicious code. If libips.bak is renamed to libips.so in the /data/lib directory, the malicious code is executed automatically, because components of FortiOS call these exported functions. The binary does not attempt to return to the clean IPS engine code, so IPS functionality is also compromised. Below is an example export function that immediately calls the malicious code.
The primary malicious code is shown below.
The malicious code begins by looping through file descriptors from 3 to 255. If it can duplicate the file descriptors, it will close both the duplicate and original descriptors.
Next, it reads /data/lib/libiptcp.so and writes the data to /data/lib/libjepg.so, then renames /data/lib/libjepg.so to /data/lib/libips.so. fork() is called multiple times early in this sequence, which appears to serve as an anti-debugging technique.
It then calls fork() once more. The child process reads from /data/lib/libgif.so and writes that data to /data/lib/libjepg.so. /data/lib/libjepg.so is then renamed as /data/lib/libips.so.
The parent process checks for read access to /var/.sslvpnconfigbk. This file is opened, then closed immediately. Finally, /data/lib/libipudp.so is executed with the argument "/data/lib/libipudp.so".
The files referenced in this code—libiptcp.so, libgif.so, .sslvpnconfigbk, and libipudp.so—could not be recovered.
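Two of the steps above are worth reproducing in a harmless form to understand what the artifacts on disk will look like. The following Python is an added example written for this post, not recovered malware code: it shows the dup()-based probe used to find and close inherited descriptors 3 through 255 (dup() fails with EBADF on a closed descriptor, so success means "open"), and the copy-to-temporary-name-then-rename staging that leaves libjepg.so absent and libips.so overwritten. Function names and the use of a scratch directory are our own; the example does not touch /data/lib.

```python
import os
import shutil
from pathlib import Path


def open_descriptors(lo: int = 3, hi: int = 255) -> list:
    """Return the open descriptors in [lo, hi], probing each with dup() the way
    the implant does: dup() succeeds only when the descriptor is open."""
    found = []
    for fd in range(lo, hi + 1):
        try:
            dup = os.dup(fd)
        except OSError:
            continue          # EBADF: nothing is open on this number
        os.close(dup)
        found.append(fd)
    return found


def close_inherited_descriptors(lo: int = 3, hi: int = 255) -> list:
    """Close every open descriptor in [lo, hi] (the implant's first action) and
    return the list that was closed."""
    closed = open_descriptors(lo, hi)
    for fd in closed:
        os.close(fd)
    return closed


def stage_replacement(src: Path, tmp: Path, dst: Path) -> int:
    """Copy src to tmp, then rename tmp over dst.  rename() is atomic, so dst is
    never observed half-written; the temporary name disappears afterwards.
    Returns the number of bytes installed at dst."""
    with open(src, "rb") as fin, open(tmp, "wb") as fout:
        shutil.copyfileobj(fin, fout)
    os.rename(tmp, dst)
    return dst.stat().st_size


def demo_staging(root: Path) -> dict:
    """Mirror the on-disk sequence in a scratch directory with constructed
    contents (no real FortiOS files are used)."""
    lib = root / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    (lib / "libiptcp.so").write_bytes(b"STAGE-1 payload bytes")   # constructed
    (lib / "libgif.so").write_bytes(b"STAGE-2 payload bytes")     # constructed
    (lib / "libips.so").write_bytes(b"")                          # zero-size, as observed
    # First pass: libiptcp.so -> libjepg.so -> libips.so
    stage_replacement(lib / "libiptcp.so", lib / "libjepg.so", lib / "libips.so")
    # Second pass (the forked child): libgif.so -> libjepg.so -> libips.so
    stage_replacement(lib / "libgif.so", lib / "libjepg.so", lib / "libips.so")
    return {
        "libips_content": (lib / "libips.so").read_bytes(),
        "libjepg_present": (lib / "libjepg.so").exists(),
    }


if __name__ == "__main__":
    import tempfile
    print("open fds 3-255 before:", open_descriptors())
    with tempfile.TemporaryDirectory() as d:
        print(demo_staging(Path(d)))
```

The staging result explains why libjepg.so appears in the artifact list yet is unlikely to be found on a live box: it only exists between the copy and the rename. The zero-size libips.so seen on the appliance is consistent with the original library having been truncated before the trojanized copy was installed.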
Wxd.conf
The format of this config file is similar to that of "Fast reverse proxy” found at https://github.com/fatedier/frp. This tool is described as "a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet."
Logs on the appliance contain records of the configured server IP address, 188[.]34[.]130[.]40. The tool sends traffic to that server on ports 80, 443, and 444.
Network packet captures obtained and analyzed by the FortiGuard Labs Threat Research Team identified suspicious traffic headed to 103[.]131[.]189[.]143. The major findings of this analysis are highlighted below.
Communications with the suspicious server at 103[.]131[.]189[.]143 served two primary purposes: (1) downloading payloads and (2) receiving and executing commands. Payloads were hosted on 103[.]131[.]189[.]143 using a Python (SimpleHTTP) server listening on port 30080.
The FortiGuard Labs Threat Research team was unable to recover the payloads because the packet captures were largely truncated or missing.
TCP stream 1894 contained the connection made to 103[.]131[.]189[.]143 listening on port 30443, which was an interactive shell session.
Through our detailed investigation of the PCAPs, an additional IoC was uncovered.
185[.]174[.]136[.]20
The identification of this IoC led to a folder on the server containing binaries built specifically for relevant FortiGate hardware versions.
Using a YARA rule created by the FortiGuard Threat Research Team, we were able to hunt for similar file samples. This also allowed us to identify the /var/w files that were seen being executed in the PCAPs but could not be obtained directly from the file system.
From the analysis of the collected /var/w files samples, we found that the attacker uses advanced capabilities to manipulate FortiOS logging, as follows:
By emulating the malware's execution, we found a unique string of bytes in its communication with its command & control server that can be used for an IPS signature.
The following network indicators were found as part of the original and supplemental analysis (original IoCs are bolded). For details on how to search on your FortiGate device for evidence of these indicators, see the following Knowledgebase Article.
Presence of the following artifacts in the filesystem:
/data/lib/libips.bak
/data/lib/libgif.so
/data/lib/libiptcp.so
/data/lib/libipudp.so
/data/lib/libjepg.so
/var/.sslvpnconfigbk
/data/etc/wxd.conf
/flash
High Confidence
188[.]34[.]130[.]40 (port 444 observed)
103[.]131[.]189[.]143 (ports 30080,30081,30443,20443 observed)
193[.]36[.]119[.]61 (ports 8443,444 observed)
172[.]247[.]168[.]153 (port 8033 observed)
139[.]180[.]184[.]197
66[.]42[.]91[.]32
158[.]247[.]221[.]101
107[.]148[.]27[.]117
139[.]180[.]128[.]142
155[.]138[.]224[.]122
185[.]174[.]136[.]20
45[.]86[.]229[.]220
45[.]86[.]231[.]71
139[.]99[.]35[.]116
139[.]99[.]37[.]119
194[.]62[.]42[.]105
185[.]250[.]149[.]32
137[.]175[.]30[.]138
146[.]70[.]157[.]133
Older Actor IPs
156[.]251[.]162[.]76
156[.]251[.]163[.]122
156[.]251[.]163[.]19
156[.]251[.]162[.]111
Files from /var/w
Hashes of post-exploitation implants—MD5
f68c3f72270800ea675889e82bb02fb8
e3f640d8785c0c864739529889b1863a
08cbaafb176ce6118f7e4e0b2d2d77cf
bdc2d2f5d5246f8956711bcce9f456b6
4548fa6625cb154ab320833186117393
e5d989b651b3eb351e10e408d5a062b3
3191cb2e06e9a30792309813793f78b6
12e28c14bb7f7b9513a02e5857592ad7
ae0839351721db5a9c269fd75dcb57ce
856341349dd954d82b112ba9165c4563
Windows sample found on VT with significant code similarity to the samples found on FortiGates
54bbea35b095ddfe9740df97b693627b
The JA3 fingerprint of the malware's SSL/TLS client connection appears to be unique to the malware and can be used to detect an attack:
bf2b95ac267823f6588b2436bc537b26
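For readers who want to match the JA3 above against their own captures, the following Python is an added example written for this post (not a Fortinet tool): it parses a TLS ClientHello record, builds the JA3 string from the client version, cipher suites, extension types, supported groups and EC point formats (GREASE values dropped, as the JA3 specification requires), and hashes it with MD5. The ClientHello bytes are constructed for the example and do not come from the malware's traffic, so their fingerprint will not equal the IoC; the IoC set holds the hash published above.

```python
from __future__ import annotations
import hashlib
import struct

# GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are excluded from JA3 fields.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}

# JA3 published in this post for the malware's C2 client connection.
MALWARE_JA3 = {"bf2b95ac267823f6588b2436bc537b26"}


def ja3_from_client_hello(record: bytes) -> tuple:
    """Return (ja3_string, ja3_md5) for a TLS record carrying a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                   # client_version + random
    pos += 1 + body[pos]                           # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # compression_methods

    exts, groups, formats = [], [], []
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            exts.append(etype)
            if etype == 0x000a:                    # supported_groups
                glen = struct.unpack("!H", data[0:2])[0]
                groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + glen, 2)]
            elif etype == 0x000b:                  # ec_point_formats
                formats = list(data[1:1 + data[0]])

    def keep(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    ja3 = ",".join([str(version), keep(ciphers), keep(exts), keep(groups),
                    "-".join(str(f) for f in formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def matches_malware_ja3(record: bytes) -> bool:
    return ja3_from_client_hello(record)[1] in MALWARE_JA3


# Constructed ClientHello (not captured traffic): TLS 1.2, one GREASE cipher,
# SNI "ab", supported_groups with a GREASE entry, ec_point_formats, sig_algs,
# and an empty GREASE extension.
SAMPLE_CLIENT_HELLO = b"".join([
    bytes.fromhex("16 03 01 00 62"),               # record header, 98 bytes follow
    bytes.fromhex("01 00 00 5e"),                  # ClientHello, 94-byte body
    bytes.fromhex("03 03"), b"\x11" * 32,          # version, random
    bytes.fromhex("00"),                           # empty session id
    bytes.fromhex("00 08 0a 0a c0 2b c0 2f 00 2f"),  # cipher suites
    bytes.fromhex("01 00"),                        # compression: null
    bytes.fromhex("00 2d"),                        # extensions length (45)
    bytes.fromhex("00 00 00 07 00 05 00 00 02 61 62"),          # server_name
    bytes.fromhex("00 0a 00 0a 00 08 2a 2a 00 1d 00 17 00 18"), # supported_groups
    bytes.fromhex("00 0b 00 02 01 00"),                         # ec_point_formats
    bytes.fromhex("00 0d 00 06 00 04 04 03 08 04"),             # signature_algorithms
    bytes.fromhex("3a 3a 00 00"),                               # GREASE extension
])

if __name__ == "__main__":
    s, h = ja3_from_client_hello(SAMPLE_CLIENT_HELLO)
    print(s, h, "IoC match:", matches_malware_ja3(SAMPLE_CLIENT_HELLO))
```

To use it on a capture, extract the first record of each client-to-server TLS stream (for example with a pcap library) and pass it to matches_malware_ja3(). Bear in mind that JA3 identifies a client implementation, not a destination: treat a hit as a strong lead to be confirmed against the IP list above rather than as proof on its own.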
The complexity of the exploit suggests an advanced actor:
Fortinet will continue to track this threat actor activity. To mitigate this issue, we recommend that all customers immediately take the actions recommended in the Critical Advisory, FG-IR-22-398. Additional guidance has been provided here for how to search for the IoCs. Should you identify that your system is showing indicators of compromise, please reach out to Fortinet for support.
Fortinet will continue to monitor this incident and will update this blog with information as it is found.
The Fortinet Antivirus engine detects all binaries discussed in this blog using the following AV signatures:
The WebFiltering client blocks all network-based URIs.
A Fortinet Outbreak Alert Package has been created for FortiAnalyzer to detect and report on all traffic to or from IPs within the IoC range specified and will be included in Outbreak Alert Package DB 1.00083.
https://www.fortiguard.com/updates/outbreak-detection-service?version=1.00083
Details on how to search for these IoCs can be found in the following Fortinet Community Tech Tip:
Fortinet has released IPS signatures to proactively protect our customers from the CVE-2022-42475 exploit and from the C&C channel, respectively:
FortiOS.SSL-VPN.Heap.Buffer.Overflow
Bakso.Linux.Backdoor