Unknown hackers have recently targeted certain US government networks with a zero-day vulnerability (opens in new tab) found in a Fortinet product.
While the targets or the extent of success are not currently known, there are details available pertaining to the zero-day used in the attack. We also know that it’s been patched in the meantime, with Fortinet urging customers to apply the fix immediately.
According to a BleepingComputer report on the attack, the threat actors abused CVE-2022-41328 – an improper limitation of a pathname to a restricted directory vulnerability (‘path traversal’) [CWE-22] in FortiOS, which could have allowed a privileged attacker “to read and write arbitrary files via crafted CLI commands,” Fortinet’s advisory reads. In other words, hackers could have executed unauthorized code or commands.
The list of affected products includes FortiOS versions 6.0, 6.2, as well as 6.4.0 through 6.4.11, FortiOS version 7.0.0 through 7.0.9, and FortiOS version 7.2.0 through 7.2.3. Secure versions include 6.4.12 and later, 7.0.10 and later, and 7.2.4 and later.
A week before news of the patch broke, the company released a report in which it said the CVE was used to take down “multiple FortiGate firewall devices” belonging to one of its customers.
According to the company’s analysis, the attacks were “highly targeted”, with the hackers specifically favoring government networks. These threat actors operate with “advanced capabilities”, the researchers said, including reverse-engineering parts of the FortiGate devices’ operating system.
Via: BleepingComputer (opens in new tab)