Fortinet exploits: Attackers tampered with firewall firmware

“System enters error-mode due to FIPS error: Firmware Integrity self-test failed” suggests compromises.

Attackers targeting government secrets tampered with the firmware of Fortinet’s FortiGate firewall devices in a series of sophisticated attacks, the security vendor has warned, sharing IOCs in the wake of the incident.

The unknown attackers modified the device firmware image (/sbin/init) to launch a persistent payload (/bin/fgfm) before the boot process began that allowed them to download and write files, open remote shells and exfiltrate data after attacks that began with the exploitation of CVE-2022-41328, which affects FortiOS.

The following versions are affected Fortinet said in its advisory.

  • FortiOS version 7.2.0 through 7.2.3
  • FortiOS version 7.0.0 through 7.0.9
  • FortiOS version 6.4.0 through 6.4.11
  • FortiOS 6.2 all versions
  • FortiOS 6.0 all versions

The Fgfm malware scrutinizes ICMP packets, said Fortinet: “Whenever an ICMP packet contains the string “;7(Zu9YTsA7qQ#vm”, it knows it’s a ping from the attacker and must extract an IP address from the packet. Once that’s done, it establishes a connection back to that address… which acts as a C&C server. It can then perform various actions depending on the commands it receives from the C&C server.”

See also: Firmware security in the spotlight after novel ransomware attacks

Fortinet’s investigation was prompted by a sudden system halt and subsequent boot failure of multiple FortiGate devices of a customer, it said, with affected devices left showing the following error message.

“System enters error-mode due to FIPS error: Firmware Integrity self-test failed”

"The attack is highly targeted, with some hints of preferred governmental or government-related targets," the company said, adding that the exploits required a “deep understanding of FortiOS and the underlying hardware. Custom implants show that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS” it added, calling for Fortinet customers to rapidly patch to a protected version.

Fortinet exploits: Indicators of Compromise

System/Logs

  • String “execute wireless-controller hs20-icon upload-icon”
  • String “User FortiManager_Access via fgfmd upload and run script”

Network

  • 47.252.20.90

File Hashes

  • Auth - b6e92149efaf78e9ce7552297505b9d5
  • Klogd - 53a69adac914808eced2bf8155a7512d
  • Support - 9ce2459168cf4b5af494776a70e0feda
  • Smit - e3f342c212bb8a0a56f63490bf00ca0c
  • Localnet - 88711ebc99e1390f1ce2f42a6de0654d
  • Urls.py - 64bdf7a631bc76b01b985f1d46b35ea6
  • Views.py - 3e43511c4f7f551290292394c4e21de7
  • Fgfm - e2d2884869f48f40b32fb27cc3bdefff

Follow The Stack on LinkedIn