Unknown hackers recently targeted certain US government networks with a zero-day vulnerability (opens in new tab) found in a Fortinet product.
While the targets or degree of success are not currently known, details are available regarding the zero-day used in the attack. We also know that it has been patched in the meantime, with Fortinet urging customers to apply the fix immediately.
According to a BleepingComputer report on the attack, the threat actors exploited CVE-2022-41328 – an inappropriate path name restriction to a restricted directory (path traversal) vulnerability [CWE-22] in FortiOS, which allowed a privileged attacker to “read and write arbitrary files via crafted CLI commands,” Fortinet advises. In other words, hackers could have executed unauthorized code or commands.
The list of affected products includes FortiOS versions 6.0, 6.2, as well as 6.4.0 through 6.4.11, FortiOS versions 7.0.0 through 7.0.9, and FortiOS versions 7.2.0 through 7.2.3. Safe versions are 6.4.12 and later, 7.0.10 and later, and 7.2.4 and later.
A week before news of the patch broke, the company released a report saying the CVE was used to disable “multiple FortiGate firewall devices” belonging to one of its customers.
According to the company’s analysis, the attacks were “highly targeted,” with the hackers specifically targeting government networks. These threat actors operate with “sophisticated capabilities,” the researchers said, including reverse engineering operating system components of FortiGate devices.
Via: Bleeping Computer (opens in new tab)