New Boldmove Malware Used to Backdoor Fortinet Devices

A new custom Windows and Linux malware dubbed “BOLDMOVE” was used to exploit a recently disclosed vulnerability in FortiOS SSL-VPN. The vulnerability was fixed in November and then disclosed by Fortinet in December. It allows remote, unauthenticated attackers to crash affected devices as well as execute code on them remotely. Mandiant reported that the vulnerability was exploited in a threat campaign involving BOLDMOVE, ongoing since October 2022, that is specifically crafted to target FortiOS devices. The malware is linked to a suspected Chinese APT and is a full-featured backdoor whose core capabilities include the following, among many others:

  • System surveying
  • Receiving commands from C2 Server
  • Remote shell
  • Traffic relaying

While the Windows and Linux versions are very similar, Mandiant believes the Windows version was compiled in 2021. Additionally, only the Linux variant specifically targets FortiOS devices. For example, some additional capabilities that the Linux version has are:

  • Modification of Fortinet logs
  • Disablement of logging daemons
  • Sending requests to internal Fortinet services

Analyst Notes

BOLDMOVE demonstrates the value of two key things: patching and a defense-in-depth strategy. Because this malware spreads primarily through FortiOS devices, which have minimal logging capabilities, it can go undetected for long periods of time. Patching, however, would mitigate the threat, as patched systems would not be vulnerable in the first place; with up-to-date patching the malware cannot spread unchecked through the environment, which makes patching the best defense against it. A defense-in-depth strategy is also important for dealing with threats such as this one. Because the Fortinet devices themselves offer minimal detection capabilities, it is important to have detection rules that catch malware like this at a different stage of the attack chain. One possible detection is to watch for the disablement of logging daemons.
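As an added example (not code from the original post or from Mandiant), one way to implement the detection suggested above: a stopped logging daemon cannot announce itself on the device, but the log collector can notice a Fortinet log source that goes silent while its peers keep reporting. The syslog-like line format, device names and timestamps below are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample feed as seen by a collector: one line per device per
# five-minute interval. fw-edge-2 stops reporting after 10:05 while fw-edge-1
# keeps going, which is the pattern a disabled logging daemon would produce.
SAMPLE_LOGS = """\
2023-01-20T10:00:00Z fw-edge-1 event: heartbeat
2023-01-20T10:00:00Z fw-edge-2 event: heartbeat
2023-01-20T10:05:00Z fw-edge-1 event: heartbeat
2023-01-20T10:05:00Z fw-edge-2 event: heartbeat
2023-01-20T10:10:00Z fw-edge-1 event: heartbeat
2023-01-20T10:15:00Z fw-edge-1 event: heartbeat
2023-01-20T10:20:00Z fw-edge-1 event: heartbeat
"""


def parse_lines(text):
    """Yield (timestamp, device) pairs from the constructed log lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, device, _rest = line.split(" ", 2)
        yield datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), device


def last_seen_by_device(text):
    """Map each device to the timestamp of its most recent log line."""
    last_seen = {}
    for ts, device in parse_lines(text):
        if device not in last_seen or ts > last_seen[device]:
            last_seen[device] = ts
    return last_seen


def find_silent_devices(text, now, max_gap):
    """Return devices whose last log line is older than max_gap relative to now.

    Devices that have never logged are unknown to this check; pair it with an
    inventory of expected log sources in a real deployment.
    """
    last_seen = last_seen_by_device(text)
    return sorted(dev for dev, ts in last_seen.items() if now - ts > max_gap)


if __name__ == "__main__":
    now = datetime(2023, 1, 20, 10, 20)
    for dev in find_silent_devices(SAMPLE_LOGS, now, timedelta(minutes=10)):
        print(f"ALERT: no logs from {dev} in the last 10 minutes")
```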