New Boldmove Linux malware used to backdoor Fortinet devices (Security News, January 2023)

The attackers focused on maintaining persistence on exploited devices: the custom malware patches the FortiOS logging processes so that specific log entries can be removed, or logging can be disabled altogether.
Yesterday, Mandiant published a report on a suspected Chinese espionage campaign that has exploited the FortiOS flaw since October 2022 using a new malware family, 'BOLDMOVE', built specifically for attacks on FortiOS devices.
BOLDMOVE is a full-featured backdoor written in C that gives the Chinese operators high-level control over the compromised device; the Linux version was created specifically to run on FortiOS devices.
The most significant difference between the Linux and Windows versions is that one of the Linux variants contains functionality that specifically targets FortiOS devices.
This variant of BOLDMOVE can send requests to internal Fortinet services and issue network requests into the internal network behind the appliance, giving the attackers a foothold from which to move laterally to other devices.
The appearance of a backdoor custom-built for one of these perimeter devices shows the threat actors' deep understanding of how such devices operate and of the initial-access opportunity they represent.
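The log-tampering technique described at the top of this article is the reason defenders forward appliance logs off the box: an entry that has already reached a collector cannot be patched out by malware running on the appliance, and a device that stops sending is itself a signal. The following is an added example, not code from Mandiant's report or from Fortinet. It parses FortiOS-style key=value syslog lines (the sample lines, device names and timestamps are constructed; the field names date, time, devname, logid, type, subtype and msg are modelled on the FortiOS log format) and flags two things a collector can still see when the on-device log has been doctored: a device that goes quiet for longer than its normal cadence, and entries present in the forwarded copy but absent from the device's own log export.

```python
"""Detect on-device log suppression from an off-box (forwarded) log stream.

Added example; not Mandiant's or Fortinet's code. Sample data is constructed,
field names are modelled on FortiOS key=value syslog output.
"""
from datetime import datetime, timedelta
import shlex

# Constructed sample of what a collector received from two appliances.
# fw-edge-1 goes silent between 10:10 and 10:55; fw-edge-2 stops at 10:10.
OFFBOX_TEXT = """\
date=2023-01-18 time=10:00:00 devname="fw-edge-1" logid="0100032001" type="event" subtype="system" msg="Administrator admin logged in successfully from ssh(203.0.113.10)"
date=2023-01-18 time=10:05:00 devname="fw-edge-1" logid="0000000013" type="traffic" subtype="forward" msg="allow"
date=2023-01-18 time=10:10:00 devname="fw-edge-1" logid="0000000013" type="traffic" subtype="forward" msg="allow"
date=2023-01-18 time=10:55:00 devname="fw-edge-1" logid="0000000013" type="traffic" subtype="forward" msg="allow"
date=2023-01-18 time=10:00:00 devname="fw-edge-2" logid="0000000013" type="traffic" subtype="forward" msg="allow"
date=2023-01-18 time=10:05:00 devname="fw-edge-2" logid="0000000013" type="traffic" subtype="forward" msg="allow"
date=2023-01-18 time=10:10:00 devname="fw-edge-2" logid="0000000013" type="traffic" subtype="forward" msg="allow"
"""

# Constructed on-device export: identical, except the admin-login entry has
# been deleted on the appliance (the selective-removal case).
ONBOX_TEXT = "\n".join(
    line for line in OFFBOX_TEXT.splitlines() if 'logid="0100032001"' not in line
)

# "Now" for the stale-device check; fixed so the example is deterministic.
NOW = datetime(2023, 1, 18, 11, 0, 0)


def parse_kv_line(line):
    """Parse one key=value log line into a dict; shlex honours quoted values."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def parse_logs(text):
    """Parse a block of lines, attaching a datetime built from date + time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_kv_line(line)
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def find_silence_gaps(records, now, max_gap=timedelta(minutes=30)):
    """Per device, return (devname, gap_start, gap_end) for every pause between
    consecutive forwarded events, or between the last event and `now`, that
    exceeds max_gap. A chatty perimeter device that suddenly goes quiet is the
    off-box signature of logging being stopped on the appliance."""
    by_dev = {}
    for rec in records:
        by_dev.setdefault(rec["devname"], []).append(rec["ts"])
    alerts = []
    for dev, stamps in by_dev.items():
        stamps.sort()
        for prev, cur in zip(stamps, stamps[1:] + [now]):
            if cur - prev > max_gap:
                alerts.append((dev, prev, cur))
    return alerts


def find_removed_entries(offbox, onbox):
    """Return forwarded records that are missing from the device's own export.
    Records are matched on (devname, ts, logid, msg); anything the collector
    holds but the appliance no longer does was removed after forwarding."""
    def key(rec):
        return (rec["devname"], rec["ts"], rec["logid"], rec.get("msg", ""))
    present = {key(rec) for rec in onbox}
    return [rec for rec in offbox if key(rec) not in present]


OFFBOX = parse_logs(OFFBOX_TEXT)
ONBOX = parse_logs(ONBOX_TEXT)

if __name__ == "__main__":
    for dev, start, end in find_silence_gaps(OFFBOX, NOW):
        print(f"SILENCE {dev}: no events from {start:%H:%M} to {end:%H:%M}")
    for rec in find_removed_entries(OFFBOX, ONBOX):
        print(f"REMOVED {rec['devname']} {rec['ts']:%H:%M:%S} logid={rec['logid']} msg={rec['msg']!r}")
```

The silence threshold should be set per device from its observed cadence rather than a fixed 30 minutes; a busy edge firewall that forwards traffic logs normally never stays quiet that long, while a lightly used one might. The removed-entry check only works if the on-device export is pulled by an independent path (for example over the management interface from the collector side), since a backdoor that can patch the logging process can also shape what an export run from the device itself returns.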
Related news
- Seven Malicious Go Packages Found Deploying Malware on Linux and macOS Systems
- Outlaw Group Uses SSH Brute-Force to Deploy Cryptojacking Malware on Linux Servers
- Chinese Hackers Target Linux Systems Using SNOWLIGHT Malware and VShell Tool
- Over 16,000 Fortinet devices compromised with symlink backdoor
- Experts Uncover New XorDDoS Controller, Infrastructure as Malware Expands to Docker, Linux, IoT
- Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems