
New Boldmove Linux malware used to backdoor Fortinet devices
2023-01-20 16:02

The attackers were focused on maintaining persistence on exploited devices, using the custom malware to patch the FortiOS logging processes so that specific log entries could be removed, or to disable the logging process altogether.

Yesterday, Mandiant published a report about a suspected Chinese espionage campaign leveraging the FortiOS flaw since October 2022 using a new 'BOLDMOVE' malware explicitly designed for attacks on FortiOS devices.

BOLDMOVE is a full-featured backdoor written in C that enables Chinese hackers to gain higher-level control over the device, with the Linux version specifically created to run on FortiOS devices.

The most significant difference between the Linux and Windows versions is that one of the Linux variants contains functionality that specifically targets FortiOS devices.

This version of BOLDMOVE can send requests to internal Fortinet services, allowing attackers to send network requests to the entire internal network and spread laterally to other devices.

The appearance of a custom-made backdoor for one of these perimeter devices demonstrates the threat actors' deep understanding of how perimeter network devices operate and the initial access opportunity they represent.


News URL

https://www.bleepingcomputer.com/news/security/new-boldmove-linux-malware-used-to-backdoor-fortinet-devices/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Linux 11 64 2312 1489 67 3932
Fortinet 76 15 312 265 80 672