Security News > 2023 > January > New Boldmove Linux malware used to backdoor Fortinet devices
The attackers were focused on maintaining persistence on exploited devices by using the custom malware to patch the FortiOS logging processes so that specific log entries could be removed or to disable the logging process altogether.
Yesterday, Mandiant published a report about a suspected Chinese espionage campaign leveraging the FortiOS flaw since October 2022 using a new 'BOLDMOVE' malware explicitly designed for attacks on FortiOS devices.
BOLDMOVE is a full-featured backdoor written in C that enables Chinese hackers to gain higher-level control over the device, with the Linux version specifically created to run on FortiOS devices.
The most significant difference between the Linux and Windows versions is that one of the Linux variants contains functionality that specifically targets FortiOS devices.
This version of BOLDMOVE can send requests to internal Fortinet services, allowing attackers to send network requests to the entire internal network and spread laterally to other devices.
The appearance of a custom-made backdoor for one of those devices proves the threat actors' deep understanding of how perimeter network devices operate and the initial access opportunity they represent.
News URL
Related news
- FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux (source)
- New Auto-Color Linux backdoor targets North American govts, universities (source)
- New Linux Malware ‘Auto-Color’ Grants Hackers Full Remote Access to Compromised Systems (source)
- Seven Malicious Go Packages Found Deploying Malware on Linux and macOS Systems (source)