CVE-2022-42475 Detection: Zero-Day Vulnerability in FortiOS SSL-VPN Exploited in Attacks Against Government Entities and Large Organizations

CVE-2022-42475 Detection

Stay alert! Security researchers are warning the global cyber defender community of a zero-day vulnerability in FortiOS SSL-VPN, which was patched in December 2022. The security flaw tracked as CVE-2022-42475 and resulting in unauthenticated remote code execution (RCE) has been exploited in targeted attacks against government agencies and large organizations across the globe. 

Detect CVE-2022-42475: Critical Heap-Buffer Overflow Vulnerability Resulting in Unauthenticated Remote Code Execution

In view of an increasing number of attacks actively exploiting this vulnerability to target government organizations, timely detection and proactive cyber defense are critical to protecting public infrastructure from possible intrusions. To leave no chance for attackers to go undetected, SOC Prime’s Detection as Code Platform offers a batch of dedicated Sigma rules detecting exploitation attempts of the CVE-2022-42475. 

FortiOS – Heap-Based Buffer Overflow in sslvpnd Exploitation Indicators [CVE-2022-42475] (via web)

This rule has been developed by the SOC Prime Team to identify exploitation patterns of the critical heap-buffer overflow in FortiOS SSL-VPN related to targeted attacks against government institutions. The detection is compatible with 16 SIEM, EDR, and XDR solutions and aligned with the MITRE ATT&CK® framework v12 addressing the Initial Access tactics with Exploit Public-Facing Applications (T1190) as a corresponding technique.

Possible FortiOS – heap-based buffer overflow in sslvpnd exploitation indicators [CVE-2022-42475]

Above is another Sigma rule by the SOC Prime Team to identify exploitation indicators for CVE-2022-42475. The detection is accompanied by translations to 14 SIEM, EDR, and XDR formats and aligned with MITRE ATT&CK addressing Initial Access and Privilege Escalation tactics with Exploit Public-Facing Applications (T1190) and Exploitation for Privilege Escalation (T1068) as corresponding techniques. 

Over 750 Sigma rules for emerging vulnerabilities are at hand! Hit the Explore Detections button to instantly access the relevant threat detection content, corresponding CTI links, ATT&CK references, threat hunting ideas, and detection engineering guidance. 

Explore Detections

CVE-2022-42475 Analysis

According to the latest SOC Prime’s Detection as Code Innovation report, proactive vulnerability exploitation ranks as one of the top detection content priorities of 2021-2022. At the turn of 2023, threat actors don’t slow down their attempts to take advantage of security flaws. 

Fortinet researchers have recently reported that unknown adversaries exploited a zero-day FortiOS vulnerability patched last month to attack state bodies and large organizations. The identified vulnerability in FortiOS SSL-VPN (CVE-2022-42475) leveraged in these attacks is a heap-based buffer overflow bug, which enables hackers to perform remote code execution (RCE) and cripple compromised systems via specifically generated requests. 

Fortinet uncovered this vulnerability tracked as CVE-2022-42475 in mid-December 2022. Due to the reported cases of its active exploitation in the wild, the company rolled out a security advisory sharing recommendations to validate the system against the list of provided IOCs. The network security company also released relevant patches by fixing the bug in FortiOS 7.2.3 version and issued a signature for IPS so the vendor’s customers could protect their environments.

However, on January 1, 2023, Fortinet released a follow-up detailing that adversaries exploited CVE-2022-42475 to take advantage of compromised FortiOS instances to spread malware, which turned out to be a Trojanized version of the IPS Engine. The company’s researchers admitted that the exploitation attempts were performed by sophisticated adversaries aimed at launching targeted attacks against government-affiliated organizations. 

In the ongoing campaign, threat actors have leveraged advanced techniques to maintain persistence and evade detection, which contributes to the overall attack complexity. The vulnerability exploitation enables attackers to drop the malicious samples that manipulate log files and are capable of destroying the FortiOS logging processes. According to Fortinet’s research, the hackers’ final target was to spread the custom Linux implant to cripple the IPS anti-malware capabilities of the targeted devices and connect to a remote server fostering the delivery of more payloads and enabling command execution.

Highly sophisticated attacks that involve a profound understanding of the FortiOS environment, the use of generic implants and reverse engineering techniques point to the assumption that threat actors linked to this campaign possess advanced capabilities and pose a challenge to cyber defenders. To identify the malicious activity associated with advanced persistent threats, dive into SOC Prime’s detection content repository aggregating 900+ rules for APT-related tools and attacks. Get 200+ for free at https://socprime.com/ or reach all rules with On Demand at https://my.socprime.com/pricing.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts