Fortinet Vulnerabilities Targeted as APT41 Deploys KEYPLUG

Threat Group: APT41 (RedGolf, BrazenBamboo, Grayfly, Wicked Panda)
Threat Type: APT, Malware, Backdoor
Exploited Vulnerabilities: CVE-2023-48788 (FortiClient EMS), CVE-2022-40684 (FortiOS/FortiProxy/FortiSwitchManager)
Malware Used: KEYPLUG (Windows and Linux variants), DEEPDATA (distinct APT41 toolset)
Threat Score: 🔥 Critical (8.8/10) – Due to threat actor sophistication, vulnerability severity, and cross-platform malware capabilities.
Last Threat Observation: April 20, 2024


Overview

This advisory offers a comprehensive analysis of the relationship between APT41, Fortinet vulnerabilities CVE-2023-48788 and CVE-2022-40684, and the deployment of the KEYPLUG backdoor. While APT41 is confirmed to use KEYPLUG and exploit Fortinet products, no evidence currently verifies the deployment of KEYPLUG via either Fortinet vulnerability. Instead, these are distinct events involving the same actor but separate campaigns.

APT41, operating with state backing from China, has leveraged vulnerabilities like Log4Shell (CVE-2021-44228) to deploy KEYPLUG across Linux and Windows targets. Fortinet vulnerabilities have been exploited by various actors, with CVE-2022-40684 confirmed as used by APT41 and CVE-2023-48788 actively exploited to deliver RMM tools by others.

This report separates myth from fact, providing detailed technical breakdowns, validated timelines, IoCs, and mitigation guidance.


Key Findings

  • APT41 is a threat actor conducting both state-sponsored espionage and financially motivated operations, active since at least 2012, with extensive toolsets and a broad global targeting scope.
  • CVE-2023-48788 is a critical SQL injection flaw in FortiClient EMS that allows unauthenticated remote code execution via xp_cmdshell.
  • CVE-2022-40684 is an authentication bypass on FortiOS systems enabling remote admin control.
  • KEYPLUG has been deployed by APT41 following Log4j exploitation but not yet observed following Fortinet CVEs.
  • No direct campaign confirming KEYPLUG deployment via the Fortinet vulnerabilities could be validated.
  • IoCs initially attributed to KEYPLUG in some sources were actually linked to DEEPDATA, a separate APT41 malware platform.

Threat Actor: APT41

APT41, also referred to as Double Dragon, is noted for simultaneously conducting state-sponsored espionage and financially driven cybercrime. The group is known for:

  • Exploiting zero-days and vulnerabilities in network edge devices.
  • Using custom malware such as KEYPLUG, DEEPDATA, PlugX, DUSTPAN, and Cobalt Strike.
  • Maintaining long dwell times and persistence through rootkits and credential theft.
  • Conducting supply chain attacks and phishing, and abusing LOLBins (Living off the Land Binaries).

Their malware arsenal and targeting span multiple industries, including governments, healthcare, education, media, manufacturing, and logistics across every continent.


Exploited Vulnerabilities

CVE-2023-48788 – FortiClient EMS SQL Injection

  • CVSS: 9.8 Critical
  • Affected Versions: FortiClient EMS 7.2.0–7.2.2 and 7.0.1–7.0.10
  • Enables SQL injection and RCE via xp_cmdshell
  • Exploited since March 2024
  • Observed payloads: Atera, ConnectWise Control, PowerShell scripts, Metasploit – no KEYPLUG linkage

CVE-2022-40684 – FortiOS Authentication Bypass

  • CVSS: 9.8 Critical
  • Affected Versions: FortiOS 7.2.0–7.2.1, FortiProxy, FortiSwitchManager
  • Enables administrative access via crafted Forwarded and User-Agent HTTP headers
  • Actively exploited since October 2022
  • Confirmed use by APT41, Hafnium, and OilRig
  • Post-exploitation activities: SSH key injection, new user creation, configuration theft
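The post-exploitation artefacts listed above (new admin accounts, SSH key changes, configuration theft) are what log monitoring for this flaw should key on. The scanner below is an added example, not code from this advisory or from Fortinet; the log lines are constructed in FortiOS's key=value event-log style, and the field names (cfgpath, cfgattr, ui, action) and the trusted-source allowlist are assumptions for the illustration.

```python
import re

# Matches key="quoted value" or key=bareword pairs in a FortiOS-style event line.
KV_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')

# Constructed sample lines (not real telemetry); field names are assumptions.
SAMPLE_LOGS = [
    'date=2022-10-14 time=03:12:41 type="event" subtype="system" logdesc="Object configured" user="admin" ui="https(203.0.113.9)" action="Add" cfgpath="system.admin" cfgobj="support_acct" msg="Add system.admin support_acct"',
    'date=2022-10-14 time=03:13:02 type="event" subtype="system" logdesc="Attribute configured" user="admin" ui="https(203.0.113.9)" action="Edit" cfgpath="system.admin" cfgobj="admin" cfgattr="ssh-public-key1[changed]" msg="Edit system.admin admin"',
    'date=2022-10-14 time=03:14:17 type="event" subtype="system" logdesc="Config backup" user="admin" ui="https(203.0.113.9)" action="backup" msg="Configuration backup via GUI"',
    'date=2022-10-14 time=09:00:00 type="event" subtype="system" logdesc="Attribute configured" user="netops" ui="https(10.0.0.5)" action="Edit" cfgpath="firewall.policy" cfgobj="42" cfgattr="comments[changed]" msg="Edit firewall.policy 42"',
]

ADMIN_SOURCES = {"10.0.0.5"}  # assumed trusted management network


def parse_line(line):
    """Turn one key=value log line into a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        key = m.group(1) or m.group(3)
        fields[key] = m.group(2) if m.group(1) else m.group(4)
    return fields


def source_ip(fields):
    """Extract the client IP embedded in the ui field, e.g. https(203.0.113.9)."""
    m = re.search(r"\(([\d.]+)\)", fields.get("ui", ""))
    return m.group(1) if m else None


def classify(fields):
    """Return the reasons a line matches the post-exploitation patterns, if any."""
    reasons = []
    path = fields.get("cfgpath", "")
    action = fields.get("action", "").lower()
    if path == "system.admin" and action == "add":
        reasons.append("new admin account")
    if path == "system.admin" and "ssh-public-key" in fields.get("cfgattr", ""):
        reasons.append("ssh key change on admin")
    if "backup" in action or "backup" in fields.get("logdesc", "").lower():
        reasons.append("config backup")
    src = source_ip(fields)
    if reasons and src and src not in ADMIN_SOURCES:
        reasons.append(f"from non-allowlisted source {src}")
    return reasons


def scan(lines):
    """Yield (time, user, reasons) for every line worth an analyst's attention."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        reasons = classify(fields)
        if reasons:
            hits.append((fields.get("time"), fields.get("user"), reasons))
    return hits
```

Run against real FortiOS event logs, the same three checks (admin object added, SSH key attribute edited, backup taken) surface the activity the advisory lists; tune ADMIN_SOURCES to your management subnet.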

Malware Used: KEYPLUG

  • Modular backdoor attributed to APT41
  • Supports Linux and Windows payloads
  • First observed deployed via Log4j (CVE-2021-44228) in 2021–2022
  • Capabilities include command execution, persistence, data exfiltration
  • Known C2 infrastructure includes microsoftfile[.]com and 103.224.80[.]44
  • Not confirmed in Fortinet-related campaigns

Distinct from:

  • DEEPDATA, which has been used in conjunction with a different, unpatched FortiClient vulnerability (mid-2024).

Campaign Analysis

The assertion of a direct attack chain (APT41 → Fortinet CVEs → KEYPLUG) is not substantiated. The following timeline applies:

  • 2021–2022: APT41 deploys KEYPLUG after exploiting Log4j
  • October 2022: CVE-2022-40684 exploited in the wild; APT41 implicated
  • March 2024: CVE-2023-48788 exploitation begins; used to deploy RMM tools

No verified reports confirm the use of KEYPLUG via these Fortinet vulnerabilities. The supposed campaign appears to be a conflation of overlapping but separate activity by the same actor.


Known Indicators of Compromise (IoCs)

CVE

  • CVE-2024-23108
  • CVE-2024-23109

FileHash-MD5

  • 71842588ace7442bee095dab2782f253
  • 90a7fa13f9fad5626d166ef3c0e14c0d

FileHash-SHA1

  • 1567b74dfcdf7c4c2454f2b84ecee915d9bb3f11
  • 6b325f1cd5626d15c10b45793ffe88edf4ca07a9

FileHash-SHA256


IPv4

  • 154[.]31[.]217[.]200

Domain

  • combinechina[.]com


Mitigation and Prevention

Vendor Guidance:

  • CVE-2023-48788: Patch EMS to 7.2.3 or 7.0.11+
  • CVE-2022-40684: Patch FortiOS, FortiProxy, FortiSwitchManager to recommended versions
  • Disable HTTP/S admin interface if patching is delayed

General Best Practices:

  • Enforce MFA across all admin access
  • Harden perimeter devices with ACLs and disable unused services
  • Use EDR solutions to detect post-exploitation activity
  • Monitor logs for abnormal processes and authentication attempts
  • Conduct regular threat hunting and system baselining
  • Train users on phishing and reporting abnormal behavior

Risk Assessment

  • Overall Threat Level: High
  • Exploited vulnerabilities affect widely deployed systems
  • APT41 remains active, resourced, and adaptable
  • RCE and Admin Bypass flaws give attackers full control
  • Campaigns can lead to espionage, ransomware, and data exfiltration

Conclusion

APT41’s continued exploitation of edge infrastructure vulnerabilities, including in Fortinet products, demands immediate remediation. Although a direct chain from Fortinet flaws to KEYPLUG deployment is not validated, the components involved each represent serious threats. Security teams should monitor for overlapping IoCs, stay informed on APT41’s evolving toolsets, and reinforce layered defences.


Sources: