Chinese Hackers Exploit Fortinet Zero-Day Flaw for Cyber Espionage Attack - POKIKA

March 18, 2023 | Ravi Lakshmana | Network Security / Cyber Espionage

A zero-day exploit of a now-patched medium-severity security flaw in the Fortinet FortiOS operating system has been linked to a suspected Chinese hacking group.

Threat intelligence firm Mandiant, which reported the attribution, said the activity cluster was part of a broader campaign designed to deploy backdoors on Fortinet and VMware solutions and maintain persistent access to victims’ environments.

The Google-owned threat intelligence and incident response company is tracking the malicious activity under its uncategorized moniker UNC3886, a China-nexus threat actor.

“UNC3886 is an advanced cyberespionage group with unique capabilities in how they operate on the network, as well as the tools they use in their campaigns,” Mandiant researchers said in a technical analysis.

UNC3886 has been observed targeting firewall and virtualization technologies that lack EDR support. Their ability to manipulate firewall firmware and exploit a zero-day shows that they have reached a deeper level of understanding of such technologies.

It’s worth noting that the adversary was previously linked to another intrusion set that targeted VMware ESXi and Linux vCenter servers as part of a hyperjacking campaign designed to deploy backdoors such as VIRTUALPITA and VIRTUALPIE.

Mandiant’s latest disclosure comes as Fortinet revealed that government agencies and large organizations were victimized by an unknown threat actor exploiting a zero-day flaw in the Fortinet FortiOS software, resulting in data loss and OS and file corruption.

The vulnerability, reported as CVE-2022-41328 (CVSS score 6.5), refers to a path traversal error in FortiOS that could lead to arbitrary code execution. It was patched by Fortinet on March 7, 2023.
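The flaw described above is a path traversal bug: a caller-supplied path is combined with a base directory without checking that the result still lies inside that directory. The following added example, which is not code from the page, from Fortinet or from Mandiant, shows the flawed join pattern next to a hardened version that resolves the path first and then checks containment. The base directory `/data/config` and the request paths are constructed for illustration and say nothing about FortiOS internals.

```python
import os


def unsafe_join(base_dir: str, user_path: str) -> str:
    """The flawed pattern: join and normalise, but never check containment.

    A caller-controlled "../" sequence (or an absolute path) resolves to a
    location outside base_dir, which is exactly what a path traversal bug is.
    """
    return os.path.normpath(os.path.join(base_dir, user_path))


def safe_join(base_dir: str, user_path: str) -> str:
    """Resolve user_path under base_dir and refuse anything that escapes it.

    realpath() collapses "..", "." and symlinks before the check, so the
    comparison is made on the path that would actually be opened.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath() is component-aware: it rejects "/data/config_old" as a
    # child of "/data/config", which a plain startswith() check would accept.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return candidate


def check_requests(base_dir: str, requests: list[str]) -> dict[str, str]:
    """Hypothetical helper: classify each request path as 'ok' or 'rejected'."""
    results = {}
    for req in requests:
        try:
            safe_join(base_dir, req)
            results[req] = "ok"
        except ValueError:
            results[req] = "rejected"
    return results


if __name__ == "__main__":
    base = "/data/config"  # constructed base directory; it does not need to exist
    samples = ["images/fw.out", "../../etc/passwd", "/etc/passwd", "images/../../secret"]
    verdicts = check_requests(base, samples)
    for p in samples:
        print(f"{p!r}: unsafe -> {unsafe_join(base, p)}, hardened -> {verdicts[p]}")
```

Note that the hardened version also rejects an absolute request path: `os.path.join` discards the base directory when the second argument is absolute, so a containment check that only looks for `..` would miss that case.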

According to Mandiant, the attacks carried out by UNC3886 targeted Fortinet’s FortiGate, FortiManager and FortiAnalyzer devices to deploy two different implants, THINCRUST and CASTLETAP. This, in turn, was made possible by the fact that the FortiManager device was exposed to the Internet.

THINCRUST is a Python backdoor that can execute arbitrary commands and read from and write to files on disk.

The persistence provided by THINCRUST is then used to push FortiManager scripts that weaponize the FortiOS path traversal flaw to overwrite legitimate files and modify firmware images.

This includes a newly added “/bin/fgfm” binary (called CASTLETAP) that beacons to an actor-controlled server to accept incoming commands, allowing it to run commands, retrieve payloads, and exfiltrate data from the compromised host.

“When CASTLETAP was deployed on FortiGate firewalls, the threat actor connected to ESXi and vCenter machines,” the researchers explained. “The threat actor deployed VIRTUALPITA and VIRTUALPIE to assert persistence, allowing continued access to hypervisors and guest machines.”

Alternatively, on FortiManager devices that enforce Internet access restrictions, the threat actor is said to have pivoted through the FortiGate firewall compromised with CASTLETAP to drop the REPTILE (“/bin/klogd”) backdoor onto the network management system in order to regain access.
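The passages above describe the defender's problem in concrete terms: legitimate files overwritten, firmware images modified, and new binaries (“/bin/fgfm”, “/bin/klogd”) added to appliances that run no EDR. The practical check is an offline comparison of a file manifest taken from the device against a golden manifest from a clean image of the same firmware version. The following added example, which is not code from the page, from Fortinet or from Mandiant, implements that comparison over sha256sum-style manifests. The manifests are constructed inline: the digests are computed from made-up byte strings so that none of them is a real indicator, and `/bin/example_unchanged` and `/bin/example_daemon` are placeholder names for legitimate binaries; only the two backdoor paths come from the article.

```python
import hashlib


def parse_manifest(text: str) -> dict[str, str]:
    """Parse 'sha256  path' lines (the output format of sha256sum) into {path: digest}.

    Blank lines and '#' comments are skipped so a manifest can carry notes.
    """
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)
        manifest[path.strip()] = digest.lower()
    return manifest


def compare_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files that were added, removed, or whose content hash changed since the baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample data. Digests are derived from made-up strings, so no
# value below is a real file hash; the placeholder binaries are hypothetical.
BASELINE_MANIFEST = f"""# constructed golden manifest from a clean firmware image
{_sha256(b'unchanged binary')}  /bin/example_unchanged
{_sha256(b'clean daemon')}  /bin/example_daemon
"""

CURRENT_MANIFEST = f"""# constructed manifest collected from the running device
{_sha256(b'unchanged binary')}  /bin/example_unchanged
{_sha256(b'overwritten daemon')}  /bin/example_daemon
{_sha256(b'newly added beacon')}  /bin/fgfm
{_sha256(b'newly added backdoor')}  /bin/klogd
"""


def audit(baseline_text: str = BASELINE_MANIFEST, current_text: str = CURRENT_MANIFEST) -> dict[str, list[str]]:
    """Run the comparison; any 'added' or 'modified' entry is a finding to investigate."""
    return compare_manifests(parse_manifest(baseline_text), parse_manifest(current_text))


if __name__ == "__main__":
    for kind, paths in audit().items():
        print(f"{kind}: {', '.join(paths) if paths else '-'}")
```

The comparison is deliberately done on hashes rather than on file names alone: an implant that replaces a legitimate binary keeps the expected path and shows up only in the “modified” list, while a dropped binary appears under “added”. The golden manifest must come from a trusted image of the exact firmware build in use, otherwise every routine update looks like tampering.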

UNC3886 also uses a utility called TABLEFLIP at this stage, a traffic redirection program that lets the actor connect directly to the FortiManager device regardless of its access control list (ACL) rules.

This is far from the first time Chinese adversary groups have targeted network equipment to spread specific malware, with recent attacks taking advantage of other vulnerabilities in Fortinet and SonicWall appliances.

The disclosure also comes as threat actors develop and deploy exploits faster than ever before, with 28 vulnerabilities exploited within seven days of public disclosure, a 12% increase over 2021 and an 87% increase over 2020, according to Rapid7.

This is also significant, especially as hacking groups aligned with China have become “particularly adept” at exploiting zero-day vulnerabilities and installing specific malware to steal user credentials and maintain long-term access to targeted networks.

“[…] This is further evidence that advanced cyber espionage threat actors are leveraging any available technology to secure and breach a target environment, especially technologies that do not support EDR solutions,” said Mandiant.
