Chinese Hackers Exploit Fortinet Zero-Day Flaw for Cyber Espionage Attack

Mar 18, 2023 | Ravie Lakshmanan | Network Security / Cyber Espionage

The zero-day exploitation of a now-patched medium-severity security flaw in Fortinet's FortiOS operating system has been linked to a suspected Chinese hacking group.

Threat intelligence firm Mandiant, which made the attribution, said the activity cluster was part of a broader campaign designed to deploy backdoors in Fortinet and VMware solutions and maintain continued access to victim environments.

The Google-owned threat intelligence and incident response firm tracks the malicious operations under its uncategorized moniker UNC3886, a China-nexus threat actor.

“UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on the network as well as the tools they use in their campaigns,” Mandiant researchers said in a technical analysis.

“UNC3886 has been observed targeting firewall and virtualization technologies without EDR support. Their ability to manipulate firewall firmware and exploit a zero-day indicates that they have curated a deeper level of understanding of such technologies.”

It is worth noting that the adversary has previously been linked to another intrusion set targeting VMware ESXi and Linux vCenter servers as part of a hyperjacking campaign designed to drop backdoors such as VIRTUALPITA and VIRTUALPIE.

The latest disclosure from Mandiant comes as Fortinet revealed that government entities and large organizations fell victim to an unknown threat actor that exploited a zero-day bug in Fortinet FortiOS software, resulting in data loss and OS and file corruption.

The weakness, tracked as CVE-2022-41328 (CVSS score: 6.5), concerns a path traversal bug in FortiOS that can lead to arbitrary code execution. It was patched by Fortinet on March 7, 2023.
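CVE-2022-41328 is described above as a path traversal bug, a class of flaw in which user-controlled path segments such as "../" let a request reach files outside the directory the application meant to confine it to. As an added illustration of the general defensive check, and not code from FortiOS, Fortinet or Mandiant, the hypothetical Python snippet below contrasts a naive path join with one that resolves the candidate path and verifies it still lies under the intended base directory. The directory and file names are constructed for the demo.

```python
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the allowed base directory."""


def naive_join(base_dir: str, user_path: str) -> str:
    # Vulnerable pattern (hypothetical, not FortiOS code): plain joining lets
    # "../" segments walk out of base_dir, and an absolute user_path discards
    # base_dir entirely.
    return os.path.join(base_dir, user_path)


def safe_join(base_dir: str, user_path: str) -> str:
    """Resolve user_path relative to base_dir and refuse anything that escapes it."""
    if os.path.isabs(user_path):
        raise PathTraversalError(f"absolute path not allowed: {user_path!r}")
    base_real = os.path.realpath(base_dir)
    # realpath collapses ".." segments and follows symlinks, so the containment
    # test below is done on the path that would actually be opened.
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathTraversalError(f"{user_path!r} escapes {base_dir!r}")
    return candidate


def escapes_base(base_dir: str, user_path: str) -> bool:
    """True when naive_join would land outside base_dir after resolution."""
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(naive_join(base_dir, user_path))
    return os.path.commonpath([base_real, target]) != base_real


def demo() -> dict:
    """Run safe_join over constructed requests against a scratch directory
    standing in for an appliance's configuration tree (hypothetical layout)."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "configs"))
        for requested in ("configs/fw.conf", "../../etc/passwd", "/etc/passwd"):
            try:
                safe_join(base, requested)
                results[requested] = "allowed"
            except PathTraversalError:
                results[requested] = "rejected"
    return results


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{path:>20}: {verdict}")
```

The containment test is done on the resolved path rather than by scanning the input for "../" substrings, because encodings, redundant separators and symlinks can all defeat a string match while still producing an out-of-tree path once resolved.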

According to Mandiant, the attacks mounted by UNC3886 targeted Fortinet’s FortiGate, FortiManager, and FortiAnalyzer appliances to deploy two different implants, THINCRUST and CASTLETAP. This, in turn, was made possible by the fact that the FortiManager device was exposed to the internet.

THINCRUST is a Python backdoor capable of executing arbitrary commands as well as reading and writing from and to disk files.

The persistence provided by THINCRUST is subsequently used to deliver FortiManager scripts that exploit the FortiOS path traversal flaw to overwrite legitimate files and modify firmware images.

This includes a newly added payload called “/bin/fgfm” (referred to as CASTLETAP) that beacons to an actor-controlled server to accept incoming instructions, allowing it to run commands, fetch payloads, and exfiltrate data from the compromised host.

“When CASTLETAP is deployed on the FortiGate firewall, the threat actor is connected to the ESXi and vCenter machines,” the researchers explained. “The threat actor deployed VIRTUALPITA and VIRTUALPIE to establish persistence, allowing for continued access to hypervisors and to guest machines.”

Alternatively, on FortiManager devices enforcing internet access restrictions, the threat actor is said to have pivoted from a FortiGate firewall compromised with CASTLETAP to drop a reverse shell backdoor named REPTILE (“/bin/klogd”) on the network management system to regain access.


UNC3886 at this stage also uses a utility called TABLEFLIP, a network traffic redirection tool, to connect directly to the FortiManager device regardless of the access-control list (ACL) rules in place.

This is far from the first time that Chinese adversarial collectives have targeted networking equipment to distribute custom malware, with recent attacks exploiting other vulnerabilities in Fortinet and SonicWall devices.

The revelation also comes as threat actors are developing and deploying exploits faster than ever, with as many as 28 vulnerabilities exploited within seven days of public disclosure, a 12% increase over 2021 and an 87% increase over 2020, according to Rapid7.

The finding is also significant, not least because China-aligned hacking crews have become “particularly knowledgeable” in exploiting zero-day vulnerabilities and deploying custom malware to steal user credentials and maintain long-term access to target networks.

“The activity […] is further evidence that advanced cyber espionage threat actors are exploiting any technology available to proceed and traverse a target environment, especially those technologies that do not support EDR solutions,” said Mandiant.