Official forum for Utopia Community
The zero-day exploitation of a now-patched, moderate-severity vulnerability in Fortinet FortiOS has been linked to a suspected Chinese hacking group.
Threat intelligence firm Mandiant, which made the attribution, said the activity was part of a broader campaign to backdoor Fortinet and VMware solutions and maintain persistent access to victims' environments. The Google-owned threat intelligence and incident response company tracks the malicious activity under its uncategorized designation UNC3886, a China-nexus threat actor.
"UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate within their networks and the tools they use in their campaigns," Mandiant researchers said in a technical analysis. "UNC3886 has been observed targeting firewalls and virtualization technologies that lack EDR support. Their ability to manipulate firewall firmware and exploit zero-day vulnerabilities indicates that they have deep knowledge of such technologies."
This adversary was previously associated with another intrusion set that targeted VMware ESXi and Linux vCenter servers as part of a hyperjacking campaign that deployed backdoors such as VIRTUALPITA and VIRTUALPIE. Mandiant's latest disclosure came as Fortinet revealed that government bodies and large organizations had fallen victim to unidentified threat actors who exploited a zero-day flaw in Fortinet's FortiOS software to cause data loss and corruption of the operating system and files.
The vulnerability, tracked as CVE-2022-41328 (CVSS score: 6.5), is a FortiOS path traversal bug that could lead to arbitrary code execution. It was fixed by Fortinet on March 7, 2023.
According to Mandiant, the UNC3886 attack targeted Fortinet's FortiGate, FortiManager and FortiAnalyzer devices to deploy two different implants, THINCRUST and CASTLETAP. This was made possible by the FortiManager device being exposed to the internet.
THINCRUST is a Python backdoor capable of executing arbitrary commands and reading and writing files on disk. The persistence provided by THINCRUST is then used to deliver FortiManager scripts that exploit the FortiOS path traversal vulnerability to overwrite legitimate files and modify firmware images.
This includes a newly added payload called "/bin/fgfm" (referred to as CASTLETAP) that beacons out to an actor-controlled server so that it can accept incoming instructions to run commands, fetch payloads, and exfiltrate data from the compromised host.
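The post describes the FortiOS bug as a path traversal that let attacker-delivered scripts overwrite legitimate files. As an added illustration of that vulnerability class from the defensive side (this is not Fortinet's code and is not taken from Mandiant's report), the Python below canonicalises a requested path against an allowed base directory and rejects anything that escapes it, including percent-encoded and double-encoded `..` segments, then runs the same check over a few constructed request-log lines to flag traversal attempts. `BASE_DIR`, the log-line format and the sample paths are constructed assumptions for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed assumption: the only directory a file-handling endpoint may touch.
# This is a hypothetical path, not a real FortiOS or FortiManager location.
BASE_DIR = "/data/fmg_scripts"


class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside BASE_DIR."""


def resolve_within_base(requested: str, base: str = BASE_DIR) -> str:
    """Return the canonical absolute path for `requested` inside `base`.

    Percent-decoding is repeated a bounded number of times so that
    double-encoded sequences such as %252e%252e are also normalised before
    the '..' check. Backslashes are treated as separators, NUL bytes are
    refused, and a leading '/' is stripped so the request is always
    interpreted relative to `base`.
    """
    decoded = requested
    for _ in range(3):  # bounded: stops as soon as decoding changes nothing
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in path")
    decoded = decoded.replace("\\", "/")
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, decoded.lstrip("/")))
    # The resolved path must be the base itself or lie strictly beneath it.
    if candidate != base_norm and not candidate.startswith(base_norm + "/"):
        raise PathTraversalError(f"path escapes base: {requested!r}")
    return candidate


def is_traversal_attempt(requested: str) -> bool:
    """True when `requested` cannot be confined to BASE_DIR."""
    try:
        resolve_within_base(requested)
    except PathTraversalError:
        return True
    return False


# Constructed sample request log: timestamp, method, URL, status.
SAMPLE_LOG = [
    "2023-03-08T10:11:12Z GET /api/files?path=scripts/daily.sh 200",
    "2023-03-08T10:11:13Z GET /api/files?path=../../bin/fgfm 200",
    "2023-03-08T10:11:14Z PUT /api/files?path=%2e%2e%2f%2e%2e%2fbin%2ffgfm 200",
    "2023-03-08T10:11:15Z GET /healthz 200",
]

_PATH_PARAM = re.compile(r"[?&]path=([^\s&]+)")


def flag_traversal_requests(lines):
    """Return the log lines whose `path` parameter escapes BASE_DIR."""
    flagged = []
    for line in lines:
        m = _PATH_PARAM.search(line)
        if m and is_traversal_attempt(m.group(1)):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for hit in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The check is deliberately done on the canonical path rather than by searching for the literal string `..`, which is why the encoded variants in the sample log are caught while a harmless `sub/../ok.txt` that stays inside the base is allowed.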