UNC3886 Exploits Fortinet and VMware Vulnerabilities, Uses Covert Measures for Prolonged Surveillance
The cyber espionage group linked to the exploitation of vulnerabilities in Fortinet, Ivanti, and VMware products is using a range of techniques to maintain persistent access to compromised systems.
“The methods used by this group include targeting network hardware, virtualization platforms, and virtual machines, ensuring multiple entry points are available even if one is discovered and neutralized,” detailed a new report by experts at Mandiant.
The specific threat actor in focus is UNC3886, characterized by the threat intelligence team at Google as “sophisticated, careful, and difficult to trace.”
The group's activity has exploited then-undisclosed (zero-day) vulnerabilities such as CVE-2022-41328 (Fortinet FortiOS), CVE-2022-22948 (VMware vCenter), and CVE-2023-20867 (VMware Tools) to carry out a range of malicious actions, including deploying backdoors and harvesting credentials for deeper access.
The group was also seen exploiting CVE-2022-42475, another vulnerability affecting Fortinet FortiGate, shortly after the vendor publicly disclosed it.
The infiltration campaigns mainly targeted organizations in North America, Southeast Asia, and Oceania, with additional victims located in Europe, Africa, and various other parts of Asia. The victims belonged to sectors such as government, telecommunications, technology, aerospace, defense, and energy.
A hallmark of UNC3886 is its development of evasion techniques to bypass security products, enabling prolonged, undetected surveillance of government and enterprise networks.
This includes the use of the open-source rootkits Reptile and Medusa on guest virtual machines (VMs), with Medusa deployed via an installer component named SEAELF.
“Unlike the REPTILE rootkit, which offers interactive access with rootkit functionalities, MEDUSA has the capabilities to log user credentials from successful authentications, local or remote, as well as executing commands,” Mandiant highlighted. “These functionalities aid UNC3886 in moving laterally using valid credentials.”
The attackers also deployed two backdoors, MOPSLED and RIFLESPINE, that abuse trusted services such as GitHub and Google Drive as command-and-control (C2) channels.
MOPSLED, an evolution of the Crosswalk malware, is a shellcode-based modular implant that communicates over HTTP to retrieve plugins from a GitHub C2 server, while RIFLESPINE is a versatile tool that uses Google Drive for file transfer and command execution.
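Because the C2 traffic described above blends into legitimate GitHub and Google Drive traffic, a useful defensive control is to correlate the destination with the role of the source host and with the timing of the requests. The following is an added example, not code from the article or from Mandiant: a small proxy-log triage script that flags infrastructure hosts (hypervisors, vCenter, the TACACS server) contacting those services at all, and checks whether the requests recur at near-constant intervals, which is a common beaconing pattern. The log format, the asset inventory, the host names used for the two services, and every log line are constructed for illustration.

```python
"""
Proxy-log triage for infrastructure hosts talking to GitHub or Google Drive.
Added example; the inventory, log format and sample lines are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from statistics import mean, pstdev

# How the two services are assumed to appear as proxy destinations (assumption).
WATCHED_DOMAINS = {
    "api.github.com": "GitHub",
    "raw.githubusercontent.com": "GitHub",
    "www.googleapis.com": "Google Drive",
    "drive.google.com": "Google Drive",
}

# Constructed asset inventory: roles with no business reason to reach
# developer or file-sharing services from the management network.
RESTRICTED_ROLES = {"esxi-host", "vcenter", "tacacs-server"}
INVENTORY = {
    "10.0.1.10": "esxi-host",
    "10.0.1.20": "vcenter",
    "10.0.2.5": "tacacs-server",
    "10.0.3.40": "developer-workstation",
}

# Constructed log format: "<epoch> <client_ip> <method> <host> <path>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<src>[\d.]+)\s+(?P<method>\w+)\s+(?P<host>[\w.-]+)\s+(?P<path>\S+)$"
)

# Constructed sample lines: an ESXi host polling GitHub every 300 s, vCenter
# reaching Google Drive once, and a developer workstation using GitHub normally.
SAMPLE_LOG = [
    "1700000000 10.0.1.10 GET api.github.com /repos/example-org/plugins/contents/p1.bin",
    "1700000050 10.0.3.40 GET api.github.com /repos/example-org/app/pulls",
    "1700000070 10.0.3.40 GET api.github.com /repos/example-org/app/issues",
    "1700000100 10.0.1.20 POST www.googleapis.com /upload/drive/v3/files",
    "1700000120 10.0.1.10 GET vcsa.example.internal /sdk",
    "1700000300 10.0.1.10 GET api.github.com /repos/example-org/plugins/contents/p1.bin",
    "1700000600 10.0.1.10 GET api.github.com /repos/example-org/plugins/contents/p1.bin",
    "1700000900 10.0.1.10 GET api.github.com /repos/example-org/plugins/contents/p1.bin",
    "1700001000 10.0.3.40 GET api.github.com /repos/example-org/app/commits",
]


def parse_line(line: str) -> dict | None:
    """Parse one constructed-format log line; return None for unparseable input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    return rec


def is_regular(timestamps: list[int], max_cv: float = 0.1) -> bool:
    """True when three or more requests are spaced at near-constant intervals.

    Uses the coefficient of variation (stddev / mean) of the gaps between
    consecutive requests; a low value means a fixed polling period.
    """
    if len(timestamps) < 3:
        return False
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv


def find_suspect_flows(lines: list[str]) -> list[dict]:
    """Return one finding per (restricted host, service) pair seen in the log."""
    buckets: dict[tuple[str, str, str], list[int]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] not in WATCHED_DOMAINS:
            continue
        role = INVENTORY.get(rec["src"], "unknown")
        if role not in RESTRICTED_ROLES:
            continue  # workstations and unknown hosts are out of scope here
        buckets[(rec["src"], role, WATCHED_DOMAINS[rec["host"]])].append(rec["ts"])
    findings = []
    for (src, role, service), ts in sorted(buckets.items()):
        findings.append({
            "src": src,
            "role": role,
            "service": service,
            "requests": len(ts),
            "beaconing": is_regular(ts),
        })
    return findings


if __name__ == "__main__":
    for f in find_suspect_flows(SAMPLE_LOG):
        flag = "BEACONING" if f["beaconing"] else "one-off"
        print(f"{f['src']} ({f['role']}) -> {f['service']}: {f['requests']} requests, {flag}")
```

The role check does most of the work: a hypervisor or a TACACS server has no reason to fetch files from GitHub, so even a single request is worth a ticket, while the interval check separates a scheduled plugin poll from a one-off download. In a real deployment the inventory would come from a CMDB and the log format from the proxy in use; the thresholds here are starting points, not tuned values.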
Mandiant also observed UNC3886 using compromised SSH clients to harvest credentials after exploiting CVE-2023-20867, and using Medusa to deploy custom SSH servers for the same purpose.
“The initial attempt by the threat actor to expand their control over network assets by targeting the TACACS server involved the use of LOOKOVER,” highlighted the report. “LOOKOVER is a C-written sniffer that decodes TACACS+ authentication packets, decrypting them and saving the content to a specified file path.”
Some of the malware families observed in attacks on VMware environments include:
- A malicious version of a legitimate TACACS daemon with credential-interception capabilities
- VIRTUALSHINE, a backdoor based on VMware VMCI sockets that provides shell access
- VIRTUALPIE, a Python-based backdoor supporting file transfer, arbitrary command execution, and reverse shell functionality
- VIRTUALSPHERE, a controller module for a VMCI-based backdoor
Virtual machines have increasingly attracted threat actors in recent years because of their widespread use in cloud platforms.
“A compromised VM not only reveals the data within the instance but also the permissions allocated to it,” explained Palo Alto Networks Unit 42. “Given that compute workloads like VMs are typically transient and unchangeable, the risk presented by a compromised identity arguably outweighs that of compromised data within a VM.”
Organizations are advised to follow the guidance in the Fortinet and VMware security advisories to protect against these threats.