Chinese Hackers Exploit Fortinet Zero-Day Flaw for Cyber Espionage Attack
The
zero-day
exploitation
of
a
now-patched
medium-severity
security
flaw
in
the
Fortinet
FortiOS
operating
system
has
been
linked
to
a
suspected
Chinese
hacking
group.
Threat
intelligence
firm
Mandiant,
which
made
the
attribution,
said
the
activity
cluster
is
part
of
a
broader
campaign
designed
to
deploy
backdoors
onto
Fortinet
and
VMware
solutions
and
maintain
persistent
access
to
victim
environments.
The
Google-owned
threat
intelligence
and
incident
response
firm
is
tracking
the
malicious
operation
under
its
uncategorized
moniker
UNC3886,
a
China-nexus
threat
actor.
“UNC3886
is
an
advanced
cyber
espionage
group
with
unique
capabilities
in
how
they
operate
on-network
as
well
as
the
tools
they
utilize
in
their
campaigns,”
Mandiant
researchers
said
in
a
technical
analysis.
“UNC3886
has
been
observed
targeting
firewall
and
virtualization
technologies
which
lack
EDR
support.
Their
ability
to
manipulate
firewall
firmware
and
exploit
a
zero-day
indicates
they
have
curated
a
deeper-level
of
understanding
of
such
technologies.”
It’s
worth
noting
that
the
adversary
was
previously
tied
to
another
intrusion
set
targeting
VMware
ESXi
and
Linux
vCenter
servers
as
part
of
a
hyperjacking
campaign
designed
to
drop
backdoors
such
as
VIRTUALPITA
and
VIRTUALPIE.
The
latest
disclosure
from
Mandiant
comes
as
Fortinet
revealed
that
government
entities
and
large
organizations
were
victimized
by
an
unidentified
threat
actor
by
leveraging
a
zero-day
bug
in
Fortinet
FortiOS
software
to
result
in
data
loss
and
OS
and
file
corruption.
The
vulnerability,
tracked
as
CVE-2022-41328
(CVSS
score:
6.5),
concerns
a
path
traversal
bug
in
FortiOS
that
could
lead
to
arbitrary
code
execution.
It
was
patched
by
Fortinet
on
March
7,
2023.
According
to
Mandiant,
the
attacks
mounted
by
UNC3886
targeted
Fortinet’s
FortiGate,
FortiManager,
and
FortiAnalyzer
appliances
to
deploy
two
different
implants
such
as
THINCRUST
and
CASTLETAP.
This,
in
turn,
was
made
possible
owing
to
the
fact
that
the
FortiManager
device
was
exposed
to
the
internet.
THINCRUST
is
a
Python
backdoor
capable
of
executing
arbitrary
commands
as
well
as
reading
and
writing
from
and
to
files
on
disk.
The
persistence
afforded
by
THINCRUST
is
subsequently
leveraged
to
deliver
FortiManager
scripts
that
weaponize
the
FortiOS
path
traversal
flaw
to
overwrite
legitimate
files
and
modify
firmware
images.
This
includes
a
newly
added
payload
called
“/bin/fgfm”
(referred
to
as
CASTLETAP)
that
beacons
out
to
an
actor-controlled
server
so
as
to
accept
incoming
instructions
that
allow
it
to
run
commands,
fetch
payloads,
and
exfiltrate
data
from
the
compromised
host.
“Once
CASTLETAP
was
deployed
to
the
FortiGate
firewalls,
the
threat
actor
connected
to
ESXi
and
vCenter
machines,”
the
researchers
explained.
“The
threat
actor
deployed
VIRTUALPITA
and
VIRTUALPIE
to
establish
persistence,
allowing
for
continued
access
to
the
hypervisors
and
the
guest
machines.”
Alternatively,
on
FortiManager
devices
that
implement
internet
access
restrictions,
the
threat
actor
is
said
to
have
pivoted
from
a
FortiGate
firewall
compromised
with
CASTLETAP
to
drop
a
reverse
shell
backdoor
named
REPTILE
(“/bin/klogd”)
on
the
network
management
system
to
regain
access.
WEBINAR
Discover
the
Hidden
Dangers
of
Third-Party
SaaS
Apps
Are
you
aware
of
the
risks
associated
with
third-party
app
access
to
your
company’s
SaaS
apps?
Join
our
webinar
to
learn
about
the
types
of
permissions
being
granted
and
how
to
minimize
risk.
Also
employed
by
UNC3886
at
this
stage
is
a
utility
dubbed
TABLEFLIP,
a
network
traffic
redirection
software
to
connect
directly
to
the
FortiManager
device
regardless
of
the
access-control
list
(ACL)
rules
put
in
place.
This
is
far
from
the
first
time
Chinese
adversarial
collectives
have
targeted
networking
equipment
to
distribute
bespoke
malware,
with
recent
attacks
taking
advantage
of
other
vulnerabilities
in
Fortinet
and
SonicWall
devices.
The
revelation
also
comes
as
threat
actors
are
developing
and
deploying
exploits
faster
than
ever
before,
with
as
many
as
28
vulnerabilities
exploited
within
seven
days
of
public
disclosure
—
a
12%
rise
over
2021
and
an
87%
rise
over
2020,
according
to
Rapid7.
This
is
also
significant,
not
least
because
China-aligned
hacking
crews
have
become
“particularly
proficient”
at
exploiting
zero-day
vulnerabilities
and
deploying
custom
malware
to
steal
user
credentials
and
maintain
long-term
access
to
target
networks.
“The
activity
[…]
is
further
evidence
that
advanced
cyber
espionage
threat
actors
are
taking
advantage
of
any
technology
available
to
persist
and
traverse
a
target
environment,
especially
those
technologies
that
do
not
support
EDR
solutions,”
Mandiant
said.
About Author
