Mandiant, the threat intelligence firm, has linked the zero-day exploitation of a medium-severity security flaw in the Fortinet FortiOS operating system to a suspected Chinese hacking group.
The attack is part of a broader campaign to deploy backdoors onto Fortinet and VMware solutions and maintain persistent access to victim environments. Mandiant is tracking the malicious operation under the moniker UNC3886, a China-nexus threat actor.
According to Mandiant, UNC3886 is an advanced cyber espionage group with unusual capabilities in how it operates on-network and in the tools it uses in its campaigns. It has developed a deep understanding of technologies such as firewalls and virtualization platforms, which lack EDR support.
Fortinet revealed that government entities and large organizations were victimized by an unidentified threat actor that leveraged a zero-day bug in Fortinet FortiOS software, resulting in data loss and OS and file corruption. The vulnerability, tracked as CVE-2022-41328 (CVSS score: 6.5), is a path traversal bug in FortiOS that could lead to arbitrary code execution. It was patched by Fortinet on March 7, 2023.
Mandiant discovered that the attacks mounted by UNC3886 targeted Fortinet's FortiGate, FortiManager, and FortiAnalyzer appliances to deploy two implants, THINCRUST and CASTLETAP.
This was made possible because the FortiManager device was exposed to the internet. THINCRUST is a Python backdoor capable of executing arbitrary commands and reading and writing files on disk.
The persistence afforded by THINCRUST is leveraged to deliver FortiManager scripts that weaponize the FortiOS path traversal flaw to overwrite legitimate files and modify firmware images.
This includes a newly added payload called “/bin/fgfm” (referred to as CASTLETAP) that beacons out to an actor-controlled server, allowing it to run commands, fetch payloads, and exfiltrate data from the compromised host.
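The flaw described above belongs to the path traversal class: a file name supplied by the caller is joined onto a base directory and trusted, so `..` segments (or an absolute path) let the caller write outside the intended directory. The following is an added illustration of that class and of a lexical check against it, written for this article; it is not FortiOS code, not Mandiant's tooling, and the `/var/uploads` root and the request log lines are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed example base directory; not a FortiOS path.
UPLOAD_ROOT = "/var/uploads"


def resolve_unsafe(root: str, user_path: str) -> str:
    """The vulnerable pattern: join caller input onto a base directory and
    trust the result. '..' segments and absolute inputs both escape root."""
    return posixpath.join(root, user_path)


def resolve_safe(root: str, user_path: str) -> str:
    """Hardened form: percent-decode, normalise, and refuse any result that is
    not strictly inside root. Raises ValueError on traversal.

    This is a purely lexical check. Code that touches a real filesystem should
    additionally canonicalise with os.path.realpath so that a symlink inside
    root cannot point back out of it (assumed absent here)."""
    decoded = unquote(user_path)
    if decoded.startswith("/") or "\x00" in decoded:
        raise ValueError(f"rejected absolute or NUL-bearing path: {user_path!r}")
    base = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    # Prefix check uses base + "/" so that "/var/uploads2/x" is not accepted.
    if candidate != base and not candidate.startswith(base + "/"):
        raise ValueError(f"path escapes {base}: {user_path!r} -> {candidate}")
    return candidate


def is_traversal(root: str, user_path: str) -> bool:
    """True when the hardened resolver would reject the input."""
    try:
        resolve_safe(root, user_path)
        return False
    except ValueError:
        return True


# Constructed request log lines (not real FortiOS or Mandiant data), in the
# form "<method> <file-argument>" as a management API might log them.
SAMPLE_REQUESTS = [
    "PUT reports/2023-03.log",
    "PUT ../../bin/fgfm",
    "GET %2e%2e/%2e%2e/etc/shadow",
    "PUT firmware/../../../etc/config.bak",
    "GET images/../images/fw.out",
]


def flag_traversals(lines):
    """Return the request lines whose file argument escapes UPLOAD_ROOT."""
    flagged = []
    for line in lines:
        _, _, arg = line.partition(" ")
        if is_traversal(UPLOAD_ROOT, arg):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        verdict = "TRAVERSAL" if line in flag_traversals([line]) else "ok"
        print(f"{verdict:9} {line}")
```

The second sample line shows why the naive join is dangerous: `resolve_unsafe` happily returns `/var/uploads/../../bin/fgfm`, which the operating system resolves to `/bin/fgfm`, the same location the article names for the CASTLETAP payload. The hardened resolver rejects it, rejects the percent-encoded variant, and still accepts `images/../images/fw.out` because that normalises to a path inside the root.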
UNC3886 is also using a utility dubbed TABLEFLIP, a network traffic redirection tool, to connect directly to the FortiManager device regardless of the access-control list (ACL) rules put in place.
This is not the first time Chinese adversarial collectives have targeted networking equipment to distribute bespoke malware. The revelation comes as threat actors are developing and deploying exploits faster than ever before, with as many as 28 vulnerabilities exploited within seven days of public disclosure, according to Rapid7.