A medium-severity security vulnerability in Fortinet FortiOS has been exploited in a zero-day attack, with a suspected Chinese hacking group behind the operation. Threat intelligence company Mandiant linked the activity to a broader campaign aiming to deploy backdoors in Fortinet and VMware solutions for persistent access to targeted environments. The firm tracks the threat actor behind this operation as UNC3886, an advanced cyber-espionage group with Chinese connections.
Mandiant researchers observed UNC3886 targeting firewall and virtualization technologies lacking EDR support, demonstrating a deeper understanding of these technologies. The group has previously been connected to intrusions targeting VMware ESXi and Linux vCenter servers in a hyperjacking campaign that deployed backdoors like VIRTUALPITA and VIRTUALPIE.
This report comes as Fortinet discloses that government entities and large organizations fell victim to an unidentified threat actor exploiting a zero-day bug in Fortinet FortiOS software, resulting in data loss and OS and file corruption. The vulnerability, tracked as CVE-2022-41328 with a CVSS score of 6.5, is a path traversal bug in FortiOS that could enable arbitrary code execution. Fortinet patched the issue on March 7, 2023.
Mandiant found that UNC3886’s attacks targeted Fortinet’s FortiGate, FortiManager, and FortiAnalyzer appliances to deploy two different implants, THINCRUST and CASTLETAP. This was possible because the FortiManager device was exposed to the internet.
THINCRUST is a Python backdoor that can execute arbitrary commands and read and write files on disk. The threat actor uses the persistent access it provides to deliver FortiManager scripts that weaponize the FortiOS path traversal flaw, overwriting legitimate files and modifying firmware images. Among the files written is a new payload called “/bin/fgfm” (CASTLETAP), which communicates with an actor-controlled server to receive instructions, run commands, fetch payloads, and exfiltrate data.
After deploying CASTLETAP to FortiGate firewalls, the threat actor connected to ESXi and vCenter machines to establish persistence using VIRTUALPITA and VIRTUALPIE. In cases where FortiManager devices had internet access restrictions, the attacker pivoted from a compromised FortiGate firewall with CASTLETAP to drop a reverse shell backdoor called REPTILE (“/bin/klogd”) on the network management system.
UNC3886 also used a utility called TABLEFLIP to connect directly to the FortiManager device, bypassing access-control list (ACL) rules. This is not the first instance of Chinese hacking groups targeting networking equipment to distribute custom malware, with recent attacks exploiting vulnerabilities in Fortinet and SonicWall devices.
The speed at which threat actors develop and deploy exploits has increased, with 28 vulnerabilities exploited within seven days of public disclosure, marking a 12% rise over 2021 and an 87% rise over 2020. China-aligned hacking groups have become highly skilled at exploiting zero-day vulnerabilities and deploying custom malware to steal credentials and maintain long-term access to targeted networks. Mandiant warns that this activity is evidence of advanced cyber-espionage threat actors utilizing any available technology to persist and navigate target environments, especially those without EDR solutions.