Suspected China-linked hackers exploit Fortinet zero-day in spying campaign
A suspected state-sponsored hacking group based in China has exploited zero-day vulnerabilities and deployed custom malware to spy on defense, government, tech, and telecom organizations, according to a new report.
Cybersecurity firm Mandiant said it investigated “dozens of intrusions” in recent years where China-linked groups have used these techniques to steal user credentials and maintain long-term access to the victims’ devices.
One group — tracked by Mandiant as UNC3886 — was observed in several attacks in mid-2022 targeting network security systems, firewalls, and virtualization technologies that enable computers to run multiple operating systems and applications simultaneously.
The group used backdoors on Fortinet and VMware systems to attack victims’ devices. Mandiant’s Chief Technical Officer Charles Carmakal told The Record that researchers have identified nearly 10 victims across the defense, technology, and telecom industries in the U.S., Europe, and Asia that were impacted by the attacks.
According to a joint investigation from Mandiant and Fortinet, hackers deployed their malware across multiple Fortinet systems.
The hacking group initially accessed Fortinet’s centralized management device, FortiManager – which is accessible from the internet – before exploiting the CVE-2022-41328 zero-day vulnerability. The high-severity bug was discovered and patched by Fortinet earlier in March, and allows hackers to execute malicious code and deploy malware payloads on unpatched FortiGate firewall devices.
Researchers traced the attack to China based on victim selection and the use of techniques and malware previously employed by China-affiliated hackers. The UNC3886 group is associated with a novel malware framework, which was disclosed by Mandiant in September 2022.
This malware impacted network devices such as VMware ESXi, Linux vCenter servers, and Windows virtual machines.
This is the second Fortinet bug suspected to be exploited by China-linked hackers that the company has jointly discovered with Mandiant. In January, Mandiant warned of another attack targeting Fortinet’s firewall software, which it attributed to a Chinese group unrelated to UNC3886.
Mandiant called UNC3886 “an advanced cyber espionage group with unique capabilities.” In the recent attack, the group employed various techniques to avoid detection, according to Brad Slaybaugh, Mandiant's principal consultant.
For example, they tampered with a genuine system file to disable digital signature verification checks during system startup. They also turned off logging services and history files and selectively erased log entries linked to their activity, Slaybaugh told The Record.
Their recent activity highlights how exposed internet-facing systems such as firewalls, smart devices and VPN appliances are to cyberattacks, the company said, because those platforms generally cannot run endpoint detection and response (EDR) security software.
“As EDR solutions improve malware detection efficacy on Windows systems, certain state-sponsored threat actors have shifted to developing and deploying malware on systems that do not generally support EDR,” Mandiant wrote in its September report.
Such incidents are harder to investigate, according to Mandiant, because many network devices don't have tools to detect changes made to the operating system while it's running. To get evidence, investigators may need to ask the manufacturer for help collecting images of the system.
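The two evasion steps described above (a tampered system file that disables signature checks, and selectively erased log entries) and the investigation approach Mandiant describes (comparing a collected device image against what the manufacturer can supply) can be checked offline once an image is in hand. The script below is an added illustration, not code from the article, Mandiant, or Fortinet: it diffs a collected file tree against a known-good manifest and flags gaps in a monotonically numbered log. The file contents, manifest, and the `seq=` log format are constructed for the example and do not represent any vendor's real firmware layout or log schema.

```python
"""Offline triage of a collected appliance image (constructed example).

Check 1: compare file hashes against a known-good manifest to surface
         modified, missing and unexpected files (a tampered init binary).
Check 2: look for holes in a sequence-numbered log, which is what
         selective deletion of entries leaves behind.
"""
import hashlib
from typing import Dict, List, Tuple


def sha256(data: bytes) -> str:
    """Hex SHA-256 of a file's contents."""
    return hashlib.sha256(data).hexdigest()


# Constructed "vendor image": path -> contents of the pristine file.
GOOD_FILES: Dict[str, bytes] = {
    "/bin/init": b"init v1 verify-signatures=on",
    "/bin/sshd": b"sshd v1",
    "/bin/login": b"login v1",
}
# Known-good manifest derived from the vendor image (path -> sha256).
BASELINE: Dict[str, str] = {p: sha256(c) for p, c in GOOD_FILES.items()}

# Constructed "collected image": init altered to skip signature checks,
# login removed, and an unexpected shared object dropped in.
COLLECTED: Dict[str, bytes] = {
    "/bin/init": b"init v1 verify-signatures=off",
    "/bin/sshd": b"sshd v1",
    "/lib/libx.so": b"unexpected payload",
}


def diff_image(baseline: Dict[str, str],
               collected: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Classify every path as modified, missing or added relative to the manifest."""
    modified = sorted(p for p in baseline
                      if p in collected and sha256(collected[p]) != baseline[p])
    missing = sorted(p for p in baseline if p not in collected)
    added = sorted(p for p in collected if p not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


# Constructed log lines; "seq=" is a per-line counter in this toy format.
LOG_LINES: List[str] = [
    "seq=1001 time=10:00:01 action=login user=admin",
    "seq=1002 time=10:00:05 action=config-change",
    "seq=1006 time=10:04:30 action=login user=admin",
    "seq=1007 time=10:04:31 action=logout",
]


def parse_seq(line: str) -> int:
    """Extract the integer after 'seq=' from one log line."""
    for token in line.split():
        if token.startswith("seq="):
            return int(token[len("seq="):])
    raise ValueError(f"no seq field in line: {line!r}")


def find_log_gaps(lines: List[str]) -> List[Tuple[int, int]]:
    """Return (first_missing, last_missing) ranges where the counter skips."""
    seqs = [parse_seq(line) for line in lines]
    gaps = []
    for prev, cur in zip(seqs, seqs[1:]):
        if cur != prev + 1:
            gaps.append((prev + 1, cur - 1))
    return gaps


if __name__ == "__main__":
    for kind, paths in diff_image(BASELINE, COLLECTED).items():
        print(f"{kind}: {paths}")
    print("log gaps:", find_log_gaps(LOG_LINES))
```

A gap in the counter is evidence of deletion, not of what was deleted; the surrounding timestamps narrow the window, and the modified-file list tells the investigator which binaries to pull apart first.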
While the technique used by UNC3886 "requires a deeper level of understanding" of how network devices operate, Mandiant predicted that other threat actors will try to build similar tools for future attacks.
Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.