A suspected Chinese hacking group has been linked to a series of attacks against government organizations that exploit a Fortinet zero-day vulnerability (CVE-2022-41328) to deploy malware.
The security flaw allowed threat actors to deploy malware payloads by executing unauthorized code or commands on unpatched FortiGate firewall appliances, Fortinet revealed last week.
Further analysis revealed that attackers could use the malware for cyber espionage, including data exfiltration, downloading and writing files to compromised devices, or opening remote shells when receiving maliciously crafted ICMP packets.
One of the incidents was discovered when a customer’s FortiGate devices shut down with FIPS firmware integrity errors, rendering them inoperable.
Devices stopped booting to prevent network infiltration, a standard practice for FIPS-enabled systems. The firewalls had been compromised via a FortiGate CVE-2022-41328 path traversal exploit, and their simultaneous shutdown led Fortinet to suspect that the attack originated from a FortiManager device.
The company said these were highly targeted attacks against government networks and large organizations, and the attackers also displayed “advanced capabilities,” including reverse engineering the operating system of FortiGate devices.
“The attack is highly targeted, with some indication of preferred government or government-related targets,” Fortinet said.
“The exploit requires a deep understanding of FortiOS and the underlying hardware. The custom implants show that the actor has advanced capabilities, including reverse engineering of various parts of FortiOS.”
Links to Chinese cyberspies
A new report from Mandiant says the attacks occurred in mid-2022 and attributes them to a China-nexus threat group the company tracks as UNC3886.
“Recent victims of Chinese spy operators include DIB, government, telecom and technology,” Mandiant CTO Charles Carmakal said.
“Given how incredibly difficult they are to find, most organizations can’t identify them on their own. It’s not uncommon for Chinese campaigns to end up as multi-year intrusions.”
While jointly investigating the incident with Fortinet, Mandiant discovered that after breaching Fortinet’s devices, UNC3886 used them as a backdoor into victims’ networks, deploying two new malware strains to maintain access: Thincrust, a Python-based backdoor, and Castletap, a passive backdoor activated by ICMP traffic.
The threat actors initially accessed an Internet-accessible FortiManager device before exploiting the CVE-2022-41328 zero-day flaw to write files that would allow them to move laterally through the network.
After gaining persistence on FortiManager and FortiAnalyzer appliances via the Thincrust backdoor, the group used FortiManager scripts to backdoor multiple FortiGate firewalls using Castletap.
The attacker then connected to the ESXi and vCenter machines by deploying VirtualPita and VirtualPie backdoors to maintain control over compromised hypervisors and guest machines, ensuring their malicious activities went undetected.
On devices configured to restrict access from the Internet, the attackers installed a traffic redirector (Tableflip) and a passive backdoor (Reptile) after passing through FortiGate firewalls that had previously been backdoored with Castletap.
“We believe targeting these devices will continue to be the technique of choice for spy groups trying to access difficult targets,” said Ben Read, Mandiant’s head of cyber espionage analytics at Google Cloud.
“This is because they are accessible from the Internet, allowing actors to control the timing of the intrusion, and in the case of VPN devices and routers, the large number of regular incoming connections makes integration easy.”