March 20, 2023updated 24 Mar 2023 1:39pm

Chinese cybercriminals exploiting Fortinet vulnerability – Google Mandiant

The gang uses a wide range of techniques to access networks and has operated under the radar for months, research says.

By Claudia Glover

Chinese hackers have breached US government departments and telecoms companies, new research suggests. Google’s Mandiant cybersecurity division has released a report on the group’s techniques and procedures, which reveals that it uses a vulnerability in Fortinet software as part of its current campaign. The group is highly sophisticated and can reportedly remain within a network undetected for extended periods.

Mandiant has uncovered a Chinese hacking gang which has penetrated US government networks (photo by Rafapress/Shutterstock)

The group, tracked by Mandiant as UNC3886, has struck twice in the past six months: in September it was found deploying malware on VMware ESXi hypervisors belonging to the same kind of victims.

Chinese cyberespionage gang’s tactics uncovered by Google Mandiant

Security teams at Mandiant and Fortinet, which makes a range of tools for enterprise networks, have released warnings about UNC3886, calling it an advanced cyberespionage group with unique capabilities in how it operates. It has been observed targeting firewalls, manipulating firmware and using zero-day exploits, as well as exploiting virtualisation technology.

“They have curated a deeper level of understanding of such technologies,” Mandiant says. “This activity is further evidence that advanced cyber espionage threat actors are taking advantage of any technology available to persist and traverse a target environment.”

The campaign discovered by Mandiant exploited a now-patched vulnerability in Fortinet’s FortiOS, but the flaw was used to keep access to US government infrastructure rather than to obtain it. The “suspected Chinese nexus actor likely already had access to victim environments, and then deployed backdoors onto Fortinet and VMware solutions as a means of maintaining persistent access to the environments,” Mandiant says.

How did the gang exploit Fortinet software?

Researchers say UNC3886 used a local directory traversal zero-day in FortiOS (CVE-2022-41328) to write files to FortiGate firewall disks outside the bounds normally permitted from shell access.

The hackers then maintained persistent access with super-administrator privileges on FortiGate firewalls through ICMP port knocking: the backdoor does not listen on a TCP or UDP port, so it is invisible to a port scan and is only activated by specially crafted ICMP packets. Next, they circumvented firewall rules active on FortiManager devices with a passive traffic redirection utility, enabling continued connections to persistent backdoors with super-administrator privileges.


Once these backdoors were in place, the gang established persistence on FortiManager and FortiAnalyzer devices through a custom API endpoint created on the device, and then disabled the OpenSSL 1.1.0 digital signature verification of system files through targeted corruption of boot files. With that check gone, tampered system files pass the device’s own integrity validation, so a compromised appliance can no longer be trusted to report on itself.
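The ICMP port-knocking pattern described above leaves almost no footprint on the firewall itself, but the knock packets still cross the network. The following is an added example of detection logic, not code from Mandiant or Fortinet: it parses raw ICMP echo requests, discards packets with bad checksums, and flags sources whose echo payloads carry an activation marker. The marker string, the hosts and the packets are all constructed for the example; the real backdoor’s trigger format is not published on this page.

```python
"""Detect ICMP "port knocking" style activation packets in captured traffic.

Added example, not code from Mandiant, Fortinet or the threat actor. The
knock format (a magic prefix in the ICMP echo payload) is a hypothetical
illustration of the technique, not a real UNC3886 indicator.
"""
import struct
from collections import defaultdict

# Hypothetical activation marker; a real backdoor uses its own format.
KNOCK_MAGIC = b"KNOCK!"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words (odd length padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request (type 8, code 0) with a valid checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_icmp(pkt: bytes):
    """Parse an ICMP packet; return None if truncated or the checksum fails."""
    if len(pkt) < 8:
        return None
    itype, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    # A packet with a correct checksum sums to zero when re-checksummed.
    if icmp_checksum(pkt) != 0:
        return None
    return {"type": itype, "code": code, "id": ident, "seq": seq, "payload": pkt[8:]}


def find_knocks(events):
    """events: iterable of (timestamp, source_ip, raw_icmp_bytes).

    Returns {source_ip: [(timestamp, seq), ...]} for every valid echo request
    whose payload starts with KNOCK_MAGIC.
    """
    hits = defaultdict(list)
    for ts, src, raw in events:
        p = parse_icmp(raw)
        if p is None or p["type"] != 8 or p["code"] != 0:
            continue
        if p["payload"].startswith(KNOCK_MAGIC):
            hits[src].append((ts, p["seq"]))
    return dict(hits)


def knock_sources(events, min_knocks=2, window=60.0):
    """Sources that sent at least min_knocks marked echo requests within window seconds."""
    flagged = set()
    for src, hits in find_knocks(events).items():
        stamps = sorted(t for t, _ in hits)
        for i, start in enumerate(stamps):
            if sum(1 for t in stamps[i:] if t - start <= window) >= min_knocks:
                flagged.add(src)
                break
    return sorted(flagged)


def sample_events():
    """Constructed sample traffic (not captured data): (timestamp, source, raw ICMP)."""
    normal = build_echo_request(0x0001, 1, bytes(range(0x10, 0x30)))  # ordinary ping
    knock1 = build_echo_request(0x1337, 1, KNOCK_MAGIC + b"open")
    knock2 = build_echo_request(0x1337, 2, KNOCK_MAGIC + b"open")
    damaged = knock2[:-1] + bytes([knock2[-1] ^ 0xFF])  # corrupted: bad checksum
    return [
        (100.0, "10.0.0.5", normal),
        (101.0, "10.0.0.9", knock1),
        (102.0, "10.0.0.9", knock2),
        (103.0, "10.0.0.9", damaged),
    ]


if __name__ == "__main__":
    for src, hits in find_knocks(sample_events()).items():
        print(f"{src}: {len(hits)} knock packet(s) {hits}")
    print("flagged:", knock_sources(sample_events()))
```

In a real deployment the events would come from a packet capture or a sensor export rather than the constructed list; the checksum check matters because damaged or replayed packets should not inflate the count, and the windowed threshold keeps a single stray match from paging anyone.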

The same group was behind an attack last year. A previous Mandiant report, released in September, explained that “certain state-sponsored threat actors have shifted to developing and deploying malware on systems that do not generally support EDR such as network appliances, SAN arrays, and VMware ESXi servers.”

The novel malware ecosystem affected VMware ESXi, Linux vCenter servers and Windows virtual machines, enabling a threat actor to maintain persistent administrative access to the hypervisor and to send commands to the hypervisor that are routed to a guest VM for execution.

The gang could then transfer files between the ESXi hypervisor and the guest machines running on it, tamper with logging services on the hypervisor, and execute arbitrary commands from one guest VM on another guest VM running on the same hypervisor.

Chinese cybercriminals could do damage

The techniques used by UNC3886 require a deeper level of understanding of the targeted platforms, notes Mandiant, which recommends that organisations running ESXi and the wider VMware infrastructure suite follow its guidelines to harden their systems against such an attack.

Such a high level of access by foreign governments could have worrying consequences, says Bogdan Botezatu, director of threat research and reporting at Bitdefender. “Infiltration in a government agency network or endpoint has significant consequences for national security,” Botezatu says. “Depending on the target, the threat actor might be able to harvest confidential or classified documents, intellectual property such as blueprints, plans, and military or strategic intelligence.”

The most common intrusion tactics are exploitation of unpatched vulnerabilities in infrastructure, he continued. “Spear phishing or watering hole attacks are used a lot to compromise a victim or a group of victims within the target organization,” Botezatu adds. “While mitigations exist, state-sponsored threat actors are extremely motivated and have research and development budgets to either identify or buy zero-day vulnerabilities in the targeted software or hardware.” 

