Chinese cybercriminals have breached US government departments and telecoms companies, new research suggests. Google’s Mandiant cybersecurity division has released a report on the hackers’ techniques and procedures, which reveals that the group uses a vulnerability in Fortinet software as part of its current campaign. The gang is highly sophisticated and can reportedly remain within a system undetected for years.
The criminal gang, dubbed UNC3886 by Mandiant, has struck twice in the past six months, having previously used a VMware vulnerability to target the same victims in September.
Chinese cyberespionage gang’s tactics uncovered by Google Mandiant
Security teams at Mandiant and Fortinet, which makes a range of tools for enterprise networks, have released warnings about UNC3886, calling it an advanced cyberespionage group with unique capabilities in how it operates. It has been observed targeting firewalls, manipulating firmware and utilising zero-day exploits, as well as using vulnerabilities in virtualisation technology.
“They have curated a deeper level of understanding of such technologies,” Mandiant says. “This activity is further evidence that advanced cyber espionage threat actors are taking advantage of any technology available to persist and traverse a target environment.”
The campaign discovered by Mandiant was exploiting a now-patched vulnerability in the Fortinet system, giving the group access to US government online infrastructure. The “suspected Chinese nexus actor likely already had access to victim environments, and then deployed backdoors onto Fortinet and VMware solutions as a means of maintaining persistent access to the environments,” Mandiant says.
How did the gang exploit Fortinet software?
Researchers say UNC3886 used a local directory traversal zero-day (CVE-2022-41328) exploit to write files to FortiGate firewall disks outside of the normal bounds allowed with shell access.
Hackers then maintained persistent access with super administrator privileges within FortiGate firewalls through ICMP port knocking. Next, they circumvented firewall rules active on FortiManager devices with a passive traffic redirection utility, enabling continued connections to persistent backdoors with super administrator privileges.
Once these backdoors were enabled, the gang established persistence on FortiManager and FortiAnalyzer devices through a custom API endpoint created within the device, subsequently disabling the OpenSSL 1.1.0 digital signature verification of system files through targeted corruption of boot files.
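The ICMP-knock-then-admin-login pattern described above is something a defender can hunt for by correlating two log streams. The following is an added example, not code from Mandiant, Fortinet or the original article: it runs a simple correlation over constructed, generic log lines (the line format, field names and addresses are assumptions, not real FortiGate output) and flags any source that sends a burst of ICMP echo requests to the firewall and then logs in as an administrator shortly afterwards.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (generic format, not real FortiGate output).
# 203.0.113.7 sends three echo requests to the firewall, then logs in as
# super_admin; 192.0.2.44 is ordinary background noise.
SAMPLE_LOGS = """\
2023-03-16T10:00:01Z icmp src=203.0.113.7 dst=198.51.100.1 type=8 len=72
2023-03-16T10:00:02Z icmp src=203.0.113.7 dst=198.51.100.1 type=8 len=96
2023-03-16T10:00:03Z icmp src=203.0.113.7 dst=198.51.100.1 type=8 len=120
2023-03-16T10:00:09Z admin-login user=super_admin src=203.0.113.7 result=success
2023-03-16T10:05:00Z icmp src=192.0.2.44 dst=198.51.100.1 type=8 len=64
2023-03-16T11:30:00Z admin-login user=ops src=192.0.2.44 result=success
"""

ICMP_RE = re.compile(r"^(\S+) icmp src=(\S+) dst=(\S+) type=8 len=(\d+)")
LOGIN_RE = re.compile(r"^(\S+) admin-login user=(\S+) src=(\S+) result=success")


def _parse_ts(text):
    # Accept a trailing "Z" on older Python versions of fromisoformat.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def find_knock_then_login(log_text, min_knocks=3, window=timedelta(seconds=60)):
    """Return (src, user, login_timestamp) tuples for every successful admin
    login preceded, within `window`, by at least `min_knocks` ICMP echo
    requests from the same source. A heuristic for triage, not a signature:
    legitimate admins who ping a device before logging in will also match,
    so treat hits as leads to review alongside session and config-change logs."""
    knocks = {}  # source address -> list of echo-request timestamps
    hits = []
    for line in log_text.splitlines():
        m = ICMP_RE.match(line)
        if m:
            knocks.setdefault(m.group(2), []).append(_parse_ts(m.group(1)))
            continue
        m = LOGIN_RE.match(line)
        if m:
            login_ts, user, src = _parse_ts(m.group(1)), m.group(2), m.group(3)
            recent = [t for t in knocks.get(src, []) if login_ts - window <= t <= login_ts]
            if len(recent) >= min_knocks:
                hits.append((src, user, m.group(1)))
    return hits


if __name__ == "__main__":
    for src, user, when in find_knock_then_login(SAMPLE_LOGS):
        print(f"review: {src} knocked then logged in as {user} at {when}")
```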
Another attack was conducted by the same gang last year. A previous Mandiant report, released in September, explained that “certain state-sponsored threat actors have shifted to developing and deploying malware on systems that do not generally support EDR such as network appliances, SAN arrays, and VMware ESXi servers.”
The novel malware ecosystem impacted VMware ESXi, Linux vCenter servers, and Windows virtual machines, enabling a threat actor to take actions such as maintaining persistent administrative access to the hypervisor and sending commands to the hypervisor that are routed to a guest VM for execution.
The gang would then transfer files between the ESXi hypervisor and the guest machines running on it, tamper with logging services on the hypervisor, and finally execute arbitrary commands from one guest VM on another guest VM running on the same hypervisor.
Chinese cybercriminals could do damage
The technique used by UNC3886 requires a deeper level of understanding, notes Mandiant, which recommends that organisations using the ESXi and VMware infrastructure suite follow its guidelines to harden their systems against such an attack.
Such a high level of access by foreign governments could have worrying consequences, according to Bogdan Botezatu, director of threat research and reporting at Bitdefender. “Infiltration in a government agency network or endpoint has significant consequences for national security,” Botezatu says. “Depending on the target, the threat actor might be able to harvest confidential or classified documents, intellectual property such as blueprints, plans, and military or strategic intelligence.”
The most common intrusion tactics are exploitation of unpatched vulnerabilities in infrastructure, he continued. “Spear phishing or watering hole attacks are used a lot to compromise a victim or a group of victims within the target organization,” Botezatu adds. “While mitigations exist, state-sponsored threat actors are extremely motivated and have research and development budgets to either identify or buy zero-day vulnerabilities in the targeted software or hardware.”