Chinese Hacking Group Linked to Zero-Day Exploitation of Fortinet FortiOS Security Flaw

Threat intelligence firm Mandiant has attributed the zero-day exploitation of a medium-severity security flaw in the Fortinet FortiOS operating system to a suspected Chinese hacking group.


The exploitation is part of a broader campaign, attributed to a group that Mandiant (owned by Google) tracks as UNC3886, to deploy backdoors on Fortinet and VMware products and maintain persistent access to victim environments. Mandiant researchers note that the group has unique capabilities in how it operates on-network and in the tools it uses in its campaigns.


UNC3886: An Advanced Cyber Espionage Group

Mandiant describes UNC3886 as an advanced cyber espionage group with deep knowledge of firewall and virtualization technologies. The group deliberately targets these platforms because they lack EDR support, so host-based telemetry that would normally expose an implant is absent. Its ability to manipulate firewall firmware and exploit zero-day vulnerabilities indicates a deep understanding of how these appliances work internally.

Exploitation of Fortinet and VMware Solutions

According to Mandiant, the attacks targeted Fortinet's FortiGate, FortiManager, and FortiAnalyzer appliances to deploy two implants, THINCRUST and CASTLETAP. Initial access was possible because a FortiManager device was exposed to the internet; restricting management-plane reachability to trusted networks removes that foothold.


Vulnerability Patched by Fortinet

Fortinet patched the vulnerability, tracked as CVE-2022-41328 (CVSS score: 6.5), on March 7, 2023. It is a path traversal bug in FortiOS that can lead to arbitrary code execution. At the time of the patch, the in-the-wild exploitation was attributed only to an unidentified threat actor who had used the zero-day against government entities and large organizations, resulting in data loss and OS and file corruption.
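The page does not publish how CVE-2022-41328 is triggered, so the following is an added, generic illustration of the path traversal bug class the advisory names, written for this article rather than taken from FortiOS or from Mandiant's report. The base directory, file names and request paths are invented; the point is the difference between a naive join and a resolve-then-verify check.

```python
import posixpath

# Constructed example: a tiny file-serving helper illustrating the path
# traversal bug class that CVE-2022-41328 belongs to. Not FortiOS code; the
# directory and request paths below are invented for the demo.
BASE_DIR = "/data/exports"  # hypothetical directory the service may serve from


def vulnerable_resolve(user_path: str) -> str:
    """Naive join: trusts the caller, so '../' or an absolute path escapes BASE_DIR."""
    return posixpath.normpath(posixpath.join(BASE_DIR, user_path))


def hardened_resolve(user_path: str) -> str:
    """Canonicalise lexically, then verify the result is still under BASE_DIR."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    # Drop leading '/' so an absolute path cannot replace BASE_DIR outright,
    # then normalise so '..' segments are collapsed before the prefix check.
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, user_path.lstrip("/")))
    # Compare against BASE_DIR + '/' so a sibling such as '/data/exports2' is rejected.
    if candidate != BASE_DIR and not candidate.startswith(BASE_DIR + "/"):
        raise ValueError(f"path traversal rejected: {user_path!r}")
    return candidate


def is_safe(user_path: str) -> bool:
    """Convenience wrapper returning True when hardened_resolve accepts the path."""
    try:
        hardened_resolve(user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed request paths: one benign, two classic traversal attempts.
    for req in ("reports/q1.txt", "../../bin/ls", "/etc/passwd"):
        print(f"{req!r:20} naive -> {vulnerable_resolve(req):28} safe? {is_safe(req)}")
```

The check is purely lexical, which is enough to show the bug class but not a complete defence: if anything under the base directory is a symlink, the resolved path can still leave it, so production code should resolve with `os.path.realpath` against an existing base and compare the real paths. URL-decoding must also happen before the check, otherwise an encoded `..%2f` passes the prefix test and is decoded later by the file layer.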
