Safety researchers from Mandiant attributed the operation of the correctly vulnerability of the zero operating system in the Fortinet Fortios of the Chinese hacker hacker. Group.
Mandiant said that activity is part of a wider campaign aimed at deploying backdors in Fortinet and VMware solutions and maintaining constant access to the victims.
The company’s specialists call the UnC3886 group, connecting it with China. According to Mandiant, the Unc3886 attacks are aimed at the Fortigate, Fortimanager and Fortianalyzer solutions for the deployment of two Thincrust and Castletap implants. Corproduction was obtained due to the fact that the Fortimanager device was connected to the Internet.
A chain of infection unc3886
Thincrust is a backdor written on Python and capable of performing arbitrary commands, as well as read and write files on the disk. Backdor establishes constancy, which is then used to deliver Fortimanager scripts. Scenarios, in turn, use the vulnerability of the Fortios track to rewrite legitimate files and changes the images of the built -in software.
At this moment, the payload of Castletap is delivered, which sends the lighthouse to the attacker’s server to create a channel for launching commands, extracting payload and exploitation of data from a compromised system.
After Castletap was deployed on Fortigate firewalls, hackers connected to the computers of ESXI and Vcenter, and then turned their VirtualPita and VirtualPie backdors to establish constant access to hypervisers and guest machines.
On Fortimanager devices that limit the Internet access, cybercriminals dropped a Backdor with a reverse engineering function called REPTILE into a local network control system (NMS) to restore access.
At this stage, the UnC3886 also uses the TableFlip utility to redirect network traffic to directly connect to the Fortimanager device, regardless of the established rules for access control (ACL).
On March 7, Fortinet released updates for the security system to eliminate the critical vulnerability under the identifier CVE-2022-41328. It allowed the attackers remotely execute an unauthorized code in the target system.
The investigation of the increased number of attacks showed that the attackers modified the image of the firmware for starting the payload directly during systemic initialization. Malicious software could also be used to steal data, uploading and recording files, or opening remote shells.