Mar 18, 2023 | Ravie Lakshmanan | Network Security / Cyber Espionage
The zero-day exploitation of a now-patched medium-severity security flaw in the Fortinet FortiOS operating system has been linked to a suspected Chinese hacking group.
Threat intelligence firm Mandiant, which made the attribution, said the activity cluster is part of a broader campaign designed to deploy backdoors onto Fortinet and VMware solutions and maintain persistent access to victim environments.
The Google-owned threat intelligence and incident response firm is tracking the malicious operation under its uncategorized moniker UNC3886, a China-nexus threat actor.
“UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns,” Mandiant researchers said in a technical analysis.
“UNC3886 has been observed targeting firewall and virtualization technologies which lack EDR support. Their ability to manipulate firewall firmware and exploit a zero-day indicates they have curated a deeper-level of understanding of such technologies.”
It’s worth noting that the adversary was previously tied to another intrusion set targeting VMware ESXi and Linux vCenter servers as part of a hyperjacking campaign designed to drop backdoors such as VIRTUALPITA and VIRTUALPIE.
The latest disclosure from Mandiant comes as Fortinet revealed that an unidentified threat actor exploited a zero-day bug in Fortinet FortiOS software against government entities and large organizations, resulting in data loss and OS and file corruption.
The vulnerability, tracked as CVE-2022-41328 (CVSS score: 6.5), concerns a path traversal bug in FortiOS that could lead to