Suspected Chinese spies have exploited a critical Fortinet bug, and used custom networking malware to steal credentials and maintain network access, according to Mandiant security researchers.
Fortinet fixed the path traversal vulnerability in FortiOS, tracked as CVE-2022-41328, earlier this month. So get patching, if you haven’t already.
A few days later, the vendor released a more detailed analysis. It indicated that miscreants were using the flaw in an attempt to attack large organizations, steal their data, and cause OS or file corruption: “The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets.”
And in a much more detailed report published today, Mandiant pinned the blame on Chinese hackers, who combined the (then) FortiOS zero day with “multiple” bespoke malware families.
Additionally, this same group of miscreants – Mandiant tracks the group as UNC3886 – was behind cyber espionage attacks that targeted VMware ESXi hypervisors last year, according to the Google-owned threat intel firm.
While the security researchers suspect the group is stealing credentials and sensitive data to support Beijing’s goals, no official attribution has been made.
Just a hop, skip and a jump from VMware
At the time of the VMware ESXi hypervisor compromises, Mandiant’s threat hunters spotted UNC3886 directly connect from FortiGate and FortiManager devices to a custom-built backdoor called VIRTUALPITA “on multiple occasions,” according to the research posted today.
“Mandiant suspected the FortiGate and FortiManager devices were compromised due to the connections to VIRTUALPITA from the Fortinet