According to cybersecurity researchers at Google-owned Mandiant, Chinese espionage actors are suspected of exploiting a critical vulnerability in Fortinet software, using custom networking malware to steal credentials and retain access to the network. The attacks were observed in mid-2022.
Critical Vulnerability in FortiOS Aiding Chinese Spies
Mandiant researchers explained that the bug is a local directory traversal zero-day vulnerability in FortiOS, tracked as CVE-2022-41328, which Fortinet patched earlier in March 2023.
Researchers believe a threat actor with links to China used the zero-day to access victim environments and deploy multiple custom malware strains on the OS, installing backdoors in Fortinet and VMware software to maintain persistence.
Which Products Are Vulnerable?
According to Mandiant’s investigation, conducted in collaboration with Fortinet, multiple Fortinet products were impacted by this vulnerability, including FortiManager, FortiGate, and FortiAnalyzer. The attackers exploit the flaw to target large organizations, steal sensitive data, and corrupt files or the OS.
“The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets.”
“The exploit requires a deep understanding of FortiOS and the underlying hardware. Custom implants show that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS,” Mandiant’s report read.
How Is It Being Exploited?
The attacker used the CVE-2022-41328 exploit to write files to FortiGate disks, which lies outside the normal limits allowed with shell access. After gaining Super Administrator privileges within the firewall via ICMP port knocking, the attacker maintained persistent access.
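The flaw class named above, a directory traversal that lets a caller write outside the area it is supposed to be confined to, comes down to one missing check. The following is an added example, not code from the article, Mandiant or Fortinet, and it says nothing about how FortiOS itself is implemented: it places a hypothetical vulnerable path-join beside the hardened version, using a constructed root directory under the system temp folder. The root does not need to exist for the check to work.

```python
"""Added example: the missing containment check behind a directory
traversal bug. Paths and the allowed root are constructed for illustration
and are not taken from any real product."""
import os
import tempfile

# Hypothetical "allowed" root; constructed for the demo, never created on disk.
ALLOWED_ROOT = os.path.join(tempfile.gettempdir(), "traversal_demo_root")


def unsafe_resolve(root: str, user_path: str) -> str:
    """Vulnerable pattern: join the caller-supplied path under root and
    trust the result. '..' segments walk out of root, and an absolute
    user_path makes os.path.join discard root entirely."""
    return os.path.join(root, user_path)


def safe_resolve(root: str, user_path: str) -> str:
    """Hardened pattern: canonicalise both sides (collapsing '..' and
    resolving symlinks) and refuse anything that does not stay under root."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    # commonpath of [root, candidate] equals root only when candidate is inside it.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"path escapes allowed root: {user_path!r}")
    return candidate


def escapes_root(root: str, user_path: str) -> bool:
    """Audit helper: True when the unsafe join would land outside root.
    Useful for reviewing a list of observed paths against an allowed area."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(unsafe_resolve(root, user_path))
    return os.path.commonpath([root_real, target]) != root_real


def demo() -> dict:
    """Run constructed inputs through both resolvers and report the outcome."""
    inputs = ["logs/app.log", "../../etc/passwd", "/etc/passwd", "a/../b/c.txt"]
    result = {}
    for p in inputs:
        try:
            safe_resolve(ALLOWED_ROOT, p)
            accepted = True
        except PermissionError:
            accepted = False
        result[p] = {"unsafe_escapes": escapes_root(ALLOWED_ROOT, p),
                     "safe_accepts": accepted}
    return result


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{path:20} unsafe_escapes={verdict['unsafe_escapes']} "
              f"safe_accepts={verdict['safe_accepts']}")
```

The check must run on the canonical path, after `..` and symlinks are resolved, and the comparison must be a path-component comparison rather than a string prefix test, otherwise a root of `/data` would wrongly accept `/data2/x`.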
They also circumvented active firewall rules on FortiManager devices with a passive traffic redirection utility. This allowed the attacker to establish a continuous connection to persistent backdoors with Super Admin privileges.
Using a custom API endpoint created on the targeted device, the attacker established persistence on FortiAnalyzer and FortiManager devices. The attacker can also disable OpenSSL 1.1.0 digital signature verification of system files by corrupting boot files.
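When an attacker can corrupt boot files so that the device's own signature verification no longer runs, the remaining defence is an integrity baseline kept off the device and checked against it. The following is an added example, not code from the article, Mandiant or Fortinet: it builds a SHA-256 manifest of a constructed sample file tree, then re-scans after the tree has been tampered with and reports modified, missing and added files. The file names and contents are invented for the demo.

```python
"""Added example: off-box file integrity check. Builds a SHA-256 manifest of
a directory tree and later diffs the live tree against it. The sample files
are constructed in a temp directory and are not real system files."""
import hashlib
import os
import tempfile


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """Hash a file in chunks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (as a root-relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_manifest(root: str, baseline: dict) -> dict:
    """Diff the live tree against a baseline taken when the system was known-good."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Construct a sample tree, baseline it, tamper with it, and re-verify."""
    root = tempfile.mkdtemp(prefix="integrity_demo_")
    # Constructed "system files" for a known-good baseline (invented content).
    _write(root, "bin/init", b"#!/bin/sh\nexec /bin/realinit\n")
    _write(root, "etc/sigpolicy", b"verify_signatures=1\n")
    _write(root, "etc/hostname", b"demo-device\n")
    baseline = build_manifest(root)

    # Simulated tampering after the baseline was taken: the policy file is
    # changed to switch verification off, and an unexpected file appears.
    _write(root, "etc/sigpolicy", b"verify_signatures=0\n")
    _write(root, "bin/unexpected", b"\x7fELF constructed placeholder")
    os.remove(os.path.join(root, "etc", "hostname"))
    return verify_manifest(root, baseline)


if __name__ == "__main__":
    report = demo()
    for kind, paths in report.items():
        print(f"{kind:9}: {paths}")
```

The baseline has to be generated from a known-good image and stored off the device (or signed with a key the device does not hold); a manifest kept next to the files it describes can be rewritten by the same access that modified them.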
Who is the Attacker?
Mandiant believes that a group with links to China, identified as UNC3886, is exploiting this vulnerability. This group is linked with the novel VMware ESXi hypervisor malware framework discovered in September 2022. At that time, Mandiant researchers noticed that UNC3886 was directly connected to FortiManager and FortiGate devices that had VIRTUALPITA backdoors.
According to Mandiant CTO Charles Carmakal, Chinese threat actors have recently targeted the DIB, telecoms, government, and technology sectors. Because it is hard to detect whether a system has been compromised, the intrusions can carry on for years.
That is why organizations need to improve the security of these devices and keep checking them for suspicious activity, the researchers concluded.