Here’s How Chinese Spies Exploited Critical Fortinet Bug
Suspected Chinese spies have been exploiting a critical bug in Fortinet's FortiOS, using custom network malware to steal credentials and maintain network access, according to Mandiant security researchers.
Fortinet fixed the FortiOS path traversal vulnerability, tracked as CVE-2022-41328, earlier this month. If you haven't patched it yet, do so now.
A few days later the vendor released a more detailed analysis: "Malicious actors have exploited this vulnerability to attack large organizations, steal data, and corrupt operating systems and files."
In a more detailed report released today, Mandiant attributed the use of the (then) FortiOS zero-day and "multiple" bespoke malware families to Chinese hackers.
The same group, which Mandiant tracks as UNC3886, was also behind cyber espionage attacks targeting VMware ESXi hypervisors last year, according to the Google-owned threat intelligence firm.
Security researchers suspect the group is stealing credentials and sensitive data to support Beijing’s goals, but no official attribution has been given.
Hop, skip, jump from VMware
According to the research published today, while investigating the VMware ESXi hypervisor compromises, Mandiant threat hunters "multiple times" found UNC3886 connecting directly from FortiGate and FortiManager devices to a custom-built backdoor called VIRTUALPITA.
“Mandiant suspected that FortiGate and FortiManager devices were compromised due to connections from Fortinet management IP addresses to VIRTUALPITA,” the researchers observed.
They also found that the attackers had compromised the targeted systems' security tools. Analysis of these devices uncovered another new malware family, which Mandiant dubbed CASTLETAP, an ICMP port-knocking backdoor.
Compromise of Internet-connected security devices
The Chinese attackers used two attack paths to compromise Fortinet devices.
In the first, used when the FortiManager device was exposed to the internet, the attackers gained initial access to the Fortinet ecosystem using the CASTLETAP backdoor and another new malware family named THINCRUST.
After gaining access to the internet-exposed devices, the attackers used THINCRUST, a Python-based backdoor disguised as legitimate API calls, to establish persistence on FortiManager and FortiAnalyzer devices. They then used FortiManager scripts to deploy the CASTLETAP backdoor across multiple FortiGate firewalls. These scripts leveraged CVE-2022-41328.
The spies exploited the path traversal vulnerability through the command "execute wireless-controller hs20-icon upload-icon". This command is normally used to upload icon files from a server to the FortiGate firewall for use on the HotSpot 2.0 online sign-up portal (HotSpot 2.0 lets devices switch seamlessly between cellular data and public Wi-Fi). Unfortunately, as the Mandiant researchers explained, the command had two serious problems.
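Because the abused command is a legitimate but rarely used administrative command, one practical defensive check is to review FortiGate CLI audit records for any use of it, and to flag invocations whose file argument carries a directory-traversal sequence. The script below is an added example written for this article; it is not Mandiant's or Fortinet's code. It assumes a simplified, constructed log line format (timestamp, user, source IP, quoted command) rather than Fortinet's real syslog schema, and the argument layout of the upload-icon command in the sample lines is hypothetical.

```python
"""Review constructed CLI audit log lines for hs20-icon upload-icon usage.

Assumed (constructed) line format, not Fortinet's actual log schema:
    <timestamp> user=<name> src=<ip> cmd="<cli command>"
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+cmd="(?P<cmd>[^"]*)"$'
)

# The command named in Mandiant's write-up as the vehicle for CVE-2022-41328.
UPLOAD_ICON = "execute wireless-controller hs20-icon upload-icon"

# Plain "../" (or "..\") segments plus the common URL-encoded spellings.
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)|%2e%2e|\.\.%2f', re.IGNORECASE)


@dataclass
class Finding:
    ts: str
    user: str
    src: str
    cmd: str
    reason: str


def parse_line(line):
    """Return a dict of fields, or None if the line does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def inspect(record):
    """Flag any upload-icon use; escalate the reason when a traversal sequence is present."""
    cmd = record["cmd"]
    if not cmd.startswith(UPLOAD_ICON):
        return None
    args = cmd[len(UPLOAD_ICON):].strip()
    if TRAVERSAL_RE.search(args):
        reason = "path traversal sequence in upload-icon argument"
    else:
        reason = "upload-icon used (rare command; review even without traversal)"
    return Finding(record["ts"], record["user"], record["src"], cmd, reason)


def scan(lines):
    """Parse each line and collect findings; unparseable lines are skipped."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = inspect(rec)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample input (IP addresses from documentation ranges).
SAMPLE_LOG = [
    '2023-03-16T10:01:02Z user=admin src=10.0.0.5 cmd="config system global"',
    '2023-03-16T10:02:11Z user=admin src=10.0.0.5 '
    'cmd="execute wireless-controller hs20-icon upload-icon 10.0.0.9 logo.png"',
    '2023-03-16T10:05:44Z user=admin src=203.0.113.7 '
    'cmd="execute wireless-controller hs20-icon upload-icon 203.0.113.7 ../../../../data/etc/hosts"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.user}@{f.src}: {f.reason}\n    {f.cmd}")
```

Run against real audit exports, the parser's regular expression would need to be adapted to the device's actual log schema; the point of the check is that the upload-icon command is uncommon enough in day-to-day administration that every use is worth a look, and a traversal sequence in its argument is a strong signal on its own.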
In this attack path, with FortiManager exposed, Mandiant also discovered SSH connections from the Fortinet devices to ESXi servers, which the attackers used to deploy the VIRTUALPITA malware on the VMware systems. This gave them persistent access to the hypervisor and the ability to execute commands in guest virtual machines.
The second attack path was used when the FortiManager device was not exposed to the internet. In these cases, the devices had network access control lists (ACLs) restricting external access to TCP port 541 only.
To circumvent the ACLs, the attackers deployed a traffic redirector (TABLEFLIP) and a reverse shell backdoor (REPTILE) on the FortiManager devices, allowing them to reach the backdoor directly from the internet and gain access to the environment.
Noticing a pattern?
Mandiant's latest Fortinet investigation comes a week after its researchers published a similar report about alleged Chinese spies targeting SonicWall gateways and infecting those security devices with credential-stealing malware.
Ben Read, head of Mandiant cyber espionage analysis at Google Cloud, told The Register that this is in fact the fifth time in the past two years that Mandiant has published a blog about China using network devices and other internet-exposed systems.
"We believe targeting these devices will continue to be a go-to technique for spy groups trying to gain access to hard targets," Read said.
"This is because they can be accessed from the internet, so attackers can control the timing of their intrusion. VPN devices and routers have a high volume of regular inbound connections, which makes it easy to blend in."
“Organizations, especially those in industries that have historically been targeted by Chinese spies, should take steps to harden these devices and monitor suspicious activity,” he warned.®