A suspected Chinese hacking group has been linked to a series of attacks on government organizations exploiting a Fortinet zero-day vulnerability (CVE-2022-41328) to deploy malware.

The security flaw allowed threat actors to deploy malware payloads by executing unauthorized code or commands on unpatched FortiGate firewall devices, as Fortinet disclosed last week.

Further analysis revealed that the attackers could use the malware for cyber-espionage, including data exfiltration, downloading and writing files on compromised devices, or opening remote shells when receiving maliciously crafted ICMP packets.

One of the incidents was discovered when a customer's FortiGate devices shut down with FIPS firmware integrity-linked errors, rendering them inoperable.

The devices stopped booting to prevent network infiltration, a standard practice for FIPS-enabled systems. The firewalls were compromised using a CVE-2022-41328 FortiGate path traversal exploit, and their simultaneous shutdown led Fortinet to suspect the attack originated from a FortiManager device.

The company said these were highly targeted attacks against government networks and large organizations, with the attackers also showcasing "advanced capabilities," including reverse-engineering the FortiGate devices' operating system.

"The attack is highly targeted, with some hints of preferred governmental or government-related targets," Fortinet said.

"The exploit requires a deep understanding of FortiOS and the underlying hardware. Custom implants show that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS."

Links to Chinese cyberspies

A new Mandiant report says the attacks occurred in mid-2022 and attributes them to a China-nexus threat group the company tracks as UNC3886.

"Chinese espionage operators' recent victims include DIB, government, telecoms, and technology," said Mandiant CTO Charles Carmakal.

"Given how incredibly difficult they are to find, most organizations cannot identify them on their own. It's not uncommon for Chinese campaigns to end up as multi-year intrusions."

While jointly investigating the incident with Fortinet, Mandiant found that, after breaching the Fortinet devices, UNC3886 backdoored them using two new malware strains for continued access to the victims' networks: a Python-based Thincrust backdoor and the ICMP port-knocking Castletap passive backdoor.
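The two passages above describe a passive backdoor that reacts to specially crafted ICMP packets rather than listening on a TCP port, which is why ordinary port scans and listening-socket inventories miss it. The following is an added example, not code from Fortinet, Mandiant or this article: a small Python hunting script that parses raw IPv4/ICMP packets and flags echo traffic whose payload deviates from what stock `ping` implementations send (default payload lengths of 32 or 56 bytes, low-entropy filler). The thresholds, the sample packets and the `build_ipv4_icmp` helper are constructed for illustration; nothing here is derived from the real implant's trigger format, so treat the output as a starting point for triage, not as a signature.

```python
import math
import socket
import struct
from dataclasses import dataclass

# Default echo payload sizes for Linux (56) and Windows (32) ping (assumption: tune to your fleet).
STANDARD_PING_LENS = {32, 56}
# Stock ping filler is low entropy; compressed or encrypted trigger data tends to sit near 8 bits/byte.
ENTROPY_THRESHOLD = 6.0
ECHO_TYPES = {0, 8}  # echo reply, echo request


@dataclass
class IcmpFinding:
    src: str
    reason: str


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the payload (0.0 for an empty payload)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_icmp(pkt: bytes):
    """Return (src, icmp_type, code, payload) for an IPv4 ICMP packet, else None.

    Expects raw IPv4 bytes without a link-layer header. The ICMP checksum is not
    validated; this is a hunting heuristic, not a protocol implementation.
    """
    if len(pkt) < 28:  # 20-byte minimal IP header + 8-byte ICMP header
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:  # protocol field: 1 == ICMP
        return None
    src = socket.inet_ntoa(pkt[12:16])
    icmp = pkt[ihl:]
    icmp_type, code, _checksum, _ident, _seq = struct.unpack("!BBHHH", icmp[:8])
    return src, icmp_type, code, icmp[8:]


def scan(packets) -> list:
    """Apply the three heuristics to each packet and collect findings."""
    findings = []
    for pkt in packets:
        parsed = parse_icmp(pkt)
        if parsed is None:
            continue
        src, icmp_type, _code, payload = parsed
        if icmp_type not in ECHO_TYPES:
            findings.append(IcmpFinding(src, f"non-echo ICMP type {icmp_type}"))
        if len(payload) not in STANDARD_PING_LENS:
            findings.append(IcmpFinding(src, f"non-default payload length {len(payload)}"))
        ent = shannon_entropy(payload)
        if ent > ENTROPY_THRESHOLD:
            findings.append(IcmpFinding(src, f"high-entropy payload ({ent:.2f} bits/byte)"))
    return findings


def build_ipv4_icmp(src: str, dst: str, icmp_type: int, payload: bytes) -> bytes:
    """Constructed test packet: minimal IPv4 header plus ICMP header (checksums left zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + icmp


# Constructed samples: a Windows-style ping, a Linux-style ping, and an oversized
# echo request carrying 200 distinct bytes (stands in for an encoded trigger payload).
WINDOWS_PING = build_ipv4_icmp("10.0.0.5", "10.0.0.1", 8, b"abcdefghijklmnopqrstuvwabcdefghi")
LINUX_PING = build_ipv4_icmp("10.0.0.6", "10.0.0.1", 8, bytes(8) + bytes(range(0x10, 0x40)))
SUSPECT = build_ipv4_icmp("203.0.113.9", "10.0.0.1", 8, bytes(range(200)))


def demo() -> list:
    return scan([WINDOWS_PING, LINUX_PING, SUSPECT])


if __name__ == "__main__":
    for f in demo():
        print(f"{f.src}: {f.reason}")
```

In practice the packets would come from a capture on the firewall's management or WAN interface; baselining the two thresholds against your own ping traffic for a few days before alerting avoids drowning in false positives from monitoring tools that send larger echo payloads.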

The threat actors initially accessed a FortiManager device accessible from the Internet before exploiting the CVE-2022-41328 zero-day flaw to write files that allowed them to move laterally through the network.

[Figure: FortiManager attack flow (Mandiant)]

After gaining persistence on FortiManager and FortiAnalyzer devices via the Thincrust backdoor, the group used FortiManager scripts to backdoor multiple FortiGate firewalls using Castletap.

Next, the attackers connected to ESXi and vCenter machines, deploying the VirtualPita and VirtualPie backdoors to maintain their hold on the compromised hypervisors and guest machines and to keep their malicious activity from being detected.

On devices configured to restrict access from the Internet, the attackers installed a traffic redirector (Tableflip) and a passive backdoor (Reptile) after pivoting from FortiGate firewalls previously backdoored using Castletap.

"We believe the targeting of these devices will continue to be the go-to technique for espionage groups attempting to access hard targets," said Ben Read, Head of Mandiant Cyber Espionage Analysis at Google Cloud.

"This is due to their being accessible from the internet, allowing actors to control the timing of the intrusion, and in the case of VPN devices and routers, the large amount of regular inbound connections makes blending in easier."
