Cybersecurity company Mandiant has warned of a cyber espionage threat targeting Fortinet network technologies that do not support endpoint detection and response solutions. This enabled Chinese attackers to deploy custom credential stealing malware and maintain persistent access to victim environments.
Suspected Chinese threat actors used a zero-day vulnerability in Fortinet’s FortiOS to maintain long-term access to victim environments. The threat actors then deployed multiple custom malware families on Fortinet and VMware systems, as described by the company in a blog post.
The attackers utilized techniques including:
- Exploitation of a local directory traversal zero-day vulnerability in FortiOS (CVE-2022-41328) to write files to FortiGate firewall disks outside of the normal bounds allowed with shell access. This provided persistent access with Super Administrator privileges on FortiGate firewalls through ICMP port knocking.
- Establishing persistent access on FortiManager and FortiAnalyzer devices through a custom API endpoint and disabling OpenSSL 1.1.0 digital signature verification by corrupting boot files.
- Circumventing firewall rules active on FortiManager devices with a passive traffic redirection utility. This enabled persistent backdoors with Super Administrator privileges.
Mandiant's investigation of connections to VIRTUALPITA from Fortinet management IP addresses indicated that FortiGate and FortiManager devices were likely compromised. FortiGate devices with Federal Information Processing Standards (FIPS) compliance mode enabled also failed to boot after being rebooted, because the attackers had tampered with the operating system. Fortinet helped Mandiant obtain a forensic image of a failing device, leading to the discovery of the CASTLETAP backdoor, which used ICMP port knocking.
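The ICMP port-knocking mechanism mentioned above (in the list of techniques and in the CASTLETAP discovery) is worth a defender-side illustration. The following Python script is an added example, not code from Mandiant, Fortinet or the report; it does not encode the real CASTLETAP trigger format, which this page does not describe. It assumes a simplified, constructed flow-record format and two generic heuristics: an ICMP echo request aimed at a firewall management address whose payload size is not one of the usual ping defaults, followed within a short window by a new TCP session from the same source. The management IP, the "normal" payload sizes and the window are all assumptions to be tuned per environment.

```python
"""Flag ICMP port-knocking candidates against firewall management addresses.

Added example (hypothetical), not vendor code. Works on a constructed,
comma-separated flow-record format:
  timestamp, src_ip, dst_ip, proto, icmp_type_or_dst_port, payload_len
"""
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). The third source sends an
# odd-sized echo but opens a session hours later, so it is not a knock candidate.
SAMPLE_LOG = """\
2023-03-01T10:00:00,203.0.113.7,10.0.0.1,icmp,8,56
2023-03-01T10:00:05,203.0.113.7,10.0.0.1,icmp,8,56
2023-03-01T10:05:00,198.51.100.9,10.0.0.1,icmp,8,129
2023-03-01T10:05:01,198.51.100.9,10.0.0.1,icmp,8,129
2023-03-01T10:05:20,198.51.100.9,10.0.0.1,tcp,443,0
2023-03-01T10:20:00,192.0.2.50,10.0.0.1,icmp,8,129
2023-03-01T12:30:00,192.0.2.50,10.0.0.1,tcp,443,0
"""

FIREWALL_MGMT_IPS = {"10.0.0.1"}          # assumption: the firewall's management interface
NORMAL_PING_PAYLOADS = {32, 56, 64}        # assumption: common default ping payload sizes
KNOCK_WINDOW = timedelta(seconds=60)       # assumption: knock-to-session window to correlate


def parse_record(line):
    """Turn one constructed log line into a dict with typed fields."""
    ts, src, dst, proto, field, plen = line.split(",")
    is_icmp = proto == "icmp"
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "dst": dst,
        "proto": proto,
        "icmp_type": int(field) if is_icmp else None,
        "dst_port": None if is_icmp else int(field),
        "payload_len": int(plen),
    }


def load_records(text):
    """Parse all non-empty lines of a log blob, preserving order."""
    return [parse_record(line) for line in text.strip().splitlines() if line.strip()]


def anomalous_echoes(records, mgmt_ips, normal_sizes=NORMAL_PING_PAYLOADS):
    """ICMP echo requests (type 8) to a management IP with an unusual payload size."""
    return [
        r for r in records
        if r["proto"] == "icmp" and r["icmp_type"] == 8
        and r["dst"] in mgmt_ips and r["payload_len"] not in normal_sizes
    ]


def find_knock_candidates(records, mgmt_ips, window=KNOCK_WINDOW):
    """Correlate anomalous echoes with a TCP session from the same source shortly after.

    Returns one alert per (src, dst) pair with the number of suspicious echoes
    that preceded the first follow-on session inside the window.
    """
    alerts = {}
    for echo in anomalous_echoes(records, mgmt_ips):
        follow_on = [
            r for r in records
            if r["proto"] == "tcp" and r["src"] == echo["src"] and r["dst"] == echo["dst"]
            and echo["ts"] < r["ts"] <= echo["ts"] + window
        ]
        if not follow_on:
            continue
        key = (echo["src"], echo["dst"])
        alert = alerts.setdefault(key, {
            "src": echo["src"],
            "dst": echo["dst"],
            "knocks": 0,
            "first_session": follow_on[0]["ts"],
            "session_port": follow_on[0]["dst_port"],
        })
        alert["knocks"] += 1
    return list(alerts.values())


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for a in find_knock_candidates(recs, FIREWALL_MGMT_IPS):
        print(f"possible ICMP knock: {a['src']} -> {a['dst']} "
              f"({a['knocks']} echoes, session on port {a['session_port']} at {a['first_session']})")
```

On the constructed sample this reports one candidate (198.51.100.9, two odd-sized echoes followed by a TCP session within 20 seconds) and ignores both the normal pings and the source whose session came hours after its echo. The size heuristic is deliberately crude; in practice the same correlation can be driven by payload content or ICMP types that never occur legitimately on a management interface, and the window should match how quickly operators expect an implant to react.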
Mandiant attributed the espionage activity to UNC3886, a group with a China-nexus suspected of being associated with a VMware ESXi hypervisor malware framework disclosed in September 2022.
Finally, technologies that lack EDR solutions create a challenge for investigators. Network appliances may lack tools to detect runtime modifications and require manufacturer assistance to collect forensic images. Cross-organizational communication and collaboration are crucial both to alert manufacturers to new attack methods and to give investigators insight into these attacks, according to the Mandiant researchers.