China’s Cyberattack Tradecraft Evolves, Targets Fortinet Firewalls

May 2, 2023

Chinese hacking group UNC3886 infiltrated a defense industry organization's network with a stealthy and complex attack, exploiting a zero-day flaw in Fortinet's FortiOS (CVE-2022-41328). The attack was discovered after more than a dozen Fortinet FortiGate firewalls crashed and failed to reboot properly. According to Kevin Mandia, CEO of Mandiant at Google Cloud, the firewall failure was a stroke of luck, as it might have taken 'a very long time' for the attack to be detected otherwise.

Mandiant's incident response team collaborated with Fortinet in the breach investigation, discovering that the attackers had hacked into FortiGate firewalls, Fortinet's management platform FortiManager, and its log and reporting tool FortiAnalyzer. The attackers employed an old-school directory path traversal attack, exploiting the zero-day flaw that allowed them to read and write files on the firewall disks via command-line interface commands. They also gained super-administrator privileges in the firewalls, bypassed firewall rules on FortiManager, set up a virtual API endpoint on FortiManager, and planted a custom malware framework they had built for VMware ESXi hypervisors on FortiManager and FortiAnalyzer to anchor themselves deep in the network infrastructure. Additionally, they disabled the system's digital signature verification step by corrupting boot files.

Embedding inside the firewalls and on virtual hardware kept UNC3886 out of sight from endpoint detection and response (EDR) systems that could have exposed them had they gone after workstations. Mandia explains that as EDR improves, attacks are being pushed onto firewalls. He says it was a near 'perfect' scheme to hide in a space where they are mostly undetectable, and it's especially difficult for incident responders to uncover them and their tracks. 'They could hack an infrastructure. If you’re on offense and you’re literally sitting on firewalls and virtual hardware, there's no EDR to catch you,' he says.

This attack underscored a major shift in China's tradecraft. 'The news on offense was China had its most innovative year,' Mandia says. 'Everybody got better, but China got way better' last year in its nation-state attack operations. What was most unusual was how the Chinese hacking team meticulously deleted logs and traces of their activity on the victim's network, a departure from traditional Chinese hacking groups' practices. 'They never really cleaned up file logs. But when they were on the Fortinet boxes, they were cleaning up their access and Web logs, doing a set of commands and then stripping out IP addresses from logs,' Mandia says. He describes the UNC3886 campaign as the 'apex attack' of 2022.
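The log cleanup described above (deleting entries and stripping IP addresses) is only invisible if the appliance's own disk is the sole copy of its logs. The defensive counterpart is to forward logs off-box and diff the two copies. The following is an added example, not code from the article, Mandiant or Fortinet: it compares a constructed "read back from the appliance" copy against a constructed "received by the remote syslog collector" copy and reports events that vanished locally and events whose source IP field was stripped. The key=value layout and the field names (date, time, logid, srcip) follow the FortiGate logging convention as an assumption; every value in the sample lines is made up.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the same time window as received by an off-box syslog
# collector. Field names mimic the FortiGate key=value style; values are made up.
REMOTE_SYSLOG_COPY = [
    'date=2022-11-03 time=10:01:02 logid=0001 type=traffic srcip=192.0.2.10 dstip=198.51.100.7 action=accept',
    'date=2022-11-03 time=10:01:09 logid=0002 type=event srcip=192.0.2.10 action=login status=success user=admin',
    'date=2022-11-03 time=10:01:15 logid=0003 type=event srcip=192.0.2.10 action=Edit cfgpath=system.admin',
    'date=2022-11-03 time=10:02:30 logid=0001 type=traffic srcip=203.0.113.5 dstip=198.51.100.7 action=deny',
]

# Constructed sample: the same window read back from the appliance disk.
# The admin edit event is gone, and the login event has lost its srcip field.
LOCAL_DISK_COPY = [
    'date=2022-11-03 time=10:01:02 logid=0001 type=traffic srcip=192.0.2.10 dstip=198.51.100.7 action=accept',
    'date=2022-11-03 time=10:01:09 logid=0002 type=event action=login status=success user=admin',
    'date=2022-11-03 time=10:02:30 logid=0001 type=traffic srcip=203.0.113.5 dstip=198.51.100.7 action=deny',
]

# key=value tokens; values may be quoted strings containing spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def event_key(fields: Dict[str, str]) -> Tuple[str, str, str]:
    """Identity of an event across both copies: timestamp plus log id."""
    return (fields.get('date', ''), fields.get('time', ''), fields.get('logid', ''))


def find_tampering(local_lines: List[str], remote_lines: List[str]) -> Dict[str, List[Dict[str, str]]]:
    """Return events missing from the local copy and events whose srcip was
    removed or altered locally, using the remote copy as the reference."""
    local = {event_key(f): f for f in map(parse_line, local_lines)}
    remote = {event_key(f): f for f in map(parse_line, remote_lines)}

    # Present at the collector but absent on the appliance: deleted locally.
    deleted = [remote[k] for k in remote if k not in local]

    # Present in both, but the local record lacks srcip or disagrees with the
    # remote one: the address was stripped or rewritten after forwarding.
    stripped = []
    for key, local_fields in local.items():
        remote_fields = remote.get(key)
        local_ip = local_fields.get('srcip')
        if not local_ip or (remote_fields and remote_fields.get('srcip') != local_ip):
            stripped.append(local_fields)

    return {'deleted': deleted, 'stripped_srcip': stripped}


if __name__ == '__main__':
    report = find_tampering(LOCAL_DISK_COPY, REMOTE_SYSLOG_COPY)
    for event in report['deleted']:
        print('deleted locally :', event)
    for event in report['stripped_srcip']:
        print('srcip stripped  :', event)
```

The comparison only works if forwarding happens in near real time and the collector is not reachable from the appliance with write or delete rights; a collector the attacker can also reach would simply be cleaned the same way.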

Mandia also discussed the use and abuse of generative AI, which he believes will be especially useful for defenders and researchers. He envisions generative AI accelerating vulnerability discovery and code development, giving defenders an advantage. Mandiant is currently developing its own AI-based discovery tool. 'AI is going to be a shift change,' he says. 'You can feel it.'
