Chinese hacking group UNC3886 infiltrated a defense industry organization's network with a stealthy and complex attack, exploiting a zero-day flaw in Fortinet's FortiOS (CVE-2022-41328). The attack was discovered after more than a dozen Fortinet FortiGate firewalls crashed and failed to reboot properly. According to Kevin Mandia, CEO of Mandiant at Google Cloud, the firewall failure was a stroke of luck, as it might have taken 'a very long time' for the attack to be detected otherwise.
Mandiant's incident response team collaborated with Fortinet in the breach investigation, discovering that the attackers had compromised FortiGate firewalls, Fortinet's management platform FortiManager, and its log and reporting tool FortiAnalyzer. The attackers employed an old-school directory path traversal attack, exploiting the zero-day flaw that allowed them to read and write files on the firewall disks via command-line interface commands. They also gained super-administrator privileges on the firewalls, bypassed firewall rules on FortiManager, and set up a virtual API endpoint on FortiManager and on FortiAnalyzer, using a custom malware framework they had built for VMware ESXi hypervisors, to anchor themselves deep in the network infrastructure. Additionally, they disabled the system's digital signature verification step by corrupting boot files.
Embedding inside the firewalls and on virtual hardware kept UNC3886 out of sight of endpoint detection and response (EDR) systems, which could have exposed them had they gone after workstations. Mandia explains that as EDR improves, attacks are being pushed onto firewalls. He says it was a near 'perfect' scheme: hiding in a space where they are mostly undetectable, and where it is especially difficult for incident responders to uncover them and their tracks. 'They could hack an infrastructure. If you’re on offense and you’re literally sitting on firewalls and virtual hardware, there's no EDR to catch you,' he says.
This attack underscored a major shift in China's tradecraft. 'The news on offense was China had its most innovative year,' Mandia says. 'Everybody got better, but China got way better' last year in its nation-state attack operations. What was most unusual was how the Chinese hacking team meticulously deleted logs and traces of their activity on the victim's network, a departure from traditional Chinese hacking groups' practices. 'They never really cleaned up file logs. But when they were on the Fortinet boxes, they were cleaning up their access and Web logs, doing a set of commands and then stripping out IP addresses from logs,' Mandia says. He describes the UNC3886 campaign as the 'apex attack' of 2022.
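As an added defender-side illustration (not code from the article, Mandiant or Fortinet), the script below audits constructed FortiOS-style event records for two of the traces described above: a login record whose source IP has been blanked, and a CLI command carrying a directory traversal sequence. The key=value field names are assumed to follow FortiOS syslog conventions; the records themselves are invented.

```python
import re
from typing import Dict, List, Tuple

# Constructed FortiGate-style event records (key=value pairs, as in FortiOS
# syslog output). Field names are assumed; every value is invented.
SAMPLE_LOG = """\
date=2022-10-01 time=08:00:01 logid="0100032001" type="event" subtype="system" user="admin" ui="ssh(10.1.2.3)" srcip=10.1.2.3 action="login" status="success" msg="Administrator admin logged in successfully"
date=2022-10-01 time=08:00:07 logid="0100044547" type="event" subtype="system" user="admin" ui="ssh(10.1.2.3)" srcip=10.1.2.3 action="execute" msg="execute backup config tftp ../../../data/etc/ 10.1.2.3"
date=2022-10-01 time=08:01:15 logid="0100032001" type="event" subtype="system" user="admin" ui="ssh()" srcip= action="login" status="success" msg="Administrator admin logged in successfully"
date=2022-10-01 time=08:02:00 logid="0100032003" type="event" subtype="system" user="admin" ui="ssh(10.1.2.3)" srcip=10.1.2.3 action="logout" msg="Administrator admin logged out"
"""

# key=value where the value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one FortiOS-style record into a field dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def audit(log_text: str) -> List[Tuple[int, str]]:
    """Return (line_no, reason) findings for records matching the log-scrubbing
    and path-traversal patterns described in the incident write-up."""
    findings: List[Tuple[int, str]] = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_record(line)
        if not rec:
            continue
        # 1. A remote admin login always carries a source address; a blank
        #    srcip on a login record is consistent with IPs stripped from logs.
        if rec.get("action") == "login" and not rec.get("srcip"):
            findings.append((n, "login record with stripped source IP"))
        # 2. Directory traversal sequences inside a CLI command argument.
        if "../" in rec.get("msg", ""):
            findings.append((n, "path traversal sequence in CLI command"))
    return findings


if __name__ == "__main__":
    for n, reason in audit(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

In a real deployment the records would be read from a forwarded syslog stream, and the checks extended with whatever fields the local logging profile emits.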
Mandia also discussed the use and abuse of generative AI, which he believes will be especially useful for defenders and researchers. He envisions generative AI accelerating vulnerability discovery and code development, giving defenders an advantage. Mandiant is currently developing its own AI-based discovery tool. 'AI is going to be a shift change,' he says. 'You can feel it.'