Chinese Cyber Espionage Group UNC3886 Exploits Fortinet and VMware Zero-Days

June 19, 2024

A cyber espionage group, UNC3886, with connections to China, has been found exploiting zero-day vulnerabilities in security devices from Fortinet, Ivanti, and VMware. The group uses a variety of persistence mechanisms to maintain ongoing access to compromised systems. As quoted in a report by Mandiant researchers, "Persistence mechanisms encompassed network devices, hypervisors, and virtual machines, ensuring alternative channels remain available even if the primary layer is detected and eliminated."

The group, labelled as "sophisticated, cautious, and evasive" by the Google-owned threat intelligence company, has leveraged zero-day flaws such as CVE-2022-41328 (Fortinet FortiOS), CVE-2022-22948 (VMware vCenter), and CVE-2023-20867 (VMware Tools) to execute a range of malicious actions. These actions include deploying backdoors and obtaining credentials for deeper system access. The group has also exploited CVE-2022-42475, a vulnerability affecting Fortinet FortiGate, shortly after its public disclosure.

The attacks orchestrated by UNC3886 have primarily targeted entities in North America, Southeast Asia, and Oceania, but victims have also been identified in Europe, Africa, and other parts of Asia. The industries targeted span a wide range, including governments, telecommunications, technology, aerospace and defense, and energy and utility sectors. A notable aspect of UNC3886's strategy is its ability to develop techniques that evade security software, enabling it to infiltrate government and business networks and spy on victims for extended periods without detection.

UNC3886 employs publicly available rootkits like Reptile and Medusa on guest virtual machines (VMs), the latter of which is deployed using an installer component known as SEAELF. As Mandiant noted, "Unlike REPTILE, which only provides an interactive access with rootkit functionalities, MEDUSA exhibits capabilities of logging user credentials from the successful authentications, either locally or remotely, and command executions." These capabilities allow UNC3886 to move laterally using valid credentials.

The group also deploys two backdoors named MOPSLED and RIFLESPINE that exploit trusted services like GitHub and Google Drive for command-and-control (C2) channels. MOPSLED is a shellcode-based modular implant that communicates over HTTP to retrieve plugins from a GitHub C2 server, while RIFLESPINE is a cross-platform tool that uses Google Drive to transfer files and execute commands.

Mandiant also observed UNC3886 deploying backdoored SSH clients to harvest credentials after exploiting CVE-2023-20867, as well as using Medusa to set up custom SSH servers for the same purpose. The group's first attempt to extend its access to network appliances by targeting the TACACS server involved the use of LOOKOVER, a sniffer that processes TACACS+ authentication packets, decrypts them, and writes their contents to a specified file path.

Virtual machines have become attractive targets for threat actors due to their widespread use in cloud environments. A compromised VM can provide attackers with access to not only the data within the VM instance but also the permissions assigned to it. Organizations are advised to follow the security recommendations within the Fortinet and VMware advisories to protect against potential threats.
