A suspected Chinese hacking group has been linked to a series of attacks on government organizations that exploited a Fortinet zero-day vulnerability (CVE-2022-41328) to deploy malware. The security flaw allowed threat actors to execute unauthorized code or commands on unpatched FortiGate firewall devices and use that access to deploy malware payloads. Analysis revealed that the attackers could use the malware for cyber-espionage, including data exfiltration, downloading and writing files on compromised devices, or opening remote shells when the device received maliciously crafted ICMP packets.
Mandiant CTO Charles Carmakal said, "Chinese espionage operators' recent victims include DIB, government, telecoms, and technology. Given how incredibly difficult they are to find, most organizations cannot identify them on their own. It's not uncommon for Chinese campaigns to end up as multi-year intrusions." Ben Read, Head of Mandiant Cyber Espionage Analysis at Google Cloud, added, "We believe the targeting of these devices will continue to be the go-to technique for espionage groups attempting to access hard targets. This is due to their being accessible from the internet, allowing actors to control the timing of the intrusion, and in the case of VPN devices and routers, the large amount of regular inbound connections makes blending in easier."