
Chinese Hackers Exploit Fortinet Zero-Day Flaw for Cyber Espionage Attack

Mar 18, 2023: A zero-day exploit of a now-patched, medium-severity security flaw in Fortinet's FortiOS operating system has been linked by threat intelligence firm Mandiant to a suspected Chinese espionage group. Mandiant tracks the actor under the uncategorized moniker UNC3886; the activity is part of a broader campaign to deploy backdoors onto Fortinet and VMware products and maintain persistent access.

The vulnerability, CVE-2022-41328, is a path traversal bug in FortiOS that Fortinet patched on March 7, 2023. The adversaries exploited it against Fortinet's FortiGate, FortiManager, and FortiAnalyzer appliances to deploy two implants, THINCRUST and CASTLETAP. THINCRUST is a Python backdoor that can execute arbitrary commands and read and write files on disk. The persistence it affords was then used to deliver FortiManager scripts that weaponize the path traversal flaw to overwrite legitimate files and modify firmware images. CASTLETAP, deployed on the FortiGate firewalls, connects out to an actor-controlled server and accepts instructions to run commands, fetch payloads, and exfiltrate data from the compromised host.
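
To make the bug class behind the file-overwrite step concrete, here is an added example written for this page; it is not FortiOS code, not anything from the Mandiant report, and says nothing about how CVE-2022-41328 itself is triggered. It models the generic pattern: a writer that joins a caller-supplied file name onto a staging directory without canonicalising it, so "../" sequences or a planted symlink land the write on a protected file, beside a hardened writer that resolves the final path and refuses anything outside the intended root. The staging tree, file names and payloads are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Constructed sandbox for the demo: a fake "firmware staging" tree on local
# disk. Editor-written illustration of the path-traversal bug class; the
# layout below is invented for the example and is not a FortiOS layout.
STAGING_ROOT = Path(tempfile.mkdtemp(prefix="fw_staging_"))
UPLOADS = STAGING_ROOT / "uploads"                      # where uploads should land
PROTECTED = STAGING_ROOT / "protected" / "image.bin"    # must never be touched
UPLOADS.mkdir()
PROTECTED.parent.mkdir()
PROTECTED.write_bytes(b"ORIGINAL-IMAGE")


def write_upload_unsafe(base: Path, name: str, data: bytes) -> Path:
    """Vulnerable pattern: the caller-supplied name is joined onto the base
    directory with no canonicalisation or containment check, so '../'
    sequences (or a symlink planted under base) escape the intended directory."""
    target = Path(os.path.join(base, name))
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


def write_upload_safe(base: Path, name: str, data: bytes) -> Path:
    """Hardened pattern: resolve the final path (collapsing '..' and following
    symlinks) and refuse it unless it is strictly inside the resolved base."""
    base_real = base.resolve()
    target = (base_real / name).resolve()
    try:
        target.relative_to(base_real)
    except ValueError:
        raise PermissionError(f"upload path escapes {base_real}: {name!r}") from None
    if target == base_real:
        raise PermissionError("refusing to overwrite the upload root itself")
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


def run_demo() -> dict:
    """Drive both writers with a traversal name, a symlink trick and a benign
    name, and report what each one did to the protected file."""
    payload = b"TAMPERED"
    evil_name = "../protected/image.bin"

    # 1. Unsafe writer: the traversal overwrites the protected file.
    write_upload_unsafe(UPLOADS, evil_name, payload)
    unsafe_overwrote = PROTECTED.read_bytes() == payload
    PROTECTED.write_bytes(b"ORIGINAL-IMAGE")  # restore before the hardened run

    # 2. Safe writer: the same name is rejected.
    try:
        write_upload_safe(UPLOADS, evil_name, payload)
        safe_blocked = False
    except PermissionError:
        safe_blocked = True

    # 3. Symlink planted inside the upload root, pointing at the protected dir.
    #    A check on the unresolved string would pass; resolving catches it.
    link = UPLOADS / "link"
    if not link.is_symlink():
        link.symlink_to(PROTECTED.parent, target_is_directory=True)
    try:
        write_upload_safe(UPLOADS, "link/image.bin", payload)
        symlink_blocked = False
    except PermissionError:
        symlink_blocked = True

    # 4. A legitimate nested name still works with the hardened writer.
    benign = write_upload_safe(UPLOADS, "config/backup.conf", b"set hostname fw1\n")

    return {
        "unsafe_overwrote": unsafe_overwrote,
        "safe_blocked": safe_blocked,
        "symlink_blocked": symlink_blocked,
        "protected_intact": PROTECTED.read_bytes() == b"ORIGINAL-IMAGE",
        "benign_written": benign.read_bytes() == b"set hostname fw1\n",
    }


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check:18s} {ok}")
```

The containment check is done on the fully resolved path rather than on the string, because a string-level filter for ".." misses symlinks, URL-encoded separators and platform-specific path forms; resolving first and then testing `relative_to` against the resolved root closes all of those at once.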

In addition to the two implants, the threat actor used a utility called TABLEFLIP, a passive network traffic redirection tool that let them connect directly to the FortiManager device regardless of the access-control list (ACL) rules in place. The UNC3886 attacks highlight the danger of zero-day vulnerabilities in edge and management appliances, which typically have no endpoint detection coverage, with China-aligned hacking crews becoming particularly proficient at exploiting them.

Key Points:

• A zero-day exploit of a now-patched medium-severity security flaw in the Fortinet FortiOS operating system has been linked to a suspected Chinese hacking group.

• The actor is tracked by Mandiant under the uncategorized moniker UNC3886, and the activity is part of a broader campaign to deploy backdoors onto Fortinet and VMware products and maintain persistent access.

• The adversaries targeted Fortinet's FortiGate, FortiManager, and FortiAnalyzer appliances to deploy two implants, THINCRUST and CASTLETAP.

• In addition to the two implants, the threat actor used a utility called TABLEFLIP, a network traffic redirection tool that allowed direct connections to the FortiManager device regardless of ACL rules.

• The attacks mounted by UNC3886 have highlighted the danger of zero-day vulnerabilities, with China-aligned hacking crews becoming particularly proficient at exploiting them.
