
Exploitation of Recent Fortinet Zero-Day Linked to Chinese Cyberspies

Fortinet recently announced that a zero-day vulnerability in FortiOS, tracked as CVE-2022-41328, had been exploited in attacks aimed at government organizations. Fortinet's advisory describes the flaw as a path traversal that lets an already privileged attacker read and write arbitrary files through crafted CLI commands, which is why it was useful to an actor that had already obtained a foothold on the device. Google-owned cybersecurity firm Mandiant attributed the attacks to a suspected Chinese state-sponsored threat actor it tracks as UNC3886. According to Mandiant, the attackers combined custom implants with a deep understanding of FortiOS and the underlying hardware to exploit the vulnerability, bypass firewall rules and disable the OpenSSL digital signature verification that FortiOS performs on system files, so that their modified files would survive and keep running across reboots and give them persistent access.

Fortinet released patches for the vulnerability on March 7 and published some details about the attacks two days later, including indicators of compromise (IoCs). On Thursday, Mandiant revealed that the attacks were conducted by a cyberespionage group it tracks as UNC3886, which it believes is working in support of the Chinese government's goals. Mandiant also believes UNC3886 was behind attacks observed last year that involved the installation of persistent backdoors on VMware ESXi hypervisors.

Mandiant also collaborated with Fortinet last year to investigate the deployment of malware on various Fortinet products. Both companies have urged organizations, especially those in industries historically targeted by Chinese espionage, to patch, to harden their Fortinet devices and to monitor them for suspicious activity, including checking them against the published IoCs.

In summary, a FortiOS zero-day, CVE-2022-41328, was exploited against government organizations by a group Mandiant tracks as UNC3886 and believes is working in support of the Chinese government's goals. Because the attackers tampered with the device's own integrity checks to stay resident, organizations running affected products should apply the patches, harden their devices and review them for the published indicators of compromise rather than assume a reboot or upgrade alone clears the problem.

Key Points:

  • Fortinet recently warned of a zero-day vulnerability in FortiOS that was exploited in attacks targeting government organizations.
  • Google-owned cybersecurity firm Mandiant identified the threat actor as UNC3886, which it believes is working in support of the Chinese government's goals.
  • The attackers used custom implants and a deep understanding of FortiOS and the underlying hardware to exploit the vulnerability and maintain persistent access.
  • Organizations should take steps to harden their devices and monitor them for suspicious activity.
