Headline
Chinese Hackers Exploiting 0-day Vulnerability in Fortinet Products
By Deeba Ahmed According to researchers, multiple Fortinet products were impacted by this vulnerability, including FortiManager, FortiGate, and FortiAnalyzer. This is a post from HackRead.com Read the original post: Chinese Hackers Exploiting 0-day Vulnerability in Fortinet Products
****Mandiant believes that a group with links to China, identified as UNC3886, is exploiting this vulnerability.****
According to the cybersecurity researchers at Google-owned Mandiant, Chinese espionage actors are suspected of exploiting a critical vulnerability in Fortinet using custom networking malware to steal credentials and retain access to the network. The attacks were observed in mid-2022.
Critical Vulnerability in FortiOS Aiding Chinese Spies
Mandiant researchers explained that the bug is a local directory traversal zero-day vulnerability present in FortiOS, tracked as CVE-2022-41328, and was patched by Fortinet earlier in March 2023.
Researchers believe a threat actor with links to China accessed victim environments and deployed backdoors into Fortinet and VMware software to maintain persistence, achieved through the zero-day vulnerability, which the attacker used to deploy multiple custom malware strains on the OS.
Which Products Are Vulnerable?
According to Mandiant’s investigation, conducted in collaboration with Fortinet, multiple Fortinet products were impacted by this vulnerability, including FortiManager, FortiGate, and FortiAnalyzer. The attackers exploit the flaw to target large organizations, steal sensitive data, and implement file or OS corruption.
“The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets.”
“The exploit requires a deep understanding of FortiOS and the underlying hardware. Custom implants show that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS,” Mandiant’s report read.
How is it Being Exploited?
The attacker used the CVE-2022-41328 exploit to write files to FortiGate disks, which is outside the normal limits allowed with shell access. After gaining Super Administrator privileges within the firewall via ICMP port knocking, the invader maintained persistent access.
They also circumvented active firewall rules on FortiManager devices with a passive traffic redirection utility. This allowed the attacker to establish a continuous connection to persistent backdoors with Super Admin privileges.
Using a custom API endpoint created on the targeted device, the attacker established persistence on FortiAnalyzer and FortiManager devices. They can also disable OpenSSL 1.1.0 digital signature verification of system files by corrupting boot files.
Who is the Attacker?
Mandiant believes that a group with links to China, identified as UNC3886, is exploiting this vulnerability. This group is linked with the novel VMware ESXi hypervisor malware framework discovered in September 2022. At that time, Mandiant researchers noticed that UNC3886 was directly connected with FortiManager and FortiGate devices having VIRTUALPITA backdoors.
According to Mandiant CTO Charles Carmakal, Chinese threat actors have recently targeted DIB, telecoms, government, and technology. Since detecting if a system has been invaded is hard, the intrusions can carry on for years.
That’s why it is necessary for organizations to improve the security of these devices and keep checking for suspicious activity, researchers concluded.
- Chinese Hackers Hiding Malware in Windows Logo
- Chinese Hackers Target Group-IB Cybersecurity Firm
- Login data of Fortinet VPN users dumped in plain-text
- Fortinet products bypassed to compromise companies
- Chinese Sharp Panda group drops SoulSearcher malware
Related news
The China-nexus cyber espionage actor linked to the zero-day exploitation of security flaws in Fortinet, Ivanti, and VMware devices has been observed utilizing multiple persistence mechanisms in order to maintain unfettered access to compromised environments. "Persistence mechanisms encompassed network devices, hypervisors, and virtual machines, ensuring alternative channels remain available
An advanced China-nexus cyber espionage group previously linked to the exploitation of security flaws in VMware and Fortinet appliances has been linked to the abuse of a critical vulnerability in VMware vCenter Server as a zero-day since late 2021. "UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example further
Nearly 20% of the zero-day flaws that attackers exploited in 2022 were in network, security, and IT management products, Mandiant says.
As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple. While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significant uptick in recent years of threat actors leveraging unknown security flaws to their advantage. The
The zero-day exploitation of a now-patched medium-security flaw in the Fortinet FortiOS operating system has been linked to a suspected Chinese hacking group. Threat intelligence firm Mandiant, which made the attribution, said the activity cluster is part of a broader campaign designed to deploy backdoors onto Fortinet and VMware solutions and maintain persistent access to victim environments.
Patched earlier this month, a code-execution vulnerability is the latest FortiOS weakness to be exploited by attackers, who see the devices as well-placed targets for initial access operations.
Categories: Exploits and vulnerabilities Categories: News Tags: patch Tuesday Tags: March Tags: 2023 Tags: Microsoft Tags: Adobe Tags: Fortinet Tags: Android Tags: SAP Tags: CVE-2023-23397 Tags: CVE-2023-24880 Tags: CVE-2023-26360 Tags: CVE-2022-41328 This Patch Tuesday, Microsoft has released fixes for two actively exploited zero-days and Adobe has fixed one. (Read more...) The post Update now! Microsoft fixes two zero-day bugs appeared first on Malwarebytes Labs.
Government entities and large organizations have been targeted by an unknown threat actor by exploiting a security flaw in Fortinet FortiOS software to result in data loss and OS and file corruption. "The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," Fortinet researchers Guillaume Lovet and Alex Kong said in an
A improper limitation of a pathname to a restricted directory vulnerability ('path traversal') [CWE-22] in Fortinet FortiOS version 7.2.0 through 7.2.3, 7.0.0 through 7.0.9 and before 6.4.11 allows a privileged attacker to read and write files on the underlying Linux system via crafted CLI commands.