Chinese Hacker Group Exploits Fortinet and VMware Zero-Days
Chinese Hacker Group Exploits Fortinet and VMware Zero-Days

The Chinese hacker group UNC3886 has been actively exploiting zero-day security vulnerabilities within products from Fortinet and VMware to secure post-compromise access within targeted networks. Mandiant explains that this group uses advanced tactics, such as VM rootkits Reptile and Medusa and its own SSH servers to harvest credentials. Other backdoors the group uses are MOPSLED and RIFLESPINE, which use GitHub and Google Drive for command-and-control communication. They are attacking governments, telecommunications, technology, and aerospace. Their targets are more in North America, Southeast Asia, and Oceania.

The threat actor leverages several zero-day vulnerabilities, including CVE-2022-41328, CVE-2022-22948, and CVE-2023-20867, to deploy malware, including backdoors and credential harvesting tools. Their persistence mechanisms assure them of ongoing access even in cases where the outer layer of access is found and removed. These methods include leveraging existing rootkits for user credential capture and command execution. In addition, UNC3886 uses advanced evasion techniques, in combination with longitudinal espionage, to stay under the radar.

Some of the more advanced weapons of UNC3886 are MOPSLED and RIFLESPINE backdoors. MOPSLED is a modular implant centered around a shellcode that fetches plugins from a GitHub C2 server, while RIFLESPINE allows for file transfer and command execution using Google Drive. Additionally, the group has developed malware such as LOOKOVER, a sniffer targeting TACACS+ packets used in authentication, and other samples related to VMware instances to enhance their espionage capability.

Mandiant’s research suggests that the group is very agile and can easily shift tactics, still maintaining access and evading detection. Rootkits and backdoors used on VMs allow UNC3886 to remain disconnected from more common security measures. More sophisticated tools make protecting network devices, hypervisors, and VMs significant against such persistent threats.

Focus is, therefore, on the high-value sectors that have been targeted and at the core is the gathering of intelligence and sensitive information. Therefore, the grave danger that UNC3886 poses is the exploitation of zero-day vulnerabilities and persistent access to networks in various sectors. The custom tooling and malware deployment shows how technically capable and strategic the actors are with cyber espionage.

Related Posts
  Don't Miss Out!

Stay informed with Enfoa's bite-sized offensive cybersecurity newsletter. We value your time and deliver only the most interesting and impactful updates straight to your inbox.

Join over 10,000 companies that have already subscribe.

Newsletter