UNC3886 Chinese hackers target telecoms, government, technology, DIB in espionage attacks, Mandiant discloses


Threat intelligence firm Mandiant has investigated dozens of intrusions at defense industrial base (DIB), government, technology, and telecommunications organizations over the years where suspected UNC3886 Chinese-nexus groups have exploited zero-day vulnerabilities and deployed custom malware to steal user credentials and maintain long-term access to the victim environments. These hackers have been identified to ‘continue to target technologies that do not support endpoint detection and response (EDR) solutions such as firewalls, IoT devices, hypervisors, and VPN technologies.’

In a blog post published Thursday, the Mandiant research team attributed the activity to UNC3886, the group associated with the novel VMware ESXi hypervisor malware framework disclosed last September. The UNC3886 cyber espionage group has unique capabilities in how it operates on-network as well as in the tools it uses in its campaigns, and has been observed targeting firewall and virtualization technologies that lack EDR support. Its ability to manipulate firewall firmware and exploit a zero-day indicates a deeper level of understanding of such technologies. UNC3886 has also modified publicly available malware targeting *nix operating systems.

In February, U.S. security agencies published a joint Cybersecurity Advisory (CSA) in response to the ongoing ESXiArgs ransomware campaign. Hackers could be exploiting known vulnerabilities in VMware ESXi servers that are likely running unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access and deploy ransomware. Furthermore, the ESXiArgs ransomware encrypts configuration files on ESXi servers, potentially rendering virtual machines (VMs) unusable.

The researchers said that they often observe cyber espionage operators exploiting zero-day vulnerabilities and deploying custom malware to Internet-exposed systems as an initial attack vector. They also identify instances where the suspected China-nexus hackers likely already had access to victim environments, and then deployed backdoors onto Fortinet and VMware solutions as a means of maintaining persistent access to the environments. This involved the use of a local zero-day vulnerability in FortiOS (CVE-2022-41328) and the deployment of multiple custom malware families on Fortinet and VMware systems.

“At the time of the ESXi hypervisor compromises, Mandiant observed UNC3886 directly connect from FortiGate and FortiManager devices to VIRTUALPITA backdoors on multiple occasions,” they added.

Another threat cluster unrelated to UNC3886, also suspected to be from China, was recently observed targeting zero-day vulnerabilities in Fortinet products, as reported by Mandiant in mid-January 2023. At the time, researchers identified a suspected China-nexus campaign called ‘BOLDMOVE’ believed to have exploited a recently announced vulnerability in Fortinet’s FortiOS SSL-VPN as a zero-day. Mandiant continues to gather evidence and identify overlaps between UNC3886 and other groups attributed to Chinese APTs.

Mandiant further detailed that in mid-2022 it collaborated with Fortinet to investigate the exploitation and deployment of malware across multiple Fortinet solutions including FortiGate (firewall), FortiManager (centralized management solution), and FortiAnalyzer (log management, analytics, and reporting platform).

The researchers summarized the hackers’ actions in a few general steps. They used a local directory traversal zero-day (CVE-2022-41328) exploit to write files to FortiGate firewall disks outside of the normal bounds allowed with shell access. They maintained persistent access with ‘Super Administrator’ privileges within FortiGate firewalls through ICMP port knocking, and circumvented firewall rules active on FortiManager devices with a passive traffic redirection utility, enabling continued connections to persistent backdoors with Super Administrator privileges.

Additionally, the hackers established persistence on FortiManager and FortiAnalyzer devices through a custom API endpoint created within the device, and disabled OpenSSL 1.1.0 digital signature verification of system files through targeted corruption of boot files.

Mandiant observed two distinct attack lifecycles where the threat actor abused Fortinet technologies to establish network access. The first occurred when the threat actor initially gained access to the Fortinet ecosystem while the FortiManager device was exposed to the internet.

During this attack lifecycle, backdoors disguised as legitimate API calls (THINCRUST) were deployed across both FortiAnalyzer and FortiManager devices. Once persistence was established across the two devices, FortiManager scripts were used to deploy backdoors (CASTLETAP) across the FortiGate devices.

Mandiant observed SSH connections from the Fortinet devices to the ESXi servers, followed by the installation of malicious vSphere Installation Bundles which contained VIRTUALPITA and VIRTUALPIE backdoors. This enabled the threat actor persistent access to the hypervisors and allowed the attacker to execute commands on guest virtual machines.

At present, “Mandiant has no evidence of a zero-day vulnerability being used to gain initial access or deploy the malicious VIBs at the time of writing this post. VIRTUALPITA and VIRTUALPIE were discussed in more detail in a previous Mandiant blog post published in September 2022,” the researchers added.

The second attack lifecycle occurred after network Access Control Lists (ACLs) had been put in place on the FortiManager devices to restrict external access to only TCP port 541 (FortiGate to FortiManager Protocol). During this attack lifecycle, the threat actor deployed a network traffic redirection utility (TABLEFLIP) and a reverse shell backdoor (REPTILE) on the FortiManager device to circumvent the new ACLs. With the redirection rules established by the TABLEFLIP utility, the hackers were able to access the REPTILE backdoor directly from the Internet for continued access to the environment.

Mandiant suspected the FortiGate and FortiManager devices were compromised because of the connections to VIRTUALPITA from the Fortinet management IP addresses, the researchers revealed. “Additionally, the FortiGate devices with Federal Information Processing Standards (FIPS) compliance mode enabled failed to boot after they were later rebooted. When FIPS mode is enabled, a checksum of the operating system is compared with the checksum of a clean image. Since the operating system was tampered with by the threat actor, the checksum comparison failed, and the FortiGate Firewalls protectively failed to start up,” they added.
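The FIPS-mode boot check described above, and the OpenSSL signature verification of system files that the actor disabled on FortiManager and FortiAnalyzer, both come down to the same defensive idea: compare the files actually present on the device with a known-good manifest that is itself protected by a signature, and refuse to trust the system if either the manifest or any file fails the check. The following is an added example written for this article; it is not Fortinet’s or Mandiant’s code. The file paths, file contents and signing key are constructed placeholders, and an HMAC over the manifest stands in for the vendor’s digital signature so the example runs with only the Python standard library.

```python
"""Verify a set of system files against a signed known-good manifest.

Added example (not Fortinet's or Mandiant's code). Mirrors the FIPS boot check
in the article: hashes of the present files are compared with a clean baseline,
and any mismatch is treated as a reason not to trust the system. The manifest,
files and key are constructed; HMAC-SHA256 stands in for a vendor signature.
"""
import hashlib
import hmac
import json


def sha256_hex(data):
    """SHA-256 of a file's contents as a hex string."""
    return hashlib.sha256(data).hexdigest()


def canonical(files_section):
    """Stable byte encoding of the hash table so the signature is reproducible."""
    return json.dumps(files_section, sort_keys=True).encode()


def build_manifest(files, signing_key):
    """Create a manifest {path: sha256} and sign it (done once, on a clean image)."""
    body = {path: sha256_hex(content) for path, content in files.items()}
    mac = hmac.new(signing_key, canonical(body), hashlib.sha256).hexdigest()
    return {"files": body, "mac": mac}


def manifest_signature_valid(manifest, signing_key):
    """True only if the manifest's hash table has not been altered since signing."""
    expected = hmac.new(signing_key, canonical(manifest["files"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def verify_system(files, manifest, signing_key):
    """Return (ok, findings).

    The manifest signature is checked first: a forged manifest would otherwise
    let a tampered file pass with a matching (attacker-chosen) hash. Then every
    baseline file must be present with the expected hash, and no extra files
    may exist.
    """
    if not manifest_signature_valid(manifest, signing_key):
        return False, ["manifest signature invalid: baseline cannot be trusted"]
    findings = []
    for path, expected in manifest["files"].items():
        if path not in files:
            findings.append("missing: " + path)
        elif sha256_hex(files[path]) != expected:
            findings.append("modified: " + path)
    for path in files:
        if path not in manifest["files"]:
            findings.append("unexpected: " + path)
    return not findings, findings


# Constructed data: a clean image, the same image with one binary replaced and
# one file added, and a manifest the attacker rewrote to match the tampered files
# without being able to re-sign it.
SIGNING_KEY = b"constructed-example-key-not-a-real-secret"
CLEAN_IMAGE = {
    "/bin/example-daemon": b"\x7fELF example daemon v1",
    "/lib/example-crypto.so": b"\x7fELF example crypto library",
    "/etc/example.conf": b"mode=fips\n",
}
MANIFEST = build_manifest(CLEAN_IMAGE, SIGNING_KEY)

TAMPERED_IMAGE = dict(CLEAN_IMAGE)
TAMPERED_IMAGE["/bin/example-daemon"] = b"\x7fELF example daemon with implant"
TAMPERED_IMAGE["/lib/example-extra.so"] = b"\x7fELF dropped library"

FORGED_MANIFEST = {
    "files": {p: sha256_hex(c) for p, c in TAMPERED_IMAGE.items()},
    "mac": MANIFEST["mac"],  # old signature: the attacker cannot produce a new one
}

if __name__ == "__main__":
    print(verify_system(CLEAN_IMAGE, MANIFEST, SIGNING_KEY))
    print(verify_system(TAMPERED_IMAGE, MANIFEST, SIGNING_KEY))
    print(verify_system(TAMPERED_IMAGE, FORGED_MANIFEST, SIGNING_KEY))
```

The ordering matters: the signature is verified before any file hash is consulted, because a baseline the attacker can rewrite is worth nothing. That is why disabling signature verification of system files, as the article reports for the OpenSSL check, is as serious as modifying the files themselves.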

With assistance from Fortinet, Mandiant acquired a forensic image of these failing devices, which led to the discovery of the ICMP port-knocking backdoor CASTLETAP, the researchers said. “Once executed, CASTLETAP created a raw promiscuous socket to sniff network traffic. CASTLETAP then filtered and XOR decoded a 9-byte magic activation string in the payload of an ICMP echo request packet. To decode the C2 information within the ICMP packet, a single-byte XOR key was derived from the Epoch date stamp to decrypt the payload data. This meant the encoding standard changed every day,” they added.

“When the C2 IP address and port was parsed from the activation packet, CASTLETAP initiated a connection to the C2 over an SSL socket. Once this connection was established, CASTLETAP expected the C2 server to initiate a handshake with the 16-byte sequence, echoing the same sequence in response,” the researchers added. “Once connected to the C2, CASTLETAP could accept multiple types of commands over SSL. When a command was successfully received, the backdoor returned the sequence ‘;7(Zu9YTsA7qQ#vw’ as an acknowledgement token; this same string was also sent to signal session termination.”
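Because CASTLETAP listens on a raw socket and reacts to an ICMP echo request carrying an XOR-encoded activation string, the most practical place to hunt for this kind of activation traffic is network capture in front of the firewall management interfaces. The added example below is written for this article and is not Mandiant’s or Fortinet’s code; it parses IPv4/ICMP echo requests, discards payloads that match the fill pattern of ordinary ping tools, and for the remainder reports which single-byte XOR keys turn the payload into printable text, a standard triage heuristic for single-byte XOR obfuscation. The addresses, packets and the “activation string” are constructed placeholders, not the real CASTLETAP magic value.

```python
"""Triage heuristic for ICMP echo requests aimed at appliance management addresses.

Added example (not Mandiant's or Fortinet's code). Flags echo requests whose
payload is not the fill pattern of ordinary ping tools, then lists single-byte
XOR keys under which the payload decodes to printable ASCII. All packets, hosts
and the activation string below are constructed for the example.
"""
import struct

WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # what Windows ping.exe sends


def inet_checksum(data):
    """RFC 1071 one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src, dst, payload, ident=0x4242, seq=1):
    """Build a minimal IPv4 packet carrying an ICMP echo request (test input only)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    addrs = bytes(int(o) for o in src.split(".")) + bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0) + addrs
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_echo_request(pkt):
    """Return (src, dst, payload) for an IPv4 ICMP echo request, else None."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 1:  # IPv4, protocol 1 = ICMP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if len(icmp) < 8 or icmp[0] != 8:  # ICMP type 8 = echo request
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, bytes(icmp[8:])


def is_standard_ping_payload(payload):
    """True for iputils ping (byte i == i after the 16-byte timestamp) and Windows ping.

    A heuristic: unusual but benign ping sizes or patterns will also be flagged.
    """
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    if len(payload) > 16:
        return all(payload[i] == (i & 0xFF) for i in range(16, len(payload)))
    return False


def xor_keys_yielding_text(payload, min_printable=0.9):
    """Single-byte XOR keys under which the payload becomes mostly printable ASCII."""
    keys = []
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in payload)
        printable = sum(0x20 <= b < 0x7F for b in decoded) / len(decoded)
        if printable >= min_printable:
            keys.append(key)
    return keys


def triage_icmp(packets, watched_hosts):
    """Findings for non-standard echo requests sent to watched appliance addresses."""
    findings = []
    for pkt in packets:
        parsed = parse_echo_request(pkt)
        if parsed is None:
            continue
        src, dst, payload = parsed
        if dst not in watched_hosts or not payload or is_standard_ping_payload(payload):
            continue
        findings.append({"src": src, "dst": dst, "payload_len": len(payload),
                         "xor_keys": xor_keys_yielding_text(payload)})
    return findings


# Constructed sample traffic: an ordinary Linux ping, a Windows ping, and one
# echo request whose payload is a made-up activation string XORed with 0x5A.
FIREWALL_MGMT = {"192.0.2.10"}
LINUX_PING_PAYLOAD = b"\x00" * 16 + bytes(range(16, 56))
KNOCK_PAYLOAD = bytes(b ^ 0x5A for b in b"CONSTRUCTED-KNOCK 198.51.100.7:443")
SAMPLE_PACKETS = [
    build_echo_request("192.0.2.55", "192.0.2.10", LINUX_PING_PAYLOAD),
    build_echo_request("192.0.2.56", "192.0.2.10", WINDOWS_PING_PAYLOAD),
    build_echo_request("203.0.113.9", "192.0.2.10", KNOCK_PAYLOAD),
]

if __name__ == "__main__":
    for finding in triage_icmp(SAMPLE_PACKETS, FIREWALL_MGMT):
        print(finding)
```

In a real hunt the packet list would come from a capture taken upstream of the appliance, since the backdoor itself sees the traffic on a raw socket and leaves nothing in the firewall’s own logs. Short payloads decode to printable text under several keys, so the key list is a lead for an analyst rather than a verdict; the stronger signal is simply a non-ping payload arriving at a management address from an unexpected source.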

They added that once CASTLETAP was deployed to the FortiGate firewalls, the threat actor connected to ESXi and vCenter machines. The threat actor deployed VIRTUALPITA and VIRTUALPIE to establish persistence, allowing for continued access to the hypervisors and the guest machines.

In conclusion, Mandiant said that the UNC3886 activity is further evidence that advanced cyber espionage threat actors are taking advantage of any technology available to persist and traverse a target environment, especially those technologies that do not support EDR solutions. This presents a unique challenge for investigators as many network appliances lack solutions to detect runtime modifications made to the underlying operating system and require the direct involvement of the manufacturer to collect forensic images.

It added that cross-organizational communication and collaboration is key to providing both manufacturers with early notice of new attack methods in the wild before they are made public and investigators with expertise to better shed light on these new attacks.

In its latest Internet Crime Complaint Center (IC3) report, the FBI reported that it has seen an increase in an additional extortion tactic used to facilitate ransomware in 2022, even as the number of reported ransomware incidents has decreased. The hackers pressure victims to pay by threatening to publish the stolen data if they do not pay the ransom. The IC3 report comes in the wake of a cyber landscape that provides ample opportunities for criminals and adversaries to target U.S. networks, attack critical infrastructure, hold money and data for ransom, facilitate large-scale fraud schemes, and threaten national security.
