Few tools are available to detect malicious activity on a vulnerable router or other internet-connected device

In March this year, Fortinet had to release a patch for a zero-day vulnerability (CVE-2022-41328) after being notified of sudden system halts and boot failures in its devices.

The affected devices had been reported, starting in mid-2022, to halt with the following error message: “System enters error-mode due to FIPS error: Firmware Integrity self-test failed”.

Investigation found that portions of the Fortinet device’s firmware image had been modified and that a new file had been added. The modified code executed before the regular boot sequence and gave the attacker persistent access to, and control of, the device. At the time, the activity was suspected to be the work of UNC3886, a China-based espionage group previously linked to a malware framework targeting VMware ESXi hypervisors.
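As an added illustration (not Fortinet’s implementation and not code from this article), the check below sketches how a firmware integrity self-test of the kind that produced the error above can catch a tampered image: a signed manifest of per-file SHA-256 digests is verified, then every file in the image is compared against it, and any modified, added or missing file fails the test and halts boot. The image layout, file names and signing key are constructed stand-ins, and an HMAC is used in place of a real firmware signature.

```python
import hashlib
import hmac
import json

# Constructed sample "firmware image": path -> file contents.
# Purely illustrative; not an actual vendor image format.
GOOD_IMAGE = {
    "/bin/init": b"init-binary-v1",
    "/bin/sshd": b"sshd-binary-v1",
    "/etc/boot.rc": b"run /bin/init\n",
}

# Assumed stand-in for the vendor's firmware signing key (a real device
# would verify an asymmetric signature rooted in hardware, not an HMAC).
MANIFEST_KEY = b"constructed-example-key"


def build_manifest(image):
    """Per-file SHA-256 digests plus an HMAC over the digest list."""
    digests = {p: hashlib.sha256(d).hexdigest() for p, d in sorted(image.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    return {"digests": digests, "tag": tag}


def manifest_is_authentic(manifest):
    """Reject a manifest an attacker has rewritten to match a tampered image."""
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def integrity_self_test(image, manifest):
    """Return sorted findings: ('added'|'missing'|'modified', path).

    An empty list means the image matches the manifest exactly.
    A forged manifest is reported as a single ('manifest', '') finding.
    """
    if not manifest_is_authentic(manifest):
        return [("manifest", "")]
    findings = []
    for path, expected in manifest["digests"].items():
        if path not in image:
            findings.append(("missing", path))
        elif hashlib.sha256(image[path]).hexdigest() != expected:
            findings.append(("modified", path))
    for path in image:
        if path not in manifest["digests"]:
            findings.append(("added", path))
    return sorted(findings)


def boot_decision(image, manifest):
    """'boot' if the self-test passes, otherwise 'halt' (as in the error above)."""
    return "boot" if not integrity_self_test(image, manifest) else "halt"


def tampered_image():
    """Constructed tampering: one binary patched, one file added."""
    image = dict(GOOD_IMAGE)
    image["/bin/init"] = b"init-binary-v1-patched"
    image["/bin/implant"] = b"persistence-binary"
    return image


if __name__ == "__main__":
    manifest = build_manifest(GOOD_IMAGE)
    print(boot_decision(GOOD_IMAGE, manifest), integrity_self_test(GOOD_IMAGE, manifest))
    print(boot_decision(tampered_image(), manifest), integrity_self_test(tampered_image(), manifest))
```

The point of the manifest authentication step is that a hash list stored alongside the image is only useful if the attacker who can rewrite the image cannot also rewrite the list; in practice that means the list is signed and the signature is checked against a key the attacker does not control.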

Now, investigators from Mandiant have concluded that the attack originated from a sophisticated, suspected Chinese actor using novel malware designed to run on network security devices, including those used by government and defense organizations. No official attribution has been made, however.

According to the firm, this fits an ongoing pattern: Chinese threat actors have realized there is no good way to detect malicious activity on a router or other internet-connected device sitting inside a corporate network, because few tools are available to defend these systems. As a result, sophisticated Chinese espionage actors can sit and spy on companies for much longer periods without being detected.

Said Charles Carmakal, CTO, Mandiant Consulting: “Chinese espionage operators’ recent victims include defense industrial bases, governments, telecoms, and technology. Given how incredibly difficult they are to find, most organizations cannot identify them on their own. It’s not uncommon for Chinese campaigns to end up as multi-year intrusions. We hope this information and the accompanying hardening steps help more organizations to uncover these long-standing breaches sooner.”