UNC3886 has been implicated in attacks that use novel malware to compromise sensitive government and defense networks through zero-day backdoors

Recent research revealed that threat actors, aware that “there are not many tools available” to defend against malicious activity on a router or other internet-connected device inside a corporate network, tend to focus on this vector, deploying novel malware against network security devices, including those used by government and defense organizations.

As a result, sophisticated espionage actors are able to sit and spy on target organizations for much longer periods without being detected. In one case this month, Fortinet had to release a patch for a vulnerability, a zero-day at the time, in the operating system of multiple security devices.

The threat actor in this incident had been found to have used the following approach:

    1. Utilized a local directory traversal zero-day (CVE-2022-41328) exploit to write files to the system’s firewall disks outside of the normal bounds allowed with shell access
    2. Maintained persistent access with Super Administrator privileges within firewalls through ICMP port knocking
    3. Circumvented firewall rules active on the devices with a passive traffic redirection utility, enabling continued connections to persistent backdoors with Super Administrator privileges
    4. Established persistence on Fortinet security devices through a custom API endpoint created within the devices
    5. Disabled OpenSSL 1.1.0 digital signature verification of system files through targeted corruption of boot files

Mandiant researchers, who discovered the exploit, attributed this activity to UNC3886, a group they suspect is linked to China and associated with the novel VMware ESXi hypervisor malware framework disclosed in September 2022. At the time of the discovery, the researchers observed UNC3886 connecting directly from the Fortinet devices to VIRTUALPITA backdoors on multiple occasions.

Although the firm has not officially attributed the incident to Chinese threat actors, its CTO Charles Carmakal noted: “Chinese espionage operators’ recent victims include DIB, government, telecoms, and technology. Given how incredibly difficult (such intrusions) are to find, most organizations cannot identify them on their own. It’s not uncommon for Chinese campaigns to end up as multi-year intrusions.”