Chinese Hackers Targeting Security and Network Appliances

Fortinet Patches Zero-Day Exploited by Suspected Beijing Hacking Group UNC3886
Chinese threat actors are turning security appliances into penetration pathways, forcing firewall maker Fortinet to again attempt to fend off hackers with a patch.
Researchers from Mandiant say a suspected Beijing hacking group it tracks as UNC3886 has been targeting firewall and virtualization appliances.
The group, Mandiant said in a Thursday blog post, exploited a now-patched path traversal zero-day, tracked as CVE-2022-41328, in FortiOS to gain persistence on FortiGate and FortiManager devices. Such footholds can give hackers years of uninterrupted access to internal networks.
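To make the bug class named above concrete, here is an added illustration of a path traversal flaw beside a hardened version. It is example code written for this page, not Fortinet code and not a reproduction of CVE-2022-41328; the base directory, function names and the sample inputs are all assumed.

```python
import posixpath

# Assumed directory the application intends to confine file access to (illustrative,
# not a real FortiOS path).
BASE_DIR = "/data/allowed"


def resolve_unsafe(user_path: str) -> str:
    """Vulnerable pattern: join caller-supplied input under BASE_DIR and normalise,
    but never check that the result is still inside BASE_DIR. A '../' sequence, or an
    absolute path (which posixpath.join treats as replacing the base), escapes it."""
    return posixpath.normpath(posixpath.join(BASE_DIR, user_path))


def resolve_safe(user_path: str) -> str:
    """Hardened pattern: reject absolute input, normalise, then require the result to
    be BASE_DIR itself or a path strictly below it. The trailing '/' in the prefix
    check stops a sibling such as '/data/allowed2' from passing as a prefix match."""
    if user_path.startswith("/"):
        raise ValueError("absolute paths are not allowed")
    base = posixpath.normpath(BASE_DIR)
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    if candidate != base and not candidate.startswith(base + "/"):
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return candidate


def is_contained(user_path: str) -> bool:
    """True if the hardened resolver accepts the input, False if it rejects it."""
    try:
        resolve_safe(user_path)
        return True
    except ValueError:
        return False


# Constructed inputs: two benign, three traversal attempts.
SAMPLE_INPUTS = [
    "config/backup.conf",
    ".",
    "../../etc/passwd",
    "/etc/passwd",
    "../allowed2/secret",
]


def compare_resolvers(inputs=SAMPLE_INPUTS) -> dict:
    """Map each input to (what the unsafe resolver would open, whether the safe one allows it)."""
    return {p: (resolve_unsafe(p), is_contained(p)) for p in inputs}


if __name__ == "__main__":
    for p, (unsafe, allowed) in compare_resolvers().items():
        print(f"{p!r:24} unsafe -> {unsafe:28} safe allows: {allowed}")
```

The string-based check above is only as good as the lexical path: if the confined directory contains symlinks, an attacker can still reach outside it through a link that normalisation does not follow. On a real filesystem, resolve with `os.path.realpath` (or open with `O_NOFOLLOW` semantics) before applying the prefix check.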
A threat cluster related to UNC3886 also targeted a Fortinet zero-day in a campaign that involved delivery of a custom backdoor "specifically designed to run on FortiGate firewalls" (see: Fortinet VPN Flaw Shows Pitfalls of Security Appliances).
Victims of the campaign include defense, telecommunications and technology firms as well as government agencies, Mandiant says. Beijing has a long-standing practice of stealing trade secrets in its bid to compete as a 21st-century superpower. U.S. intelligence agencies recently characterized China as representing "the broadest, most active and persistent cyberespionage threat to U.S. government and private-sector networks." The British government on Monday unveiled a new national agency dedicated to working with the private sector to stymie national security threats, including foreign hackers (see: UK Unveils Agency to Counter Threats to Private Sector).
Thursday's disclosure comes just days after Mandiant identified a separate suspected Chinese campaign targeting the SonicWall Secure Mobile Access appliance. UNC3886 is also likely responsible for a campaign unmasked in September against VMware ESXi servers.
State-sponsored hackers with the resources to deeply understand complex targets that ordinary endpoint detection tools do not cover pose a distinct challenge, Mandiant says. Many appliances cannot detect runtime modifications to their underlying operating system and "require direct involvement of the manufacturer to collect forensic images."
"We believe the targeting of these devices will continue to be the go-to technique for espionage groups attempting to access hard targets," said Ben Read, head of the Mandiant cyberespionage analysis team.