
Here's how Chinese cyber spies exploited a critical Fortinet bug

Looks to be the same baddies attacking VMware hypervisors last year

Suspected Chinese spies have exploited a critical Fortinet bug, and used custom networking malware to steal credentials and maintain network access, according to Mandiant security researchers.

Fortinet fixed the path traversal vulnerability in FortiOS, tracked as CVE-2022-41328, earlier this month. So get patching, if you haven't already.

A few days later, the vendor released a more detailed analysis. It indicated that miscreants were using the flaw in an attempt to attack large organizations, steal their data, and cause OS or file corruption: "The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets."

And in a much more detailed report published today, Mandiant pinned the blame on Chinese hackers, who combined the (then) FortiOS zero day with "multiple" bespoke malware families.

Additionally, this same group of miscreants – Mandiant tracks the group as UNC3886 – was behind cyber espionage attacks that targeted VMware ESXi hypervisors last year, according to the Google-owned threat intel firm.

While the security researchers suspect the group is stealing credentials and sensitive data to support Beijing's goals, no official attribution has been made.

Just a hop, skip and a jump from VMware

At the time of the VMware ESXi hypervisor compromises, Mandiant's threat hunters spotted UNC3886 directly connect from FortiGate and FortiManager devices to a custom-built backdoor called VIRTUALPITA "on multiple occasions," according to the research posted today.

"Mandiant suspected the FortiGate and FortiManager devices were compromised due to the connections to VIRTUALPITA from the Fortinet management IP addresses," the researchers observed. 

They also determined that the miscreants crippled security tools on the target systems. Analyzing these devices led to the discovery of yet another new malware family that Mandiant dubbed CASTLETAP, which is an ICMP port-knocking backdoor.

Breaking into internet-connected security devices

There are two different attack paths that the suspected Chinese criminals have used to compromise Fortinet devices.

The first path, used when the threat actor initially got into the Fortinet ecosystem through a FortiManager device exposed to the internet, relies on the CASTLETAP backdoor plus another novel malware family named THINCRUST.

After gaining access to the internet-facing device, the intruders used THINCRUST, a Python-based backdoor disguised as a legitimate API call, to establish persistence on FortiManager and FortiAnalyzer devices. They then used FortiManager scripts to deploy the CASTLETAP backdoor across multiple FortiGate firewalls; these scripts took advantage of CVE-2022-41328.

The spies exploited the path traversal vulnerability by using the command "execute wireless-controller hs20-icon upload-icon." Normally, this command is used to upload icon files from a server to a FortiGate firewall, where they can be used in HotSpot 2.0 Online Sign-Up portals (HotSpot 2.0 allows devices to switch seamlessly between cellular data and public Wi-Fi). Unfortunately the command had two serious issues, as Mandiant researchers explained:

The command did not validate the type of file being uploaded and was susceptible to a directory traversal exploit allowing a threat actor with Super Administrator privileges to upload a file smaller than 65,535 bytes to any location on the file system. This means that outside of the size constraints of the command, a threat actor could replace any legitimate system file on the FortiGate firewall.
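To make the two flaws concrete, here is an added illustration in Python of an upload handler in the same shape Mandiant describes (a size cap as the only check, no file-type validation, no path normalisation) next to a hardened version that rejects traversal, wrong file types and oversized data. This is example code written for this article, not FortiOS code and not Mandiant's; the icon directory layout, the requirement that icons be PNG files, the traversal filename and the payloads are all constructed for the demonstration.

```python
# Added example: a path-traversal-prone upload handler (vulnerable shape) beside a
# hardened one. Not FortiOS code; directory names, PNG requirement and payloads are
# assumptions made for the demonstration.
import os
import tempfile

MAX_ICON_BYTES = 65_535           # the size cap quoted in the report
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # assumption: icons must be PNG files


class UploadRejected(Exception):
    """Raised by the hardened handler for any input it refuses."""


def vulnerable_upload_icon(icon_dir, filename, data):
    """Vulnerable shape: size is the only check, so '../' in filename escapes icon_dir."""
    if len(data) >= MAX_ICON_BYTES:
        raise UploadRejected("too large")
    dest = os.path.join(icon_dir, filename)  # no normalisation, no type check
    with open(dest, "wb") as f:
        f.write(data)
    return os.path.realpath(dest)


def hardened_upload_icon(icon_dir, filename, data):
    """Hardened: size cap, file-type check, plain-name check, and a containment check."""
    if len(data) >= MAX_ICON_BYTES:
        raise UploadRejected("too large")
    if not data.startswith(PNG_MAGIC):
        raise UploadRejected("not a PNG icon")
    # Only a bare file name is acceptable; anything with a directory part is refused.
    if filename in ("", ".", "..") or os.path.basename(filename) != filename:
        raise UploadRejected("bad filename")
    root = os.path.realpath(icon_dir)
    dest = os.path.realpath(os.path.join(root, filename))
    # Belt and braces: the resolved destination must still live under icon_dir.
    if os.path.commonpath([root, dest]) != root:
        raise UploadRejected("path escapes icon directory")
    with open(dest, "wb") as f:
        f.write(data)
    return dest


def _rejected(fn):
    """True if calling fn raises UploadRejected."""
    try:
        fn()
    except UploadRejected:
        return True
    return False


def run_checks():
    """Exercises both handlers in a throwaway directory tree; returns observations."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        icon_dir = os.path.join(base, "icons")
        os.makedirs(icon_dir)
        os.makedirs(os.path.join(base, "system"))
        traversal_name = "../system/config"      # constructed traversal, hypothetical target
        junk = b"#!/bin/sh\necho not-an-icon\n"  # constructed non-PNG payload
        icon = PNG_MAGIC + b"\x00" * 32          # constructed PNG-looking payload
        root = os.path.realpath(icon_dir)

        # The vulnerable handler happily writes the non-icon outside icon_dir.
        written = vulnerable_upload_icon(icon_dir, traversal_name, junk)
        results["vulnerable_wrote_outside"] = os.path.dirname(written) != root

        # The hardened handler refuses each abuse and accepts a well-formed icon.
        results["hardened_rejects_junk"] = _rejected(
            lambda: hardened_upload_icon(icon_dir, "good.png", junk))
        results["hardened_rejects_traversal"] = _rejected(
            lambda: hardened_upload_icon(icon_dir, traversal_name, icon))
        results["hardened_rejects_oversize"] = _rejected(
            lambda: hardened_upload_icon(icon_dir, "big.png", PNG_MAGIC + b"\x00" * MAX_ICON_BYTES))
        ok = hardened_upload_icon(icon_dir, "good.png", icon)
        results["hardened_accepts_icon"] = os.path.dirname(ok) == root
    return results


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

The point of the hardened version is that neither check alone is enough: the type check stops arbitrary system files being written, and the name and containment checks stop a valid-looking icon from landing anywhere but the icon directory, which is exactly the combination the quoted description says was missing.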

Additionally, in this attack path with FortiManager exposed, Mandiant spotted SSH connections from the Fortinet devices to the ESXi servers, which allowed the miscreants to deploy the VIRTUALPITA malware on the VMware systems. In that way they gained persistent access to the hypervisors and were able to execute commands on guest virtual machines.

The second attack path was used when FortiManager devices weren't exposed to the internet. In these attacks, the FortiManager devices sat behind network access control lists (ACLs) that restricted external access to TCP port 541 only.

To get around the ACLs, the evildoers deployed a traffic redirector (TABLEFLIP) and a reverse shell backdoor (REPTILE) on the FortiManager device, and then accessed the backdoor directly from the internet to maintain access to the environment.

Sensing a pattern yet?

Mandiant's latest Fortinet research comes a week after the researchers published a similar tale of suspected Chinese spies targeting SonicWall gateways and infecting those security devices with credential-stealing malware.

Ben Read, head of Mandiant Cyber Espionage Analysis at Google Cloud, told The Register that in fact it's the fifth such blog Mandiant has put out in the past two years about China using network devices and other systems exposed to the internet.

"We believe the targeting of these devices will continue to be the go-to technique for espionage groups attempting to access hard targets," Read said.

"This is due to their being accessible from the internet, allowing actors to control the timing of the intrusion – and in the case of VPN devices and routers, the large amount of regular inbound connections makes blending in easier." 

"Organizations – especially those in industries historically targeted by Chinese espionage – should take steps to both harden these devices and monitor them for suspicious activity," he warned. ®
