UNC3886 Uses Fortinet, VMware 0-Days and Stealth Tactics in Long-Term Spying

June 19, 2024

The China-nexus cyber espionage actor linked to the zero-day exploitation of security flaws in Fortinet, Ivanti, and VMware devices has been observed utilizing multiple persistence mechanisms in order to maintain unfettered access to compromised environments.

"Persistence mechanisms encompassed network devices, hypervisors, and virtual machines, ensuring alternative channels remain available even if the primary layer is detected and eliminated," Mandiant researchers said in a new report.

The threat actor in question is UNC3886, which the Google-owned threat intelligence company branded as "sophisticated, cautious, and evasive."

Attacks orchestrated by the adversary have leveraged zero-day flaws such as CVE-2022-41328 (Fortinet FortiOS), CVE-2022-22948 (VMware vCenter), and CVE-2023-20867 (VMware Tools) to perform various malicious actions, ranging from deploying backdoors to obtaining credentials for deeper access.

It has also been observed exploiting CVE-2022-42475, another shortcoming impacting Fortinet FortiGate, shortly after its public disclosure by the network security company.

These intrusions have primarily singled out entities in North America, Southeast Asia, and Oceania, with additional victims identified in Europe, Africa, and other parts of Asia. Targeted industries span governments, telecommunications, technology, aerospace and defense, and energy and utility sectors.

A notable tactic in UNC3886's arsenal is that it developed techniques that evade security software and enable it to burrow into government and business networks and spy on victims for extended periods of time without detection.

This entails the use of publicly available rootkits like Reptile and Medusa on guest virtual machines (VMs), the latter of which is deployed using an installer component dubbed SEAELF.

"Unlike Reptile, which only provides an interactive access with rootkit functionalities, Medusa exhibits capabilities of logging user credentials from the successful authentications, either locally or remotely, and command executions," Mandiant noted. "These capabilities are advantageous to UNC3886 as their modus operandi to move laterally using valid credentials."

Also delivered on the systems are two backdoors named MOPSLED and RIFLESPINE that take advantage of trusted services like GitHub and Google Drive as command-and-control (C2) channels.

MOPSLED, a likely evolution of the Crosswalk malware, is a shellcode-based modular implant that communicates over HTTP to retrieve plugins from a GitHub C2 server, while RIFLESPINE is a cross-platform tool that makes use of Google Drive to transfer files and execute commands.

Mandiant said it also spotted UNC3886 deploying backdoored SSH clients to harvest credentials post the exploitation of CVE-2023-20867 as well as leveraging Medusa to set up custom SSH servers for the same purpose.

"The threat actor's first attempt to extend their access to the network appliances by targeting the TACACS server was the use of LOOKOVER," it noted. "LOOKOVER is a sniffer written in C that processes TACACS+ authentication packets, performs decryption, and writes its contents to a specified file path."

Some of the other malware families delivered during the course of attacks aimed at VMware instances are below -

A trojanized version of a legitimate TACACS daemon with credential-logging functionality
VIRTUALSHINE, a VMware VMCI sockets-based backdoor that provides access to a bash shell
VIRTUALPIE, a Python backdoor that supports file transfer, arbitrary command execution, and reverse shell capabilities
VIRTUALSPHERE, a controller module associated with a VMCI-based backdoor

Over the years, virtual machines have become lucrative targets for threat actors owing to their widespread use in cloud environments.

"A compromised VM can provide attackers with access to not only the data within the VM instance but also the permissions assigned to it," Palo Alto Networks Unit 42 said. "As compute workloads like VMs are generally ephemeral and immutable, the risk posed by a compromised identity is arguably greater than that of compromised data within a VM."

Organizations are advised to follow the security recommendations within the Fortinet and VMware advisories to secure against potential threats.