Chinese Hacking Group UNC3886 Linked to Zero-Day Exploitation of Fortinet FortiOS Flaw

A recent report by threat intelligence firm Mandiant has revealed that a Chinese hacking group, UNC3886, has been linked to the exploitation of a zero-day vulnerability in the Fortinet FortiOS operating system. The group was able to use the vulnerability to deploy backdoors onto Fortinet and VMware solutions, allowing them to gain persistent access to victim environments. UNC3886 is described as an advanced cyber espionage group with unique capabilities in how they operate on-network and the tools they use in their campaigns. The group has previously been tied to another intrusion set targeting VMware ESXi and Linux vCenter servers.

Mandiant traced attacks by UNC3886 against Fortinet's FortiGate, FortiManager, and FortiAnalyzer appliances, which the group used to deploy two different implants, known as THINCRUST and CASTLETAP. The group's ability to manipulate firewall firmware and exploit a zero-day vulnerability indicates a deep understanding of these technologies. The attacks resulted in data loss and OS and file corruption, leading to the patching of the vulnerability, tracked as CVE-2022-41328.

The persistence afforded by THINCRUST is subsequently leveraged to deliver FortiManager scripts that weaponize the FortiOS path traversal flaw to overwrite legitimate files and modify firmware images. Additionally, the group employed TABLEFLIP, a network traffic redirection utility, to connect directly to the FortiManager device regardless of the access-control list (ACL) rules in place. UNC3886 has been observed targeting firewall and virtualization technologies that lack EDR support, further evidence that advanced cyber espionage threat actors take advantage of any available technology to persist in and traverse a target environment.

Mitigation recommendations include regular patching of all software systems to prevent zero-day exploits, limiting internet-facing network devices, and implementing a defense-in-depth approach to network security. Organizations should also consider the deployment of EDR solutions to protect against advanced cyber espionage threat actors. Additionally, companies should monitor their networks for unusual activity and implement strict access controls to limit the potential damage of a successful attack.

In conclusion, the recent zero-day exploit in the Fortinet FortiOS operating system has been linked to the Chinese hacking group UNC3886. The group's ability to exploit zero-day vulnerabilities in firewall and virtualization technologies indicates a deep understanding of these technologies. It is therefore crucial for organizations to regularly patch all software systems, limit internet-facing network devices, and implement a defense-in-depth approach to network security. The deployment of EDR solutions and strict access controls can also help protect against advanced cyber espionage threat actors.