Mandiant has attributed to UNC3886 a series of attacks on Fortinet's FortiGate, FortiManager, and FortiAnalyzer appliances, in which the group deployed two implants, known as THINCRUST and CASTLETAP. The group's ability to manipulate firewall firmware and exploit a zero-day vulnerability indicates a deep understanding of these technologies. The attacks resulted in data loss and OS and file corruption, and led to the patching of the exploited vulnerability, tracked as CVE-2022-41328.
Source: https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem
Mitigation recommendations include regular patching of all software systems to prevent zero-day exploits, limiting internet-facing network devices, and implementing a defense-in-depth approach to network security. Organizations should also consider the deployment of EDR solutions to protect against advanced cyber espionage threat actors. Additionally, companies should monitor their networks for unusual activity and implement strict access controls to limit the potential damage of a successful attack.
In conclusion, the recent zero-day exploit in the Fortinet FortiOS operating system has been linked to a Chinese hacking group, UNC3886. The group's ability to exploit zero-day vulnerabilities in firewall and virtualization technologies indicates they have a deeper level of understanding of such technologies. Therefore, it is crucial for organizations to regularly patch all software systems, limit internet-facing network devices, and implement a defense-in-depth approach to network security. The deployment of EDR solutions and strict access controls can also protect against advanced cyber espionage threat actors.