Fortinet zero-day attacks linked to suspected Chinese hackers (Security News, March 2023)

A suspected Chinese hacking group has been linked to a series of attacks on government organizations exploiting a Fortinet zero-day vulnerability to deploy malware.
The security flaw allowed threat actors to deploy malware payloads by executing unauthorized code or commands on unpatched FortiGate firewall devices, as Fortinet disclosed last week.
The firewalls were compromised using a CVE-2022-41328 FortiGate path traversal exploit, and their simultaneous shutdown led Fortinet to suspect the attack originated from a FortiManager device.
The company said these were highly targeted attacks against government networks and large organizations, with the attackers also showcasing "Advanced capabilities," including reverse-engineering the FortiGate devices' operating system.
While jointly investigating the incident with Fortinet, Mandiant found that, after breaching the Fortinet devices, UNC3886 backdoored them using two new malware strains for continued access to the victims' networks: a Python-based Thincrust backdoor and the ICMP port-knocking Castletap passive backdoor.
On devices configured to restrict access from the Internet, the attackers installed a traffic redirector and a passive backdoor after pivoting from FortiGate firewalls previously backdoored using Castletap.
Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-03-07 | CVE-2022-41328 | Path Traversal vulnerability in Fortinet FortiOS: an improper limitation of a pathname to a restricted directory ('path traversal') [CWE-22] in Fortinet FortiOS versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.9, and before 6.4.11 allows a privileged attacker to read and write files on the underlying Linux system via crafted CLI commands. | 7.1 |
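The weakness class in the table, CWE-22, is a failure to keep a user-supplied pathname inside a restricted directory. The following is an added, generic illustration of how a file-access routine contains that class of bug; it is not FortiOS code and says nothing about how CVE-2022-41328 itself is triggered. It assumes a hypothetical `restricted` base directory and uses filesystem resolution (which follows `..` and symlinks) plus a containment check instead of string-prefix matching, which the comments explain.

```python
import tempfile
from pathlib import Path, PurePosixPath


def resolve_within(base_dir, requested):
    """Resolve `requested` relative to `base_dir`.

    Returns the real, absolute Path if it stays inside `base_dir`,
    or None if the request would escape the restricted directory.
    """
    base = Path(base_dir).resolve()
    # An absolute request would replace `base` entirely when joined, so
    # reject it before doing any path arithmetic.
    if PurePosixPath(requested).is_absolute():
        return None
    # resolve() collapses ".." components and follows symlinks, so the
    # containment check below sees where the file really lives.
    candidate = (base / requested).resolve()
    # relative_to() is a component-wise check. A naive
    # str(candidate).startswith(str(base)) would wrongly accept
    # "/srv/restricted2" as being inside "/srv/restricted".
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def read_restricted(base_dir, requested):
    """Read a file only if it resolves inside `base_dir`; refuse otherwise."""
    target = resolve_within(base_dir, requested)
    if target is None:
        raise PermissionError(f"refusing path outside restricted dir: {requested!r}")
    return target.read_text()


def symlink_escape_demo():
    """Constructed scenario: a symlink inside the base that points outside it.

    Returns True when the traversal check correctly rejects the link.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp, "restricted")
        base.mkdir()
        outside = Path(tmp, "outside.txt")
        outside.write_text("constructed secret outside the restricted dir")
        (base / "link").symlink_to(outside)
        return resolve_within(base, "link") is None


if __name__ == "__main__":
    # Constructed sample requests against a hypothetical restricted directory.
    for req in ["sub/a.conf", "../../etc/passwd", "/etc/passwd", "sub/../../x"]:
        print(f"{req!r:>20} -> {resolve_within('/srv/restricted', req)}")
    print("symlink escape rejected:", symlink_escape_demo())
```

The design point is that containment must be decided on the resolved path, after `..` collapsing and symlink following, and with a component-wise comparison; checking the raw string for `..` or comparing string prefixes are both well-known ways to get CWE-22 wrong.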