Here's how Chinese cyber spies exploited a critical Fortinet bug
Suspected Chinese spies have exploited a critical Fortinet bug, and used custom networking malware to steal credentials and maintain network access, according to Mandiant security researchers.
"Mandiant suspected the FortiGate and FortiManager devices were compromised due to the connections to VIRTUALPITA from the Fortinet management IP addresses," the researchers observed.
There are two different attack paths that the suspected Chinese criminals have used to compromise Fortinet devices.
The first path, used when the threat actor initially gained access to the Fortinet ecosystem while the FortiManager device was exposed to the internet, relies on the CASTLETAP backdoor plus another novel malware named THINCRUST. After gaining access to an internet-facing device, the criminals used THINCRUST, a Python-based backdoor disguised as a legitimate API call, to establish persistence on FortiManager and FortiAnalyzer devices.
Mandiant's latest Fortinet research comes a week after the researchers published a similar tale of suspected Chinese spies targeting SonicWall gateways and infecting those security devices with credential-stealing malware.
Ben Read, head of Mandiant Cyber Espionage Analysis at Google Cloud, told The Register that in fact it's the fifth such blog Mandiant has put out in the past two years about China using network devices and other systems exposed to the internet.
News URL
https://go.theregister.com/feed/www.theregister.com/2023/03/17/chinese_cyberspies_fortinet_bug/
Related news
- CISA says critical Fortinet RCE flaw now exploited in attacks
- CISA Warns of Critical Fortinet Flaw as Palo Alto and Cisco Issue Urgent Security Patches
- CISA adds fresh Ivanti vuln, critical Fortinet bug to hall of shame
- Fortinet releases patches for undisclosed critical FortiManager vulnerability
- Fortinet warns of new critical FortiManager flaw used in zero-day attacks
- Fortinet Warns of Critical Vulnerability in FortiManager Under Active Exploitation
- Week in review: Fortinet patches critical FortiManager 0-day, VMware fixes vCenter Server RCE
- Chinese hackers exploit Fortinet VPN zero-day to steal credentials