Security News > 2023 > March > Chinese Hackers Exploit Fortinet Zero-Day Flaw for Cyber Espionage Attack
The zero-day exploitation of a now-patched medium-security flaw in the Fortinet FortiOS operating system has been linked to a suspected Chinese hacking group.
Threat intelligence firm Mandiant, which made the attribution, said the activity cluster is part of a broader campaign designed to deploy backdoors onto Fortinet and VMware solutions and maintain persistent access to victim environments.
The Google-owned threat intelligence and incident response firm is tracking the malicious operation under its uncategorized moniker UNC3886, a China-nexus threat actor.
"UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns," Mandiant researchers said in a technical analysis.
It's worth noting that the adversary was previously tied to another intrusion set targeting VMware ESXi and Linux vCenter servers as part of a hyperjacking campaign designed to drop backdoors such as VIRTUALPITA and VIRTUALPIE. The latest disclosure from Mandiant comes as Fortinet revealed that government entities and large organizations were victimized by an unidentified threat actor by leveraging a zero-day bug in Fortinet FortiOS software to result in data loss and OS and file corruption.
"The activity is further evidence that advanced cyber espionage threat actors are taking advantage of any technology available to persist and traverse a target environment, especially those technologies that do not support EDR solutions," Mandiant said.
- Fortinet zero-day attacks linked to suspected Chinese hackers (source)
- Chinese Hackers Utilize Golang Malware in DragonSpark Attacks to Evade Detection (source)
- Cyber Espionage Group Earth Kitsune Deploys WhiskerSpy Backdoor in Latest Attacks (source)
- Hackers now exploit critical Fortinet bug to backdoor servers (source)
- Fortinet: New FortiOS bug used as zero-day to attack govt networks (source)
- UK warns of increased attacks from Russian, Iranian hackers (source)
- Google Fi data breach let hackers carry out SIM swap attacks (source)
- North Korean Hackers Exploit Unpatched Zimbra Devices in 'No Pineapple' Campaign (source)
- GoAnywhere MFT zero-day vulnerability lets hackers breach servers (source)
- Warning: Hackers Actively Exploiting Zero-Day in Fortra's GoAnywhere MFT (source)