Chinese Nation-State Actors Exploit Critical Fortinet Bug
March 17th, 2023 |
Chinese nation-state attackers are actively exploiting a critical Fortinet bug to steal credentials and create network access that bypasses the firewall.
Fortinet has issued a patch that addresses the path transversal vulnerability in FortiOS, tracked as CVE-2022-41328. The vendor indicated that miscreants were using this flaw in an attempt to attack large organizations, steal their data, and cause OS or file corruption.
In a more detailed report released today, cyber security researchers at Mandiant security pinned the blame on Chinese hackers – with the FortiOS zero-day vulnerability, and “multiple” bespoke malware families.
These threat actors operate under the name UNC3886 and are known for multiple cyber espionage attacks. This group is suspected of stealing credentials and sensitive data in order to support Beijing’s goals, but no official attribution has been made.
There are two different attack paths that the suspected Chinese criminals have used to compromise Fortinet devices. The first path occurred when the threat actor initially gained access to the Fortinet ecosystem while the FortiManager device was exposed to the internet, using the CASTLETAP backdoor.
A second novel malware, named THINCRUST, was used when FortiManager devices weren’t exposed to the internet. To get around Fortinet’s firewall policies, the threat group used a traffic redirector (TABLEFLIP) and a reverse shell backdoor (REPTILE) on the FortiManager device.
In these attacks, the attackers hijacked the victim’s network creating backdoors as well as controlling all access in and out.
Cyber Insurance carriers have been using Acreto for the past few years to easily mitigate a variety of vulnerabilities in Fortinet, Watchguard and other Internet facing security tools. The Acreto platform is always up-to-date and deploys in under 30 minutes. Most importantly, it deploys transparently without the need to rip-and-replace your existing products in order to become secure.
Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.