
Chinese Hackers Targeting Security and Network Appliances

Fortinet Patches Zero-Day Exploited by Suspected Beijing Hacking Group UNC3886

Chinese threat actors are turning security appliances into penetration pathways, forcing firewall maker Fortinet to again attempt to fend off hackers with a patch.


Researchers from Mandiant say a suspected Beijing-backed hacking group it tracks as UNC3886 has been targeting firewall and virtualization appliances.

The group, Mandiant said in a Thursday blog post, exploited a now-patched path traversal zero-day vulnerability in the Fortinet operating system, tracked as CVE-2022-41328, in order to gain persistence on FortiGate and FortiManager products. Such intrusions can give hackers years of uninterrupted access to internal networks.

A threat cluster related to UNC3886 also targeted a Fortinet zero-day in a campaign that involved delivery of a custom backdoor "specifically designed to run on FortiGate firewalls" (see: Fortinet VPN Flaw Shows Pitfalls of Security Appliances).

Victims of the campaign include firms in the defense, telecommunications and technology sectors, as well as government agencies, Mandiant says. Beijing has a long-standing practice of stealing trade secrets in its bid to compete as a 21st-century superpower. U.S. intelligence agencies recently characterized China as representing "the broadest, most active and persistent cyberespionage threat to U.S. government and private-sector networks." The British government on Monday unveiled a new national agency dedicated to working with the private sector to stymie national security threats, including foreign hackers (see: UK Unveils Agency to Counter Threats to Private Sector).

Thursday's disclosure comes just days after Mandiant identified a suspected Chinese campaign targeting the SonicWall Secure Mobile Access appliance. The same group is also likely responsible for a campaign unmasked in September against VMware ESXi servers.

State-sponsored hackers with the wherewithal to deeply understand complex targets that lie outside the reach of conventional endpoint detection are uniquely challenging, Mandiant says. Many appliances cannot detect runtime modifications made to the underlying operating system and "require direct involvement of the manufacturer to collect forensic images."

"We believe the targeting of these devices will continue to be the go-to technique for espionage groups attempting to access hard targets," said Ben Read, head of the Mandiant cyberespionage analysis team.


About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.



