Several attacks against government organizations involving the exploitation of a Fortinet FortiOS vulnerability, tracked as CVE-2022-41328, since the middle of last year have been attributed to China-linked attackers UNC3886, reports BleepingComputer. After compromising vulnerable Fortinet devices, UNC3886 proceeded to deploy the Python-based Thincrust backdoor to establish system persistence, while the Castletap backdoor was delivered after several FortiGate firewalls were backdoored with FortiManager scripts, according to a Mandiant report. UNC3886 then distributed the VirtualPita and VirtualPie backdoors to maintain persistence on impacted hypervisors. "We believe the targeting of these devices will continue to be the go to technique for espionage groups attempting to access hard targets. This is due to their being accessible from the internet allowing actors to control the timing of the intrusion, and in the case of VPN devices and routers the large amount of regular inbound connections makes blending in easier," said Mandiant Cyber Espionage Analysis Head Ben Read.