Several attacks against government organizations involving the exploitation of a Fortinet FortiOS vulnerability, tracked as CVE-2022-41328, since the middle of last year have been attributed to China-linked attackers UNC3886, reports BleepingComputer.
After compromising vulnerable Fortinet devices, UNC3886 proceeded to deploy the Python-based Thincrust backdoor to establish system persistence, while the Castletap backdoor was delivered after several FortiGate firewalls were backdoored with FortiManager scripts, according to a Mandiant report.
UNC3886 then distributed the VirtualPita and VirtualPie backdoors to maintain persistence on impacted hypervisors.
"We believe the targeting of these devices will continue to be the go to technique for espionage groups attempting to access hard targets. This is due to their being accessible from the internet allowing actors to control the timing of the intrusion, and in the case of VPN devices and routers the large amount of regular inbound connections makes blending in easier," said Mandiant Cyber Espionage Analysis Head Ben Read.
Several U.S. defense and government organizations have been targeted by state-backed Chinese hacking group Bronze Silhouette, also known as Volt Typhoon, for military intelligence over a period of at least two years, according to The Record, a news site by cybersecurity firm Recorded Future.
Russian, North Korean, and Iranian advanced persistent threat operations have been launching more attacks aimed at compromising small- and medium-sized businesses, as well as their regional managed service providers, reports SecurityWeek.