A recent report by Mandiant has revealed that a China-linked cyber espionage actor tracked as UNC3886 has been exploiting zero-day vulnerabilities in Fortinet, Ivanti, and VMware products. The actor has layered multiple persistence mechanisms to keep access to compromised environments, with footholds on network devices, hypervisors, and virtual machines alike.
The attacks orchestrated by UNC3886 have targeted companies primarily in North America, Southeast Asia, and Oceania, with additional victims in Europe, Africa, and other parts of Asia. Industries such as government, telecommunications, technology, aerospace and defense, and energy and utilities have been affected.
One of the key tactics used by UNC3886 is the deployment of malware designed to evade security software and remain undetected in government and corporate networks for extended periods. Publicly available Linux rootkits such as Reptile and Medusa are deployed on guest virtual machines; Medusa can also log user credentials from successful authentications and execute commands, giving the threat actor valid credentials with which to move laterally within the network.
Two backdoors called MOPSLED and RIFLESPINE have also been utilized by UNC3886, using trusted services like GitHub and Google Drive as command-and-control channels. These backdoors allow for communication and file transfers between the attacker and compromised systems.
VMware instances have been targeted with a variety of malware families during these attacks, including a trojanized version of a legitimate TACACS daemon as well as VIRTUALSHINE, VIRTUALPIE, and VIRTUALSPHERE, which provide backdoor access to and control over the compromised systems.
Virtual machines have become attractive targets for threat actors because of their widespread use in cloud environments. Compromising a VM not only gives attackers access to the data within the instance but also to the permissions and identities bound to it, so a single compromised workload can become a compromised identity within the organization.
To protect themselves, organizations are advised to follow the security recommendations and patch guidance in the advisories published by Fortinet and VMware. By staying informed and applying those mitigations, companies can reduce the risk of falling victim to cyber espionage activity like that carried out by UNC3886.
Article Source
https://thehackernews.com/2024/06/chinese-cyber-espionage-group-exploits.html