In the year 2021, a cyber espionage actor known as UNC3886, suspected to be linked to China, was discovered targeting strategic organizations by exploiting vulnerabilities in FortiOS and VMware to install backdoors on compromised machines. This threat actor demonstrated a sophisticated and evasive nature by deploying multiple layers of organized persistence to maintain access to network devices, hypervisors, and virtual machines in order to establish alternative channels for access.
In response to these attacks, Fortinet and VMware released patches to address the vulnerabilities exploited by UNC3886. However, further investigation revealed that the threat actor utilized publicly available rootkits for long-term persistence, such as REPTILE, MEDUSA, and SEAELF. These rootkits enabled UNC3886 to hide files, processes, and network connections, as well as listen for specific packets to activate their access to compromised systems.
Furthermore, UNC3886 was found to be exploiting the VMware vCenter vulnerability CVE-2023-34048, allowing remote command execution on vulnerable vCenter machines. In addition to this zero-day exploitation, the threat actor utilized other vulnerabilities, including CVE-2022-41328, CVE-2022-22948, CVE-2023-20867, and CVE-2022-42475, to execute unauthenticated code and commands via specially crafted requests.
In addition to rootkits, UNC3886 employed various malware such as MOPSLED and RIFLESPINE to establish communication channels with compromised machines and the command-and-control server. MOPSLED served as a modular backdoor that retrieved plugins from the server, while RIFLESPINE used Google Drive to transfer files and execute commands, encrypting data using the AES algorithm for communication.
The threat actor’s varied techniques included customized malware that extracted information from TACACS+ authentication in vCenters, indicating a high level of sophistication and intent to maintain long-term access in compromised environments. These actions, along with the deployment of multiple rootkits for persistence, underscored UNC3886’s advanced capabilities and strategic approach to cyber espionage.
In conclusion, the activities of UNC3886 in 2021 highlighted the evolving landscape of cyber threats and the need for organizations to remain vigilant against sophisticated threat actors. By leveraging a combination of vulnerabilities, rootkits, and malware, UNC3886 demonstrated the ability to infiltrate and persist within targeted systems, emphasizing the importance of comprehensive cybersecurity measures to protect against such threats.
Article Source
https://gbhackers.com/unc3886-exploit-VMware-fortinet/amp/
