The threat group is using a variety of techniques to evade detection and maintain access to compromised systems after the initial zero-day attacks were detected.

A China-linked cyber espionage group has been employing a mix of techniques to maintain access to systems compromised with popular zero-day exploits, according to Mandiant research. Tracked as UNC3886 by the Google-owned cybersecurity and threat intelligence company, the group has previously been reported exploiting zero-day vulnerabilities in Fortinet, Ivanti, and VMware products.

“Mandiant has observed that UNC3886 employed several layers of organized persistence for redundancy to maintain access to compromised environments over time,” the company said in the research. “Persistence mechanisms encompassed network devices, hypervisors, and virtual machines, ensuring alternative channels remain available even if the primary layer is detected and eliminated.”

A key strategy of UNC3886 involves creating methods that bypass security software, allowing it to infiltrate government and business networks and conduct prolonged espionage on victims without being detected.

Publicly available rootkits for persistence

After exploiting the zero-day vulnerabilities to gain access to vulnerable servers, the threat actor obtains total control of the guest virtual machines. From there, Mandiant observed, the actor has been using two publicly available rootkits — REPTILE and MEDUSA — on the guest virtual machines to maintain access and evade detection.

Rootkits are malicious software intended to gain unauthorized entry to a computer system while hiding their presence and activities. They usually function at a very low level within the system, often with administrative or “root” privileges, enabling them to intercept and modify standard operating system operations.
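The passage above describes kernel-level rootkits that hide their own presence. One cheap triage check a defender can run on a Linux guest is to compare several independent views of the loaded-module set: a loadable kernel module that has unlinked itself from the kernel's module list disappears from /proc/modules (and from lsmod), but its name may still appear as a symbol owner in /proc/kallsyms or as a directory under /sys/module. The following script is an added example written for this article; it is not Mandiant's tooling and is unrelated to the REPTILE or MEDUSA code. The module names and file contents in the demo are constructed, and the rule that only loaded (non-builtin) modules carry an `initstate` file under /sys/module is an assumption used to avoid false positives from compiled-in drivers.

```python
"""Report kernel modules that are visible in secondary views but absent
from /proc/modules. Added example; sample data below is constructed."""
from __future__ import annotations

import re
from pathlib import Path


def parse_proc_modules(text: str) -> set[str]:
    """Module names from /proc/modules text: the first whitespace-separated
    field of each line (e.g. 'ext4 745472 2 - Live 0x...' -> 'ext4')."""
    names: set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if line:
            names.add(line.split()[0])
    return names


def parse_kallsyms_modules(text: str) -> set[str]:
    """Module names that /proc/kallsyms tags in trailing brackets, e.g.
    'ffffffffc0a1b000 t evil_hook\t[evil_lkm]' -> 'evil_lkm'.
    Built-in kernel symbols carry no bracket tag and are ignored."""
    return set(re.findall(r"\[([^\]\s]+)\]\s*$", text, re.MULTILINE))


def hidden_modules(
    proc_modules: set[str],
    sysfs_modules: set[str],
    kallsyms_modules: set[str],
) -> dict[str, list[str]]:
    """Names present in /sys/module or /proc/kallsyms but missing from
    /proc/modules, mapped to the views that still show them."""
    report: dict[str, list[str]] = {}
    for name in sorted(sysfs_modules | kallsyms_modules):
        if name in proc_modules:
            continue
        seen_in = []
        if name in sysfs_modules:
            seen_in.append("/sys/module")
        if name in kallsyms_modules:
            seen_in.append("/proc/kallsyms")
        report[name] = seen_in
    return report


def collect_live() -> dict[str, list[str]]:
    """Run the comparison against the running kernel (Linux, root needed
    for full kallsyms output). Assumption: only loaded modules expose an
    'initstate' file under /sys/module, so built-in drivers are skipped."""
    proc = parse_proc_modules(Path("/proc/modules").read_text())
    sysfs = {
        p.name for p in Path("/sys/module").iterdir() if (p / "initstate").exists()
    }
    ksyms = parse_kallsyms_modules(Path("/proc/kallsyms").read_text())
    return hidden_modules(proc, sysfs, ksyms)


if __name__ == "__main__":
    # Constructed sample: 'evil_lkm' has unlinked itself from the module
    # list but still owns symbols and a sysfs directory.
    proc = parse_proc_modules(
        "ext4 745472 2 - Live 0x0000000000000000\n"
        "nf_tables 245760 0 - Live 0x0000000000000000\n"
    )
    ksyms = parse_kallsyms_modules(
        "ffffffff81000000 T _text\n"
        "ffffffffc0500000 t ext4_fill_super\t[ext4]\n"
        "ffffffffc0a1b000 t evil_hook\t[evil_lkm]\n"
    )
    sysfs = {"ext4", "nf_tables", "evil_lkm"}
    for name, views in hidden_modules(proc, sysfs, ksyms).items():
        print(f"HIDDEN MODULE CANDIDATE: {name} (still visible in {', '.join(views)})")
```

A clean result does not prove the absence of a rootkit, since a module can scrub the other views as well; a non-empty report, however, is almost never benign and justifies pulling the disk and memory for offline analysis rather than trusting further output from the guest.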
“REPTILE appeared to be the rootkit of choice by UNC3886 as it was observed being deployed immediately after gaining access to compromised endpoints,” Mandiant added. “REPTILE is an open-source Linux rootkit, implemented as a loadable kernel module (LKM), that provides backdoor access to a system.”

MEDUSA, too, is an open-source rootkit; it can log user credentials from successful authentications, either local or remote, as well as command executions. “These capabilities are advantageous to UNC3886 as their modus operandi to move laterally using valid credentials,” Mandiant added.

Using a trusted third party as C2

The threat actor was seen using malware, such as MOPSLED and RIFLESPINE, that exploits trusted third-party services including GitHub and Google Drive as command-and-control (C2) channels, while depending on rootkits for maintaining persistence.

MOPSLED is a shellcode-based modular backdoor that can communicate with its C2 server using HTTP or a custom binary protocol over TCP. “Mandiant observed sharing of MOPSLED between other Chinese cyber espionage groups including APT41,” the company added. “Mandiant considered MOPSLED to be an evolution of CROSSWALK, which can act as a network proxy.”

UNC3886 also used RIFLESPINE, a cross-platform backdoor that leverages Google Drive to transfer files and execute commands. “It adopts the CryptoPP library to implement the AES algorithm to encrypt and decrypt the data transmitted between an affected machine and the threat actor,” Mandiant added.

The threat actor, the research noted, relied extensively on acquiring and using valid credentials to move laterally between guest virtual machines running on the compromised VMware ESXi hosts. The actor used different techniques to collect and abuse valid credentials, including backdoored secure shell (SSH) executables.
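The last paragraph mentions backdoored SSH executables as a credential-collection technique. Because a trojanized ssh or sshd still works normally for users, the practical way to catch it is file integrity: hash the binaries and compare against a baseline taken from a trusted, freshly installed image (or from the package manager's own records, as `debsums openssh-client` or `rpm -V openssh-server` do). The script below is an added example written for this article, not Mandiant's detection logic. The binary paths in `SSH_BINARIES` are assumptions about a typical Linux layout, and the file contents used in the demo are constructed stand-ins, not real binaries.

```python
"""Verify SSH binaries against a known-good SHA-256 manifest.
Added example; paths are assumed and demo contents are constructed."""
from __future__ import annotations

import hashlib
import json
from pathlib import Path

# Assumed locations of the OpenSSH client and server on a typical Linux host.
SSH_BINARIES = ["/usr/bin/ssh", "/usr/sbin/sshd", "/usr/bin/ssh-agent"]


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(contents: dict[str, bytes]) -> dict[str, str]:
    """Create a baseline {path: sha256} from trusted file contents.
    In practice, generate this on a clean image before deployment."""
    return {path: sha256_bytes(data) for path, data in contents.items()}


def check_manifest(
    manifest: dict[str, str], current: dict[str, bytes | None]
) -> dict[str, str]:
    """Compare current contents to the baseline.
    Returns 'ok', 'modified' (hash mismatch) or 'missing' (file absent)
    for every path listed in the manifest."""
    results: dict[str, str] = {}
    for path, expected in manifest.items():
        data = current.get(path)
        if data is None:
            results[path] = "missing"
        elif sha256_bytes(data) != expected:
            results[path] = "modified"
        else:
            results[path] = "ok"
    return results


def read_current(paths: list[str]) -> dict[str, bytes | None]:
    """Read the live files for a real check; None when a path is absent."""
    return {p: (Path(p).read_bytes() if Path(p).is_file() else None) for p in paths}


def save_manifest(manifest: dict[str, str], dest: Path) -> None:
    """Persist the baseline; keep it off the monitored host (read-only media
    or a central server), since an attacker with root can rewrite local copies."""
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


if __name__ == "__main__":
    # Constructed demo: baseline built from 'clean' stand-in contents, then
    # checked against a state where sshd was replaced and ssh-agent removed.
    clean = {
        "/usr/bin/ssh": b"constructed clean ssh binary",
        "/usr/sbin/sshd": b"constructed clean sshd binary",
        "/usr/bin/ssh-agent": b"constructed clean ssh-agent binary",
    }
    baseline = build_manifest(clean)
    observed = {
        "/usr/bin/ssh": clean["/usr/bin/ssh"],
        "/usr/sbin/sshd": b"constructed clean sshd binary" + b"\x00credential logger",
        "/usr/bin/ssh-agent": None,
    }
    for path, status in check_manifest(baseline, observed).items():
        print(f"{status:8s} {path}")
    # For a live host: check_manifest(baseline, read_current(SSH_BINARIES))
```

Run the check from outside the suspect guest where possible (for example against a snapshot of its disk mounted read-only), because a rootkit of the kind described earlier can intercept file reads on the live system and serve the original bytes to the checker.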
Mandiant warned users that virtual machines are becoming more appealing targets for threat actors because of their widespread use in cloud environments and their crucial role in modern IT infrastructure. To protect against the recently identified techniques, users should patch vulnerabilities commonly exploited by UNC3886, including CVE-2022-41328, CVE-2022-22948, CVE-2023-20867, and CVE-2022-42475.