Chinese Hackers Exploit Fortinet Zero-Day Flaw for Cyber Espionage Attack

Mar 18, 2023Ravie LakshmananNetwork Security / Cyber Espionage

The zero-day exploitation of a now-patched medium-severity security flaw in the Fortinet FortiOS operating system has been linked to a suspected Chinese hacking group.

Threat intelligence firm Mandiant, which made the attribution, said the activity cluster is part of a broader campaign designed to deploy backdoors onto Fortinet and VMware solutions and maintain persistent access to victim environments.

The Google-owned threat intelligence and incident response firm is tracking the malicious operation under its uncategorized moniker UNC3886, a China-nexus threat actor.

“UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns,” Mandiant researchers said in a technical analysis.

“UNC3886 has been observed targeting firewall and virtualization technologies which lack EDR support. Their ability to manipulate firewall firmware and exploit a zero-day indicates they have curated a deeper-level of understanding of such technologies.”

It’s worth noting that the adversary was previously tied to another intrusion set targeting VMware ESXi and Linux vCenter servers as part of a hyperjacking campaign designed to drop backdoors such as VIRTUALPITA and VIRTUALPIE.

The latest disclosure from Mandiant comes as Fortinet revealed that government entities and large organizations were victimized by an unidentified threat actor by leveraging a zero-day bug in Fortinet FortiOS software to result in data loss and OS and file corruption.

The vulnerability, tracked as CVE-2022-41328 (CVSS score: 6.5), concerns a path traversal bug in FortiOS that could lead to arbitrary code execution. It was patched by Fortinet on March 7, 2023.

According to Mandiant, the attacks mounted by UNC3886 targeted Fortinet’s FortiGate, FortiManager, and FortiAnalyzer appliances to deploy two different implants such as THINCRUST and CASTLETAP. This, in turn, was made possible owing to the fact that the FortiManager device was exposed to the internet.

THINCRUST is a Python backdoor capable of executing arbitrary commands as well as reading and writing from and to files on disk.

The persistence afforded by THINCRUST is subsequently leveraged to deliver FortiManager scripts that weaponize the FortiOS path traversal flaw to overwrite legitimate files and modify firmware images.

This includes a newly added payload called “/bin/fgfm” (referred to as CASTLETAP) that beacons out to an actor-controlled server so as to accept incoming instructions that allow it to run commands, fetch payloads, and exfiltrate data from the compromised host.

“Once CASTLETAP was deployed to the FortiGate firewalls, the threat actor connected to ESXi and vCenter machines,” the researchers explained. “The threat actor deployed VIRTUALPITA and VIRTUALPIE to establish persistence, allowing for continued access to the hypervisors and the guest machines.”

Alternatively, on FortiManager devices that implement internet access restrictions, the threat actor is said to have pivoted from a FortiGate firewall compromised with CASTLETAP to drop a reverse shell backdoor named REPTILE (“/bin/klogd”) on the network management system to regain access.


Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company’s SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.


Also employed by UNC3886 at this stage is a utility dubbed TABLEFLIP, a network traffic redirection software to connect directly to the FortiManager device regardless of the access-control list (ACL) rules put in place.

This is far from the first time Chinese adversarial collectives have targeted networking equipment to distribute bespoke malware, with recent attacks taking advantage of other vulnerabilities in Fortinet and SonicWall devices.

The revelation also comes as threat actors are developing and deploying exploits faster than ever before, with as many as 28 vulnerabilities exploited within seven days of public disclosure — a 12% rise over 2021 and an 87% rise over 2020, according to Rapid7.

This is also significant, not least because China-aligned hacking crews have become “particularly proficient” at exploiting zero-day vulnerabilities and deploying custom malware to steal user credentials and maintain long-term access to target networks.

“The activity […] is further evidence that advanced cyber espionage threat actors are taking advantage of any technology available to persist and traverse a target environment, especially those technologies that do not support EDR solutions,” Mandiant said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

What Is Mirai Malware and Who Is at Risk? – Originally released to disable Minecraft servers, this botnet has since caused chaos through DDoS attacks. Here’s what you need to know.

Tweeted by @KhalifaBelghuz1

Owner of Breach Forums Pompompurin Arrested in New York

Owner of Breach Forums Pompompurin Arrested in New York

Pompompurin has been charged with a single count of conspiracy to commit access device fraud.

Conor Brian Fitzpatrick (aka Pompompurin, aka Pom), a 2021 graduate of Peekskill High School, has been arrested for running the notorious dark web data breach site BreachForums, according to FBI Special Agent John Longmire.

It is worth noting that Breach Forums surfaced as an alternative to the popular and now-seized Raidforums in 2022.

Owner of Breach Forums Pompompurin Arrested in New York
Pompompurin’s profile on Breach Forums (Screen credit:

Fitzpatrick was arrested by a team of investigators at his home in Peekskill, New York, on Wednesday and charged with a single count of conspiracy to commit access device fraud. His arrest has also been confirmed by administrators of the forum, can confirm.

BreachForums, which hosted the stolen databases of almost 1,000 companies and websites, was a well-known site among cybercriminals who sold personal information, including names, emails, and passwords.

This is the same forum where sensitive data, such as the US No Fly List, FBI’s InfraGard, DC Health Link with Members of Congress data, and more, were recently leaked.

Fitzpatrick, who operated under the name “pompompurin” on the site, admitted to being the owner and operator of the site, according to Longmire’s statement.

Cybersecurity investigators had been closely monitoring Fitzpatrick for over a year before his arrest, considering him a significant player in the cybercrime ecosystem. In November 2021, Fitzpatrick claimed responsibility for sending out fake emails from a “” email address.

Breach Forums to Stay Online

At the time of publishing this article, the Breach Forums were still accessible and the dataset of 888 companies and organizations was available for download. This is because one of the forum administrators, who goes by the alias Baphomet, has claimed responsibility for taking over the forum to keep it running and protect it from being seized by authorities.

Owner of Breach Forums Pompompurin in New York
This is what Baphomet had to say (Screen credit:

Nevertheless, according to Bloomberg, the charges filed against Fitzpatrick in federal court in Alexandria, Virginia, have not been made public. Fitzpatrick was presented in federal court in White Plains, New York, and released on a $300,000 unsecured bond, signed by his parents.

He is required to avoid any contact with codefendants, coconspirators, and witnesses in the case and is due to appear in court in Alexandria on March 24.

  1. Hive Ransomware Gang Disrupted; Domain Seized
  2. NetWire Malware Site, Server Seized, Admin Arrested
  3. DoubleVPN’s server used by ransomware gangs seized
  4. Dark Web’s Finnish language market Sipulimarket seized
  5. Cybercrime Crackdown: Encrypted Messenger Exclu Seized