The China-nexus cyber espionage group known as UNC3886 has been linked to the exploitation of zero-day vulnerabilities in Fortinet, Ivanti, and VMware devices. The threat actor has employed a sophisticated array of persistence mechanisms to maintain continuous access to compromised environments.
UNC3886’s tactics include leveraging vulnerabilities such as CVE-2022-41328 in Fortinet FortiOS, CVE-2023-34048 and CVE-2022-22948 in VMware vCenter, and CVE-2023-20867 in VMware Tools. These exploits allow the group to deploy backdoors, obtain credentials, and achieve deeper infiltration into targeted systems, cybersecurity firm Mandiant said in its recent report.
For example, in January 2023, the group exploited CVE-2022-42475 in Fortinet’s Secure Sockets Layer (SSL) virtual private network (VPN) to execute arbitrary code.
The persistence mechanisms utilized by UNC3886 involve network devices, hypervisors, and virtual machines, ensuring that even if the primary layer of access is detected and eliminated, alternative channels remain available.
Mandiant observed that once the group gained access to vCenter servers, it obtained control over guest virtual machines on the same ESXi server.
To maintain control and evade detection, UNC3886 deployed two publicly available rootkits: REPTILE and MEDUSA. REPTILE, an open-source Linux rootkit, provides backdoor access and stealth functionality through port knocking. UNC3886 made several modifications to the REPTILE codebase, indicating ongoing development of the tool. MEDUSA, on the other hand, implements dynamic linker hijacking via LD_PRELOAD and is used for logging user credentials and command executions. Mandiant believes that MEDUSA is an experimental alternative to REPTILE and SSH keyloggers.
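The LD_PRELOAD hijacking that MEDUSA relies on leaves two inspectable footprints on a Linux host: the `/etc/ld.so.preload` file, which the dynamic loader reads for every dynamically linked process, and an `LD_PRELOAD` variable in a process's environment. The following auditor is an added example written for this article; it is not code from the Mandiant report or from the malware it describes. It parses both locations using the loader's separator rules (whitespace or `:`, with `#` comments), flags preloaded objects that live outside the standard library directories, and runs against constructed sample data so it works offline. The trusted directory list and the sample contents are assumptions.

```python
"""Audit Linux hosts for LD_PRELOAD-style dynamic linker hijacking.

Added example, not code from the Mandiant report or from MEDUSA. Checks the
two persistence points a preload-based rootkit uses: /etc/ld.so.preload and
LD_PRELOAD in a process environment block (the /proc/<pid>/environ format).
"""
import re
from pathlib import Path

# Directories from which a preloaded shared object is considered expected.
# Assumption: a typical distro layout; adjust for the host being audited.
# Path-based triage is only a first pass: an object inside these directories
# should still be verified against package-manager ownership.
TRUSTED_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# Constructed sample data standing in for files read from a real host.
SAMPLE_PRELOAD = (
    "# constructed sample of /etc/ld.so.preload\n"
    "/usr/lib/x86_64-linux-gnu/libexample.so\n"
    "/tmp/.x/lib.so:/lib/libfoo.so\n"
)
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/var/tmp/lib.so\0HOME=/root\0"


def _split_entries(text: str) -> list[str]:
    """Split a preload list the way the loader does: on whitespace or ':'."""
    return [p for p in re.split(r"[\s:]+", text) if p]


def parse_ld_so_preload(text: str) -> list[str]:
    """Return the shared objects listed in ld.so.preload content.

    glibc treats whitespace and ':' as separators and skips '#' comments.
    """
    entries: list[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(_split_entries(line))
    return entries


def ld_preload_from_environ(environ_blob: bytes) -> list[str]:
    """Extract LD_PRELOAD entries from a NUL-separated environ block."""
    prefix = b"LD_PRELOAD="
    for item in environ_blob.split(b"\0"):
        if item.startswith(prefix):
            return _split_entries(item[len(prefix):].decode(errors="replace"))
    return []


def suspicious_entries(entries: list[str]) -> list[str]:
    """Flag objects that are not absolute paths under a trusted directory."""
    return [e for e in entries if not e.startswith(TRUSTED_DIRS)]


def audit_samples() -> dict:
    """Run the checks over the constructed samples and return the findings."""
    preload = parse_ld_so_preload(SAMPLE_PRELOAD)
    env = ld_preload_from_environ(SAMPLE_ENVIRON)
    return {
        "ld_so_preload": suspicious_entries(preload),
        "environ": suspicious_entries(env),
    }


def audit_host(preload_file: Path = Path("/etc/ld.so.preload"),
               proc_root: Path = Path("/proc")) -> dict:
    """Run the same checks against a live host; returns findings per source."""
    findings: dict = {}
    if preload_file.exists():
        hits = suspicious_entries(parse_ld_so_preload(preload_file.read_text()))
        if hits:
            findings[str(preload_file)] = hits
    for pid_dir in proc_root.glob("[0-9]*"):
        try:
            env = ld_preload_from_environ((pid_dir / "environ").read_bytes())
        except OSError:
            continue  # process exited or not readable without privileges
        hits = suspicious_entries(env)
        if hits:
            findings[str(pid_dir)] = hits
    return findings


if __name__ == "__main__":
    print("sample findings:", audit_samples())
    print("live host findings:", audit_host())
```

Any non-empty `ld_so_preload` finding deserves attention on its own: legitimate software rarely uses that file, and a rootkit placing itself there survives reboots and applies to every new process. The per-process `environ` check catches the variable-based variant but only for processes the auditor is allowed to read, so run it as root.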
The threat actor used the MEDUSA installer component, identified as SEAELF, to deploy and execute tools for capturing SSH credentials from compromised endpoints. Additionally, UNC3886 deployed malware like MOPSLED and RIFLESPINE, which use trusted platforms such as GitHub and Google Drive for command-and-control (C2) communication while relying on rootkits for persistence.
Mandiant said that the group relies heavily on valid credentials for lateral movement between guest virtual machines on compromised VMware ESXi servers. A notable discovery was a new variant of a backdoor leveraging the Virtual Machine Communication Interface (VMCI) for guest-to-guest or host-to-guest communications to execute commands.
Earlier this month, UNC3886 was observed exploiting the CVE-2023-20867 VMware Tools authentication bypass bug to deploy the VirtualPita and VirtualPie backdoors on guest virtual machines from compromised ESXi hosts on which the group had escalated privileges to root.