After unearthing a malware campaign targeting ESXi hypervisors two years ago, researchers have now revealed extensive details of their investigation of UNC3886, a suspected China-nexus cyberespionage group targeting strategic global organizations.
In January 2023, Google-owned cybersecurity firm Mandiant identified that UNC3886 had exploited a now-patched FortiOS vulnerability.
In March 2023, further analysis revealed a custom malware ecosystem affecting Fortinet devices, with compromised VMware technologies facilitating access to guest virtual machines.
UNC3886 demonstrated sophisticated and cautious approaches by employing multiple layers of persistence across network devices, hypervisors and virtual machines to maintain long-term access, Mandiant said in its detailed analysis. The threat group’s strategies include:
Mandiant’s earlier findings detailed UNC3886’s exploitation of CVE-2023-34048, an out-of-bounds write vulnerability in the implementation of the DCERPC protocol in VMware’s vCenter Server. This critical-rated flaw allowed an unauthenticated malicious actor to achieve remote command execution on vCenter servers.
Additional zero-day vulnerabilities exploited included:
The deeper investigation into UNC3886’s operations also revealed their expansive malware arsenal that includes customized open-source variants.
REPTILE, an open-source Linux rootkit, was heavily utilized by UNC3886 for its backdoor and stealth functionalities, enabling the threat actor to maintain undetected access to compromised systems. Key components include:
UNC3886 modified REPTILE for persistence and stealth using unique keywords and customized scripts to evade detection.
MEDUSA employs dynamic linker hijacking to log user credentials and command executions, which complements UNC3886’s strategy of using valid credentials for lateral movement. Deployment of MEDUSA involved a customized installer called “SEAELF” and modified configuration files.
MOPSLED is a modular backdoor that communicates over HTTP or a custom binary protocol, retrieving plugins from its C2 server. It was shared among Chinese cyberespionage groups and used by UNC3886 primarily on vCenter servers.
RIFLESPINE is a backdoor that uses Google Drive for command and control communication and executes commands from encrypted files. It relied on “systemd” for persistence but was less favored due to its detectable nature.
UNC3886 has employed internal reconnaissance and lateral movement techniques using custom tools like LOOKOVER to capture TACACS+ credentials. Backdoored TACACS+ binaries further facilitated unauthorized access and credential logging.
UNC3886 also used VMCI backdoors for communication between guest and host systems, enhancing their control over compromised environments. Notable VMCI backdoors included:
Mandiant observed UNC3886 using valid credentials for lateral movement between guest VMs on compromised VMware ESXi. The threat actor deployed backdoored SSH clients and daemons to intercept and collect credentials stored in XOR-encrypted files.
The threat group modified the SSH client (/usr/bin/ssh) and daemon (/usr/sbin/sshd) to harvest and store credentials. The SSH client stored credentials in “/var/log/ldapd<unique_keyword>.2.gz,” while the SSH daemon stored them in “/var/log/ldapd<unique_keyword>.1.gz.”
To persist the malicious SSH components, the threat actor used yum-versionlock to prevent OpenSSH package upgrades.
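As an added defender-side illustration (not code from Mandiant or the report), the following script turns the three SSH-persistence artifacts described above into host checks: OpenSSH packages pinned by yum-versionlock, package-verification mismatches on the SSH client and daemon, and credential drop files matching the ldapd<keyword>.1.gz / .2.gz naming. The command outputs and directory listing are constructed samples; the versionlock and rpm -V line formats are assumptions about those tools' output, so adjust the patterns to what your distribution prints.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample of `yum versionlock list` output (format assumed, not from the report).
VERSIONLOCK_SAMPLE = """Loaded plugins: versionlock
0:openssh-8.0p1-10.el8.*
0:openssh-server-8.0p1-10.el8.*
0:kernel-4.18.0-348.el8.*
versionlock list done
"""

# Constructed sample of `rpm -V openssh-clients openssh-server` output.
# Flag column: S = size differs, 5 = digest differs, T = mtime differs.
RPM_VERIFY_SAMPLE = """S.5....T.    /usr/bin/ssh
S.5....T.    /usr/sbin/sshd
.......T.  c /etc/ssh/sshd_config
"""

# Constructed listing of /var/log; the report describes ldapd<unique_keyword>.{1,2}.gz.
VAR_LOG_SAMPLE = ["messages", "secure", "ldapdxyz.1.gz", "ldapdxyz.2.gz", "ldapd.log"]

# Accepts both "0:openssh-8.0p1-..." (yum) and "openssh-0:8.0p1-..." (dnf) lock lines.
VERSIONLOCK_PKG = re.compile(r"^(?:\d+:)?(openssh(?:-[a-z]+)*)-\d")
LDAPD_DROP = re.compile(r"^ldapd\S+\.[12]\.gz$")
SSH_BINARIES = ("/usr/bin/ssh", "/usr/sbin/sshd")


def locked_openssh_packages(output: str) -> List[str]:
    """Return OpenSSH package names pinned by yum-versionlock (blocks upgrades)."""
    return [m.group(1) for line in output.splitlines()
            if (m := VERSIONLOCK_PKG.match(line.strip()))]


def modified_ssh_binaries(output: str) -> List[str]:
    """Return SSH binaries whose size or digest no longer matches the installed package."""
    hits = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[-1] in SSH_BINARIES and set("S5") & set(parts[0]):
            hits.append(parts[-1])
    return hits


def credential_drop_files(names: Iterable[str]) -> List[str]:
    """Return /var/log entries matching the ldapd<keyword>.1.gz / .2.gz naming."""
    return sorted(n for n in names if LDAPD_DROP.match(n))


def ssh_persistence_findings(versionlock: str, rpm_verify: str, var_log: Iterable[str]) -> Dict[str, List[str]]:
    """Collect all three indicators; any non-empty list warrants a closer look at the host."""
    return {"locked_packages": locked_openssh_packages(versionlock),
            "modified_binaries": modified_ssh_binaries(rpm_verify),
            "drop_files": credential_drop_files(var_log)}
```

rpm -V trusts the local RPM database, which a rootkit such as REPTILE can tamper with or hide from, so confirm a flagged binary against a known-good package or a hash from another system rather than relying on the host alone.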
UNC3886 also used the MEDUSA rootkit to deploy a custom SSH server. They employed executables (/usr/sbin/libvird and /usr/bin/NetworkManage) to hijack SSH connections and redirect them to a Unix socket for credential collection, with SELinux contexts set so the socket remained accessible.
Additional tools (sentry and sshdng-venter-7.0) were used on another endpoint for similar injection and redirection operations.
Mandiant has published IOCs to aid in detecting UNC3886 activities. These IOCs, along with detection and hardening guidelines, help organizations protect against sophisticated threats posed by UNC3886.