Mandiant attributed the espionage activity to UNC3886, a China-nexus group suspected of being associated with a VMware ESXi hypervisor malware framework disclosed in September 2022.

The intrusion activity included:

- Establishing persistent access on FortiManager and FortiAnalyzer devices through a custom API endpoint, and disabling OpenSSL 1.1.0 digital signature verification by corrupting boot files.
- Circumventing firewall rules active on FortiManager devices with a passive traffic redirection utility.
- Obtaining persistent access with Super Administrator privileges within FortiGate firewalls through ICMP port knocking.

This enabled persistent backdoors with Super Administrator privileges. Mandiant discovered that FortiGate and FortiManager devices were likely compromised as a result of connections to VIRTUALPITA from Fortinet management IP addresses.

FortiGate devices with Federal Information Processing Standards (FIPS) compliance mode enabled also failed to boot after being rebooted. This was a result of the operating systems having been tampered with by the attackers. Fortinet helped Mandiant obtain a forensic image of a failing device, leading to the discovery of the CASTLETAP backdoor, which used ICMP port knocking.

Finally, technologies that lack EDR solutions create a challenge for investigators. Network appliances may lack tools to detect runtime modifications and require manufacturer assistance to collect forensic images.
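Because the appliance itself may offer no runtime-integrity tooling, one thing a defender can do from the outside is look for the knock-then-connect pattern in traffic logs: an ICMP echo request aimed at the appliance's own management address, followed shortly by a new inbound TCP session from the same source. The heuristic below is an added example, not Mandiant's detection logic or anything Fortinet ships; the log format, the management address 10.0.0.1 and the ten-second window are assumptions, and the log lines are constructed.

```python
"""Flag ICMP-knock-then-connect sequences in constructed firewall-style logs."""
from datetime import datetime, timedelta

MGMT_IPS = {"10.0.0.1"}            # assumed management address of the appliance
KNOCK_WINDOW = timedelta(seconds=10)  # assumed maximum gap between knock and connect

# Constructed sample log: key=value fields, one record per line (assumed format).
SAMPLE_LOG = """\
2023-03-01T10:00:01 proto=ICMP src=203.0.113.5 dst=10.0.0.1 type=8
2023-03-01T10:00:03 proto=TCP src=203.0.113.5 dst=10.0.0.1 dport=22 action=accept
2023-03-01T10:05:00 proto=ICMP src=198.51.100.7 dst=10.0.0.1 type=8
2023-03-01T10:20:00 proto=TCP src=198.51.100.7 dst=10.0.0.1 dport=443 action=accept
2023-03-01T11:00:00 proto=TCP src=192.0.2.9 dst=10.0.0.1 dport=443 action=accept
"""


def parse(line):
    """Turn one 'timestamp k=v k=v ...' record into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def find_knock_sequences(log_text, mgmt_ips=MGMT_IPS, window=KNOCK_WINDOW):
    """Return (src, dport, seconds_after_knock) for each echo request to a
    management address that is followed, within `window`, by an inbound TCP
    session from the same source to the same address."""
    last_knock = {}   # (src, dst) -> timestamp of most recent echo request
    hits = []
    for line in log_text.splitlines():
        r = parse(line)
        if r["dst"] not in mgmt_ips:
            continue
        key = (r["src"], r["dst"])
        if r["proto"] == "ICMP" and r.get("type") == "8":   # echo request
            last_knock[key] = r["ts"]
        elif r["proto"] == "TCP" and key in last_knock:
            delay = r["ts"] - last_knock.pop(key)            # each knock counted once
            if delay <= window:
                hits.append((r["src"], int(r["dport"]), delay.total_seconds()))
    return hits


if __name__ == "__main__":
    for src, dport, delay in find_knock_sequences(SAMPLE_LOG):
        print(f"knock-then-connect: {src} -> tcp/{dport} {delay:.0f}s after ICMP echo")
```

The second source in the sample knocks but connects fifteen minutes later, outside the window, and the third never knocks, so only the first sequence is reported; a real deployment would tune the window and whitelist monitoring hosts that legitimately ping the management interface.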