Cyberwarfare / Nation-State Attacks
,
Fraud Management & Cybercrime
,
Network Firewalls, Network Access Control
UNC3886 Targeted Edge Devices for Persistence, Mandiant Says
A suspected Chinese hacking group used open-source rootkits to ensure persistence on compromised edge devices such as VMware ESXi servers for espionage campaigns, Google Mandiant said.
See Also: Close the Case on Ransomware
The hacking group, which Mandiant tracks as UNC3886, is likely a Chinese threat group hacking for Beijing. The threat intel company has previously observed UNC3886 compromising firewall and virtualization applications that lack endpoint detection support.
In a Tuesday blog post detailing the group’s activities, Mandiant disclosed the threat group’s prolific use of open-source rootkits to maintain persistence on edge devices as part of its operations in 2022 and 2023.
“Persistence mechanisms encompassed network devices, hypervisors, and virtual machines, ensuring alternative channels remain available even if the primary layer is detected and eliminated,” Mandiant said.
Attackers exploited an unauthenticated remote command execution zero-day on VMware vCenter tracked as CVE-2023-34048. If the threat group failed to gain initial access on the VMware servers, the attackers targeted similar flaws in FortiOS, a flaw in VMware vCenter called postgresDB, or a VMware Tools flaw.
After compromising the edge devices, the group’s pattern has been to deploy open-source Linux rootkit Reptile to target virtual machines hosted on the appliance. It uses four rootkit components to capture secure shell credentials.
These include Reptile.CMD
to hide files, processes and network connections; Reptile.Shell
to listen to specialized packets- a kernel level file to modify the .CMD
file to achieve rootkit functionality; and a loadable kernel file for decrypting the actual module and loading it into the memory.
“Reptile appeared to be the rootkit of choice by UNC3886 as it was observed being deployed immediately after gaining access to compromised endpoints,” Mandiant said. “Reptile offers both the common backdoor functionality, as well as stealth functionality that enables the threat actor to evasively access and control the infected endpoints via port knocking.”
In addition to Repitle, the group used open-source rootkits Medusa and Seaelf to steal credentials for lateral movement capabilities. “Mandiant assessed the use of Medusa to be experimental alternatives of Repitle,” the report says.
Once in the victim’s environment, the group then deployed Mopsled and Riflespine malware variants that used trusted third parties such as GitHub and Google Drive as command-and-control infrastructure. The data infiltrated by the strains included system information that was then sent to the C2 servers.
The group subverted password authentication and integration functions to collect credentials from the victim’s SSH daemon.
Depending on the targeted device, the group further customized its tactics. In the case of ESXi servers, Mandiant says, the group either deployed vpxuser
credentials that are used for managing activities for the host on vCenter or exploited CVE-2023-20867 to intercept and collect credentials within an XOR-encrypted text file.
To ensure that they continued to have prolonged access to the compromised ESXi servers, the threat group deployed a malicious package called “yum-versionlock” to survive package upgrades.
To extract credentials from TACACS+ – a network appliance used for authenticating users – the group deployed a custom malware variant called Lookover to allow threat actors to manipulate user credentials and tamper with accounting logs stored within the software.
Although many of the zero-days exploited by the group has been patched, Mandiant says the group continues to target edge devices using similar tactics (see: State Hackers’ New Frontier: Network Edge Devices).