
Chinese Actors Exploit VMware and Fortinet Vulnerabilities for Espionage


In 2021, the emergence of UNC3886, a suspected cyber espionage actor with ties to China, drew wide attention in the security community when it was found targeting critical organizations at scale. UNC3886 leveraged multiple vulnerabilities in FortiOS and VMware products to implant backdoors on compromised machines, posing a significant threat to the integrity of sensitive data and to network security.

Following the discovery of these vulnerabilities, both Fortinet and VMware acted swiftly and released patches addressing the security flaws. However, a deeper look at UNC3886's modus operandi highlighted how sophisticated and evasive the threat actor is. UNC3886 demonstrated a high level of organization by deploying multiple layers of persistence mechanisms on compromised machines, ensuring continued access to and control over the affected environments even after individual footholds were removed.

One of the key tactics employed by UNC3886 was maintaining access to network devices, hypervisors, and virtual machines simultaneously, creating alternative channels for future incursions should any one of them be discovered. The threat actor also used publicly available rootkits for long-term persistence and deployed malware that established connections with Command and Control (C&C) servers, enabling remote control and data exfiltration.

The reports shared with Cyber Security News uncovered UNC3886’s exploitation of various vulnerabilities, such as CVE-2023-34048 in VMware vCenter, which allowed for unauthenticated remote command execution. Additionally, UNC3886 exploited several other vulnerabilities, including path traversal, information disclosure, authentication bypass, and heap-based buffer overflow, to further infiltrate and compromise targeted systems.

UNC3886 leveraged several publicly available rootkits, including REPTILE, MEDUSA, and SEAELF, which provided backdoor access to compromised systems by hiding files, processes, and network activities. The threat actor made customized modifications to these rootkits, enhancing their capabilities and evading detection by security measures.

In addition to rootkits, UNC3886 utilized malware like MOPSLED and RIFLESPINE to maintain control over compromised systems and execute malicious activities. MOPSLED, a modular backdoor, communicated with C&C servers over HTTP or custom binary protocols, while RIFLESPINE used Google Drive as a communication channel and encrypted data transmitted between compromised endpoints and threat actors.

Indicators of Compromise (IoCs) revealed a wide array of filenames and MD5 hashes associated with UNC3886's malicious activities, covering backdoors, launchers, utilities, sniffers, controllers, and droppers. Network-based IoCs pinpointed the IP addresses and Autonomous System Numbers used by UNC3886 to establish connections between compromised systems and C&C servers.

The discovery of UNC3886's sophisticated cyber espionage operations underscored the need for stronger cybersecurity measures against advanced threats. Organizations were urged to prioritize patching vulnerabilities, conduct regular security audits, implement network monitoring tools, and enhance threat intelligence sharing to mitigate the risk posed by threat actors like UNC3886.
