A new deep-dive investigation into the known threat group UNC3886 gives insight into how the China-linked threat actor has exploited zero-days in various Fortinet and VMware products, deployed malware and novel backdoor variants, and collected credentials from victim organizations over the years.
UNC3886 was first discovered after Mandiant researchers investigated malware in ESXi hypervisors in 2022. After that, the threat actor was tied to the exploitation of (now-patched) zero-day flaws in FortiOS (CVE-2022-42475 and CVE-2022-41328), VMware vCenter (CVE-2023-34048 and CVE-2022-22948) and VMware Tools (CVE-2023-20867). Beyond zero-day exploitation, however, researchers investigating UNC3886 found several post-exploitation tactics showing how “the actor operates in a sophisticated, cautious, and evasive nature.”
“Mandiant has observed that UNC3886 employed several layers of organized persistence for redundancy to maintain access to compromised environments over time,” said Punsaen Boonyakarn, Shawn Chew, Logeswaran Nadarajan, Mathew Potaczek, Jakub Jozwiak and Alex Marvi with Mandiant in their analysis this week. “Persistence mechanisms encompassed network devices, hypervisors, and virtual machines, ensuring alternative channels remain available even if the primary layer is detected and eliminated.”
The threat actor’s operations have targeted various industries, including governments as well as the telecommunications, technology, aerospace and defense, and energy and utility sectors. Targeted entities are primarily in North America, Southeast Asia and Oceania.
Beyond paving the way for initial access, the group’s zero-day exploitation has also directly supported its espionage goals. For example, UNC3886 used the VMware vCenter flaw CVE-2022-22948 to obtain encrypted credentials stored in the postgresDB and gain further access on the system.
After gaining initial access to vCenter servers, the threat actor would access the managed ESXi servers and gain control over guest VMs that shared an ESXi server with the vCenter server. The group then used publicly available rootkits on the guest VMs for persistence and detection evasion. These rootkits include Reptile, an open-source Linux rootkit, and Medusa, an open-source rootkit with capabilities for logging user credentials from successful authentications and executing commands.
The threat actor leveraged the Medusa rootkit to deploy a custom SSH server that could collect SSH credentials. However, “REPTILE appeared to be the rootkit of choice by UNC3886 as it was observed being deployed immediately after gaining access to compromised endpoints,” said researchers. “REPTILE offers both the common backdoor functionality, such as command execution and file transfer capabilities, as well as stealth functionality that enables the threat actor to evasively access and control the infected endpoints via port knocking.”
The group used several other tactics. For instance, it leveraged backdoor variants (including ones that researchers called VirtualShine, VirtualPie and VirtualSphere) that used the Virtual Machine Communication Interface (VMCI) as their communication channel. UNC3886 was also spotted targeting a TACACS+ server with sniffer malware and a backdoor in order to steal credentials. TACACS+ is a version of the TACACS network protocol used by network appliances for centralized authentication and access control.
“An unauthorized access to a system functioning as an authentication server like a TACACS+ server is an absolute security nightmare,” said researchers. “The threat actor could access or manipulate user credentials and authorization policies stored within its database. Accountability of TACACS+ would also be affected as the threat actor could tamper with the accounting logs stored on the TACACS+ server, covering their tracks and concealing malicious activities.”
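The accounting-log tampering the researchers describe is detectable if the log is also streamed, record by record, to a separate collector that the TACACS+ server cannot rewrite. The following Python is an added, defender-side illustration written for this article; it is not code from the Mandiant analysis or from any TACACS+ product. It assumes a hypothetical collector that holds an HMAC key and maintains a hash chain over the records it receives; a later copy of the on-box log is replayed against that chain, so any edited, removed or inserted record breaks the chain at a specific index. The sample records are constructed and use a generic accounting-log layout, not any vendor's real format.

```python
"""Hash-chained integrity check for forwarded accounting records (illustration only).

Assumption (hypothetical deployment): the TACACS+ server forwards each
accounting record to a separate collector host as it is written. The collector,
not the TACACS+ server, holds the HMAC key and keeps the chain, so a root-level
intruder on the TACACS+ server cannot recompute valid tags for an altered log.
"""
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed sample records in a generic accounting-log style (not real data).
SAMPLE_RECORDS = [
    "2024-06-10T08:00:01Z start user=netadmin nas=10.0.0.1 port=tty1 service=shell",
    "2024-06-10T08:00:05Z cmd   user=netadmin nas=10.0.0.1 cmd='show running-config'",
    "2024-06-10T08:01:12Z cmd   user=netadmin nas=10.0.0.1 cmd='configure terminal'",
    "2024-06-10T08:01:40Z cmd   user=netadmin nas=10.0.0.1 cmd='username svc-backup privilege 15'",
    "2024-06-10T08:02:00Z stop  user=netadmin nas=10.0.0.1 port=tty1 elapsed=119",
]

GENESIS = b"\x00" * 32  # fixed starting tag for the first link of the chain


def link(prev_tag: bytes, record: str, key: bytes) -> bytes:
    """Tag for one record: HMAC over (previous tag || record text)."""
    return hmac.new(key, prev_tag + record.encode("utf-8"), hashlib.sha256).digest()


class Collector:
    """Off-box collector that keeps the authenticated chain of received records."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._prev = GENESIS
        self.tags: List[bytes] = []

    def ingest(self, record: str) -> None:
        """Append one forwarded record to the chain."""
        self._prev = link(self._prev, record, self._key)
        self.tags.append(self._prev)

    def check_local_copy(self, records: List[str]) -> Optional[Tuple[int, str]]:
        """Replay the on-box log against the stored chain.

        Returns None if the copy is consistent with what the collector received,
        otherwise (index, reason) for the first point where the chain breaks.
        """
        prev = GENESIS
        for i, rec in enumerate(records):
            if i >= len(self.tags):
                return (i, "extra record never received by collector")
            prev = link(prev, rec, self._key)
            if not hmac.compare_digest(prev, self.tags[i]):
                return (i, "record modified or inserted, or an earlier record removed")
        if len(records) < len(self.tags):
            return (len(records), "records missing from the end of the log")
        return None


def build_collector(key: bytes = b"collector-demo-key") -> Collector:
    """Collector that has received every constructed sample record."""
    c = Collector(key)
    for rec in SAMPLE_RECORDS:
        c.ingest(rec)
    return c


def scenario(kind: str) -> Optional[Tuple[int, str]]:
    """Compare tampered variants of the on-box log against the collector's chain."""
    c = build_collector()
    log = list(SAMPLE_RECORDS)
    if kind == "intact":
        pass
    elif kind == "deleted":      # privilege-escalating command removed from the log
        del log[3]
    elif kind == "edited":       # same command rewritten to look harmless
        log[3] = log[3].replace("privilege 15", "privilege 1")
    elif kind == "truncated":    # tail of the log wiped
        log = log[:4]
    elif kind == "appended":     # fabricated record added after the fact
        log.append("2024-06-10T08:03:00Z stop  user=netadmin nas=10.0.0.1 port=tty1 elapsed=1")
    else:
        raise ValueError(kind)
    return c.check_local_copy(log)


if __name__ == "__main__":
    for k in ("intact", "deleted", "edited", "truncated", "appended"):
        print(f"{k:>9}: {scenario(k)}")
```

The chain only covers records the TACACS+ server actually forwarded; an intruder who stops forwarding altogether produces a gap in the collector's view rather than a broken chain, so the collector's record count should also be reconciled against device-side session evidence.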
Many of UNC3886's campaigns have been documented over the years, including its exploitation of the VMware Tools bug (CVE-2023-20867) to gain unauthenticated remote code execution in 2023, and its attacks against a critical-severity remote code execution flaw in vCenter Server, VMware’s centralized management utility, which it had been exploiting since 2021, almost two years before patches were released.