A Dive into UNC3886 Chinese Espionage Operations
10:00 AM - 10:45 AM

The presentation will focus on describing the attack path visualized in the blog (https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem), with insight into the gaps that were left unanswered around the network and virtualization ecosystem. These new insights include:

  • How the attackers gained credentials for the service accounts across multiple hypervisors
  • An unreleased CVE, being responsibly disclosed in collaboration with the impacted company at the beginning of June, which allows an attacker with root (or service account) access to a hypervisor to perform file transfer and command execution (with SYSTEM or root privileges, depending on the OS) on any guest machine without any guest credentials and without generating authentication attempts on the guest machines. More details will be provided once the disclosure is public
  • A showcase of how the attacker can utilize the backdoors, with sockets listening on a specific address family, to bypass the virtualization barrier without being visible to most traditional networking tools
  • New logging and detection solutions to gain visibility into these operations