UNC3886: Chinese Hacking Group Linked to Zero-Day FortiOS Exploit

A recent zero-day exploit has been linked to a Chinese hacking group. The exploit, which has since been patched, targeted a medium-severity security flaw in the Fortinet FortiOS operating system. Mandiant, the Google-owned threat intelligence and incident response firm, is tracking the malicious operation under its uncategorized moniker UNC3886 and describes it as a China-nexus threat actor.

This is not the first time this particular adversary has been tied to an intrusion set. It was previously linked to a hyperjacking campaign targeting VMware ESXi and Linux vCenter servers, which dropped backdoors such as VIRTUALPITA and VIRTUALPIE.

Mandiant's latest disclosure comes as Fortinet revealed that government entities and large organizations were victimized by an unidentified threat actor. This actor exploited a zero-day bug in Fortinet FortiOS software, resulting in data loss and OS and file corruption. Fortinet has since patched the security flaw and is urging all users to update their systems as soon as possible. For those who have been affected, Fortinet is working on a solution and will release more information as it becomes available.
