NCSC Issues Alert on ‘UMBRELLA STAND’ Malware Targeting Fortinet FortiGate Firewalls

The National Cyber Security Centre (NCSC) has sounded the alarm over a newly identified malware dubbed “UMBRELLA STAND,” specifically targeting internet-facing FortiGate 100D series firewalls manufactured by Fortinet.

This medium-sophistication malware, believed to be deployed through security vulnerabilities, is designed to establish long-term access to compromised networks, posing a significant threat to organizations relying on these embedded devices for network security.

The report highlights the malware’s intricate design and operational security measures, drawing parallels with the previously documented COATHANGER malware, while noting enhanced obfuscation techniques like AES-encrypted strings and deceptive filenames to evade detection.

New Threat Exploits Vulnerabilities in Embedded Devices

UMBRELLA STAND exhibits a range of advanced capabilities, including remote shell execution, configurable beacon frequencies, and AES-encrypted communications with its command-and-control (C2) server.

It beacons using a fake TLS header on port 443, mimicking legitimate traffic without performing a proper handshake, a clear red flag for network analysts monitoring for suspicious activity.

The hardcoded C2 IP address, 89.44.194.32, serves as the default communication endpoint, though it can be reconfigured via commands.

The malware’s arsenal includes components to hook device reboot functions, ensuring persistence through mechanisms like ldpreload and modifications to the FortiOS reboot process.

Figure: the different components of UMBRELLA STAND

Additionally, it employs process injection and impersonation tactics, renaming processes to blend into typical Linux system listings, such as overwriting executable names with “/bin/httpsd,” making it harder for administrators to spot unauthorized activity.

Sophisticated Malware Utilizes Fake TLS

The NCSC report details how UMBRELLA STAND is often deployed alongside publicly available tools like BusyBox, tcpdump, nbtscan, and openLDAP, enhancing its ability to execute shell commands, capture network traffic, and perform reconnaissance within compromised environments.

Hidden directories such as “/data2/.ztls/” are utilized to conceal its presence, further exploiting FortiOS’s built-in protections to hide malicious directories from device admins.

The malware also features dual shell command implementations, allowing attackers to run commands directly or manage asynchronous data collection, with built-in safety mechanisms like a 900-second timeout to prevent long-running tasks from drawing attention.

Although the report notes that not all components, nor the complete persistence mechanism, could be recovered, it underscores potential links to additional malware such as SHOE RACK, suggesting a broader ecosystem of threats targeting Fortinet devices.

For organizations using FortiGate firewalls, the NCSC provides critical indicators of compromise (IOCs) to aid in detection and mitigation. These include specific file paths and the aforementioned C2 IP address.

The report also includes YARA rules targeting encrypted strings and injection mechanisms, ensuring defenders can identify UMBRELLA STAND even when obfuscation is present.

As this malware demonstrates a clear focus on embedded device environments, the NCSC urges immediate vigilance, emphasizing the need for robust monitoring and patching to counter such sophisticated threats.

Indicators of Compromise (IOCs)

Type   Description                          Values
IPv4   C2 infrastructure                    89.44.194.32
Path   Hidden directory for actor tooling   /data2/.ztls/
Path   Paths used by actors                 /tmp/%d.sv, /data2/tmp/%s.ini
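To show how the fake-TLS beaconing described above and the IOCs in this table can be turned into a simple triage check, here is an added Python example; it is not from the NCSC report or this article. It assumes a client that fakes TLS opens the connection with a TLS-looking record header but never sends a ClientHello (the report does not say what the fake header contains), and the sample flows and non-C2 addresses are constructed.

```python
from dataclasses import dataclass

# Indicators copied from the IOC table on this page.
C2_IPS = {"89.44.194.32"}
HIDDEN_DIRS = ("/data2/.ztls/",)
# TLS record header: content type (1 byte) + version (2 bytes) + length (2 bytes).
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}
TLS_VERSIONS = {0x0301, 0x0302, 0x0303, 0x0304}

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_client_bytes: bytes  # first payload bytes the client sent

def looks_like_tls_record(b: bytes) -> bool:
    """True if the first five bytes parse as a TLS record header."""
    return (len(b) >= 5 and b[0] in TLS_CONTENT_TYPES
            and int.from_bytes(b[1:3], "big") in TLS_VERSIONS)

def is_client_hello(b: bytes) -> bool:
    """A real TLS client opens with a handshake record (0x16) carrying ClientHello (0x01)."""
    return looks_like_tls_record(b) and b[0] == 0x16 and len(b) > 5 and b[5] == 0x01

def classify(flow: Flow) -> list[str]:
    """Return the reasons a flow should be reviewed (empty list means nothing matched)."""
    findings = []
    if flow.dst in C2_IPS:
        findings.append("destination is the published C2 address")
    if (flow.dport == 443 and looks_like_tls_record(flow.first_client_bytes)
            and not is_client_hello(flow.first_client_bytes)):
        findings.append("TLS-looking record on 443 with no ClientHello")
    return findings

def suspicious_paths(paths: list[str]) -> list[str]:
    """Flag file paths that sit under the hidden directory named in the IOC table."""
    return [p for p in paths if any(p.startswith(d) for d in HIDDEN_DIRS)]

# Constructed sample flows (hypothetical addresses; only 89.44.194.32 comes from the page).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.9", 443, bytes.fromhex("160301005a0100005603")),  # real ClientHello
    Flow("10.0.0.5", "89.44.194.32", 443, bytes.fromhex("1703030040") + b"\x00" * 8),  # beacon-style
    Flow("10.0.0.7", "198.51.100.4", 443, b"GET / HTTP/1.1\r\n"),  # not TLS-looking at all
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.dst, classify(f))
```

The handshake heuristic only inspects the first client record, so feed it the opening bytes of each flow rather than an arbitrary packet mid-session.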
