NCSC Warns of ‘UMBRELLA STAND’ Malware Attacking Fortinet FortiGate Firewalls
The UK’s National Cyber Security Centre (NCSC) has issued a critical warning about a sophisticated malware campaign dubbed “UMBRELLA STAND” that specifically targets internet-facing Fortinet FortiGate 100D series firewalls.
This newly identified threat represents a significant escalation in attacks against network infrastructure devices, with the malware designed to establish long-term persistent access to compromised networks through exploitation of security vulnerabilities in the target devices.
The malware operates with considerable technical sophistication, employing fake TLS communications on port 443 to beacon to its command and control servers while maintaining AES-encrypted channels for data transmission.
Unlike legitimate TLS sessions, which begin with a handshake, UMBRELLA STAND skips the handshake entirely and sends encrypted application-data records directly to its controllers at hardcoded IP addresses such as 89.44.194.32.
This approach allows attackers to blend malicious traffic with normal HTTPS communications, making detection significantly more challenging for network administrators.
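The handshake-less beaconing described above is detectable from the record layer alone: a TLS Application Data record (content type 0x17) on a connection that never carried a ClientHello. The following is an added illustration, not code from the NCSC report; the packet tuples and the 203.0.113.10 and 10.0.0.x addresses are constructed, while 89.44.194.32 is the address named in the report.

```python
"""Flag fake-TLS flows: Application Data records sent on a connection that
never performed a TLS handshake. Added example, not NCSC or Fortinet code."""
from collections import defaultdict

TLS_HANDSHAKE, TLS_APPDATA = 0x16, 0x17
CLIENT_HELLO = 0x01

def tls_record(payload: bytes):
    """Return (content_type, handshake_type or None) for a TLS record header,
    or None if the bytes do not look like a TLS record (version 3.0-3.4)."""
    if len(payload) < 5 or payload[1] != 0x03 or payload[2] > 0x04:
        return None
    ctype = payload[0]
    hs = payload[5] if ctype == TLS_HANDSHAKE and len(payload) > 5 else None
    return ctype, hs

def find_fake_tls_flows(packets):
    """packets: iterable of (src, dst, dport, payload) in capture order,
    client-to-server direction only. Returns the set of (src, dst, dport)
    flows that sent Application Data before any ClientHello was seen."""
    seen_hello = defaultdict(bool)
    flagged = set()
    for src, dst, dport, payload in packets:
        rec = tls_record(payload)
        if rec is None:          # not TLS at all (e.g. plain HTTP); ignore
            continue
        key = (src, dst, dport)
        ctype, hs = rec
        if ctype == TLS_HANDSHAKE and hs == CLIENT_HELLO:
            seen_hello[key] = True
        elif ctype == TLS_APPDATA and not seen_hello[key]:
            flagged.add(key)
    return flagged

# Constructed sample traffic (hypothetical, not a real capture).
LEGIT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2c, 0x01]) + b"\x00" * 43
LEGIT_DATA = bytes([0x17, 0x03, 0x03, 0x00, 0x10]) + b"\xaa" * 16
BEACON = bytes([0x17, 0x03, 0x03, 0x00, 0x20]) + b"\x5b" * 32  # no handshake first

SAMPLE_PACKETS = [
    ("10.0.0.5", "203.0.113.10", 443, LEGIT_HELLO),
    ("10.0.0.5", "203.0.113.10", 443, LEGIT_DATA),
    ("10.0.0.9", "89.44.194.32", 443, BEACON),  # C2 address named in the report
    ("10.0.0.9", "89.44.194.32", 443, BEACON),
]

if __name__ == "__main__":
    for flow in sorted(find_fake_tls_flows(SAMPLE_PACKETS)):
        print("fake-TLS beacon candidate:", flow)
```

Connections whose handshake predates the start of the capture are flagged too, so run this over captures that include connection setup.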
NCSC analysts identified that UMBRELLA STAND has been deployed alongside a comprehensive toolkit of publicly available utilities, including BusyBox version 1.3.11, nbtscan for NetBIOS discovery, tcpdump for network traffic capture, and components of OpenLDAP for directory access protocols.
The malware’s modular architecture consists of multiple interconnected components, with the primary networking binary “blghtd” serving as the core communication module while “jvnlpe” functions as a watchdog process to ensure persistent operation.
The threat actors have demonstrated operational security awareness by implementing string encryption techniques and using generic filenames that could plausibly exist on Linux systems, such as renaming processes to “/bin/httpsd” to avoid detection.
The impact of successful UMBRELLA STAND infections extends far beyond simple network compromise, as the malware provides attackers with comprehensive remote shell execution capabilities and configurable beacon frequencies that can be adjusted based on operational requirements.
The threat can execute shell commands through both the ash shell and BusyBox, with a built-in mechanism that automatically terminates long-running tasks after 900 seconds to avoid drawing the attention of system administrators.
Advanced Persistence and Evasion Mechanisms
The most concerning aspect of UMBRELLA STAND lies in its sophisticated persistence mechanisms that ensure continued access even after system reboots.
The malware achieves this through a dual-pronged approach that manipulates both the device’s boot process and its fundamental operating system functions.
The primary persistence method involves hooking the reboot functionality of the Fortinet operating system itself, where UMBRELLA STAND identifies and overwrites the legitimate reboot function with its own initialization code.
This persistence mechanism works in conjunction with an ld.so.preload technique that loads the malware’s “libguic.so” library into new processes by modifying the “/etc/ld.so.preload” configuration file.
When new processes start, this library is automatically loaded and checks if the process is “usbmux” – if so, it executes the initialization component “cisz,” otherwise it exits silently.
This approach ensures that the malware reinitializes itself whenever specific system processes restart, creating multiple redundant persistence pathways.
The malware further demonstrates advanced evasion capabilities by abusing legitimate Fortinet security features designed to protect the device from unauthorized access.
UMBRELLA STAND modifies the “/bin/sysctl” binary to replace references to the protected directory “/data/etc/.ftgd_trusted/” with its own hidden directory “/data2/.ztls/”.
This manipulation leverages FortiOS’s built-in mechanism that hides certain directories from device administrators, effectively making the malware’s files invisible through normal directory listings while appearing to use legitimate system protection features.