UNC3886 Hackers Exploiting 0-Days in VMware vCenter/ESXi, Fortinet FortiOS, and Juniper Junos OS
Singapore’s critical infrastructure is under siege from UNC3886, a sophisticated China-linked advanced persistent threat (APT) group.
As of July 2025, the group has been actively targeting essential services like energy, water, telecommunications, and government systems, prompting urgent warnings from officials.
This isn’t just another hack; it’s a calculated assault exploiting zero-day vulnerabilities in widely used network and virtualization technologies, raising alarms across global sectors.
UNC3886, first reported in 2022 but active since at least late 2021, focuses on high-value targets in defense, technology, telecommunications, and utilities across the US, Europe, Asia, and now prominently Singapore, reads the Trend Micro report.
Singapore’s Coordinating Minister for National Security, K. Shanmugam, revealed on July 18, 2025, that the group poses a “severe risk” to national security, potentially causing widespread disruptions if successful. The Cyber Security Agency of Singapore (CSA) is investigating, emphasizing the need for operational secrecy while monitoring all critical sectors.
UNC3886 Exploiting 0-Days
What makes UNC3886 so dangerous? Their playbook revolves around rapid exploitation of zero-days in devices like VMware vCenter/ESXi, Fortinet FortiOS, and Juniper Junos OS.
They deploy custom malware for stealthy persistence, blending living-off-the-land tactics with advanced rootkits to evade detection. Key tools include:
- TinyShell: A lightweight Python-based backdoor for remote command execution over encrypted HTTP/HTTPS, ideal for post-exploitation agility.
- Reptile: A kernel-level Linux rootkit that hides files, processes, and network activity, featuring port knocking for secret backdoor access and root-privileged command execution.
- Medusa: Another Linux rootkit focused on credential logging, process hiding, and anti-debugging, often paired with Reptile to capture authentications and maintain covert control.
These tools enable layered evasion: Reptile might install first for core stealth, followed by Medusa for credential harvesting. UNC3886 also uses MopSled for modular backdoors, RifleSpine for Google Drive-based C2, and CastleTap for passive ICMP-triggered access on FortiGate firewalls, reads the report.
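The process hiding described above for Reptile and Medusa is typically done by filtering what a directory listing of /proc returns, while the hidden process still answers when its /proc/&lt;pid&gt; path is opened directly. The following added example (not code from the Trend Micro report or from the group's tooling) compares the two views to surface such gaps. The sample listing and status texts are constructed; the Tgid check matters because Linux threads are also reachable by path without appearing in the listing, and without it every multithreaded service would be a false positive.

```python
"""Hidden-process check: compare PIDs visible in a directory listing of /proc
with PIDs that respond when /proc/<pid>/status is opened directly.  A kernel
rootkit that filters readdir() results leaves a gap between the two views."""
import os
import re

# Constructed sample: a /proc listing as readdir() would return it on a host
# where PID 4242 is being hidden.  TID 3001 is a worker thread of PID 3000 and
# legitimately never appears in the listing, so it must not be flagged.
SAMPLE_LISTING = ["1", "2", "1337", "3000", "self", "sys", "cpuinfo"]
SAMPLE_STATUS = {
    1:    "Name:\tsystemd\nPid:\t1\nTgid:\t1\n",
    2:    "Name:\tkthreadd\nPid:\t2\nTgid:\t2\n",
    1337: "Name:\tsshd\nPid:\t1337\nTgid:\t1337\n",
    3000: "Name:\tnginx\nPid:\t3000\nTgid:\t3000\n",
    3001: "Name:\tnginx\nPid:\t3001\nTgid:\t3000\n",   # thread, not a process
    4242: "Name:\tbash\nPid:\t4242\nTgid:\t4242\n",    # reachable but unlisted
}
SAMPLE_PID_MAX = 5000


def pids_in_listing(entries):
    """PIDs present in a /proc directory listing (the view a hooked readdir filters)."""
    return {int(e) for e in entries if e.isdigit()}


def tgid_of(status_text):
    """Thread-group id from a /proc/<pid>/status body; equals the PID for a real process."""
    m = re.search(r"^Tgid:\s+(\d+)", status_text, re.M)
    return int(m.group(1)) if m else None


def hidden_processes(entries, pid_max, read_status):
    """Return PIDs that are absent from the listing yet reachable by path.

    read_status(pid) returns the text of /proc/<pid>/status, or None when the
    path does not exist.  Threads (Tgid != Pid) are skipped deliberately.
    """
    listed = pids_in_listing(entries)
    hidden = []
    for pid in range(1, pid_max + 1):
        if pid in listed:
            continue
        text = read_status(pid)
        if text is None:
            continue
        if tgid_of(text) != pid:
            continue  # a thread of some process, not a hidden process
        hidden.append(pid)
    return hidden


def sample_read_status(pid):
    """Status reader for the constructed sample host."""
    return SAMPLE_STATUS.get(pid)


def live_read_status(pid):
    """Status reader for the running Linux host."""
    try:
        with open(f"/proc/{pid}/status") as f:
            return f.read()
    except OSError:
        return None


def scan_live_host():
    """Run the comparison on the local machine (Linux only)."""
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    return hidden_processes(os.listdir("/proc"), pid_max, live_read_status)


if __name__ == "__main__":
    print(hidden_processes(SAMPLE_LISTING, SAMPLE_PID_MAX, sample_read_status))  # [4242]
```

On a live host, processes that start or exit between the listing and the probe loop can appear in the result once, so a PID should only be treated as suspicious if it shows up across repeated runs; a rootkit that also hooks the path-based lookups will defeat this check entirely, which is why the approach complements, rather than replaces, offline inspection of the host.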
Their tactics span MITRE ATT&CK categories, from initial access via public-facing exploits (T1190) to persistence with valid accounts (T1078) and defense evasion through rootkits (T1014). Notable CVEs include:
| CVE ID | Affected System | Vulnerability Description | Impact |
|---|---|---|---|
| CVE-2023-34048 | VMware vCenter Server | Out-of-bounds write vulnerability in the DCERPC protocol implementation, potentially leading to remote code execution. | Enables unauthenticated remote command execution on vulnerable vCenter servers. |
| CVE-2022-41328 | Fortinet FortiOS | Path traversal vulnerability allowing privileged attackers to read/write files via crafted CLI commands. | Exploited to download and execute backdoors on FortiGate devices. |
| CVE-2022-22948 | VMware vCenter Server | Information disclosure due to improper file permissions, granting access to sensitive data. | Used to obtain encrypted credentials from vCenter’s postgresDB for further access. |
| CVE-2023-20867 | VMware Tools | Failure to authenticate host-to-guest operations, impacting guest VM confidentiality and integrity. | Allows unauthenticated Guest Operations from the ESXi host to guest virtual machines. |
| CVE-2022-42475 | Fortinet (unspecified) | Vulnerability allowing remote unauthenticated attackers to execute arbitrary code or commands via crafted requests. | Enables remote code execution on affected systems. |
| CVE-2025-21590 | Juniper Networks Junos OS | Insufficient system separation in the kernel, allowing authenticated local users to insert malicious code. | Can lead to full system compromise if shell-level access is gained; limited to Junos OS platforms. |
In Juniper attacks, UNC3886 targeted end-of-life routers, injecting malware into legitimate processes to disable logging and deploy rootkits like Pithook and Ghosttown. This aligns with their strategy of hitting overlooked edge devices lacking robust monitoring.