{"id":4826,"date":"2025-06-23T10:03:35","date_gmt":"2025-06-23T10:03:35","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/06\/23\/ncsc-warns-of-umbrella-stand-malware-attacking-fortinet-fortigate-firewalls\/"},"modified":"2025-06-23T10:03:35","modified_gmt":"2025-06-23T10:03:35","slug":"ncsc-warns-of-umbrella-stand-malware-attacking-fortinet-fortigate-firewalls","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/06\/23\/ncsc-warns-of-umbrella-stand-malware-attacking-fortinet-fortigate-firewalls\/","title":{"rendered":"NCSC Warns of \u2018UMBRELLA STAND\u2019 Malware Attacking Fortinet FortiGate Firewalls"},"content":{"rendered":"<div>\n<p>The UK\u2019s National Cyber Security Centre (NCSC) has issued a critical warning about a sophisticated malware campaign dubbed \u201cUMBRELLA STAND\u201d that specifically targets internet-facing Fortinet FortiGate 100D series firewalls.<\/p>\n<p>This newly identified threat represents a significant escalation in attacks against network infrastructure devices, with the malware designed to establish long-term persistent access to compromised networks through exploitation of security vulnerabilities in the target devices.<\/p>\n<p>The malware operates with considerable technical sophistication, employing fake TLS communications on port 443 to beacon to its command and control servers while maintaining AES-encrypted channels for data transmission.<\/p>\n<p>Unlike legitimate TLS sessions that begin with proper handshakes, UMBRELLA STAND bypasses this protocol entirely, sending encrypted application data directly to its controllers using hardcoded IP addresses such as 89.44.194.32.<\/p>\n<p>This approach allows attackers to blend malicious traffic with normal HTTPS communications, making detection 
significantly more challenging for <a href=\"https:\/\/cybersecuritynews.com\/10-effective-ways-to-improve-network-security\/\" target=\"_blank\" rel=\"noreferrer noopener\">network administrators<\/a>.<\/p>\n<p>NCSC analysts <a href=\"https:\/\/www.ncsc.gov.uk\/static-assets\/documents\/malware-analysis-reports\/umbrella-stand\/ncsc-mar-umbrella_stand.pdf\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">identified<\/a> that UMBRELLA STAND has been deployed alongside a comprehensive toolkit of publicly available utilities, including BusyBox version 1.3.11, nbtscan for NetBIOS discovery, tcpdump for network traffic capture, and components of openLDAP for directory access protocols.<\/p>\n<p>The malware\u2019s modular architecture consists of multiple interconnected components, with the primary networking binary \u201cblghtd\u201d serving as the core communication module while \u201cjvnlpe\u201d functions as a watchdog process to ensure persistent operation.<\/p>\n<p>The threat actors have demonstrated operational security awareness by implementing string encryption techniques and using generic filenames that could plausibly exist on Linux systems, such as renaming processes to \u201c\/bin\/httpsd\u201d to avoid detection.<\/p>\n<p>The impact of successful UMBRELLA STAND infections extends far beyond simple network compromise, as the <a href=\"https:\/\/cybersecuritynews.com\/chatgpt-powered-malware-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">malware<\/a> provides attackers with comprehensive remote shell execution capabilities and configurable beacon frequencies that can be adjusted based on operational requirements.<\/p>\n<p>The threat can execute shell commands through both ash shell and BusyBox environments, with built-in safety mechanisms that automatically terminate long-running tasks after 900 seconds to prevent detection by system administrators.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Advanced Persistence and Evasion 
Mechanisms<\/strong><\/h2>\n<p>The most concerning aspect of UMBRELLA STAND lies in its sophisticated persistence mechanisms that ensure continued access even after system reboots.<\/p>\n<p>The malware achieves this through a dual-pronged approach that manipulates both the device\u2019s boot process and its fundamental operating system functions.<\/p>\n<p>The primary persistence method involves hooking the reboot functionality of the Fortinet operating system itself, where UMBRELLA STAND identifies and overwrites the legitimate reboot function with its own initialization code.<\/p>\n<p>This persistence mechanism works in conjunction with an ld.so.preload technique that loads the malware\u2019s \u201clibguic.so\u201d library into new processes through modification of the \u201c\/etc\/ld.so.preload\u201d configuration file.<\/p>\n<p>When new processes start, this library is automatically loaded and checks whether the process is \u201cusbmux\u201d \u2013 if so, it executes the initialization component \u201ccisz,\u201d otherwise it exits silently.<\/p>\n<p>This approach ensures that the malware reinitializes itself whenever specific system processes restart, creating multiple redundant persistence pathways.<\/p>\n<p>The malware further demonstrates advanced evasion capabilities by abusing legitimate Fortinet security features designed to protect the device from unauthorized access.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg8QMf2hxtem65LJBTDmPrJrKThOPuULUaegnQkkzwNUpcmd_ZRTbQuIS95-cYsHEH-_I4iMI6Er1USe3i46j-_4YY6wmHbbTCh_Y5kq-Qk1w_woLYX28kzCeLm3DdCJMHxRUnbOz7jvqAM5EwDPPBbnW7O3zB0NdcGVoghNqew1z3uzDLSlGx3An8fZm4\/s16000\/The%2520.ftgd_trusted%2520directory%2520not%2520appearing%2520in%2520a%2520directory%2520listing%2520%28Source%2520-%2520NCSC%29.webp?ssl=1\" alt=\"\"><figcaption class=\"wp-element-caption\">The 
.ftgd_trusted directory not appearing in a directory listing (Source \u2013 NCSC)<\/figcaption><\/figure>\n<\/div>\n<p>UMBRELLA STAND modifies the \u201c\/bin\/sysctl\u201d binary to replace references to the protected directory \u201c\/data\/etc\/.ftgd_trusted\/\u201d with its own hidden directory \u201c\/data2\/.ztls\/\u201d.<\/p>\n<p>This manipulation leverages FortiOS\u2019s built-in mechanism that hides certain directories from device administrators, effectively making the malware\u2019s files invisible through normal directory listings while appearing to use legitimate <a href=\"https:\/\/cybersecuritynews.com\/macos-vulnerability-lets-attackers-bypass-apples-system-integrity-protection\/\" target=\"_blank\" rel=\"noreferrer noopener\">system protection<\/a> features.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/ncsc-warns-of-umbrella-stand-malware\/\">NCSC Warns of \u2018UMBRELLA STAND\u2019 Malware Attacking Fortinet FortiGate Firewalls<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n","protected":false},"excerpt":{"rendered":"<p>NCSC Warns of \u2018UMBRELLA STAND\u2019 Malware Attacking Fortinet FortiGate Firewalls The UK\u2019s National Cyber Security Centre (NCSC) has issued a critical warning about a sophisticated malware campaign dubbed \u201cUMBRELLA STAND\u201d that specifically targets internet-facing Fortinet FortiGate 100D series firewalls. 
This newly identified threat represents a significant escalation in attacks against network infrastructure devices, with the [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-4826","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/4826"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=4826"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/4826\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=4826"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=4826"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=4826"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}