The UK’s National Cyber Security Centre (NCSC) has issued a critical warning about a sophisticated new malware campaign. The recently identified threat, dubbed “UMBRELLA STAND,” targets internet-facing Fortinet firewall devices and is designed to establish long-term persistent access to the networks of its victims. It operates with considerable technical sophistication, beaconing to its servers with fake TLS communications on port 443.
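As an added example (not NCSC's analysis and not the malware's actual protocol), the Python below checks whether the opening bytes of a connection to TCP/443 form a well-formed TLS ClientHello; traffic that carries a TLS record header but fails the nested length and field checks is flagged as fake TLS, the class of beaconing described above. The sample payloads and flow records are constructed, and since the article does not give UMBRELLA STAND's framing, this is a structural check rather than a signature.

```python
import struct

# Constructed samples (not UMBRELLA STAND traffic): first client bytes on TCP/443.
GENUINE = bytes.fromhex(
    "160301002d"            # record header: Handshake, version 3.1, length 45
    + "01000029"            # handshake header: ClientHello, length 41
    + "0303" + "00" * 32    # client_version TLS 1.2, 32-byte random
    + "00" + "00021301"     # empty session_id; one cipher suite (0x1301)
    + "0100"                # compression_methods length 1: null
)
FAKE_LENGTHS = bytes.fromhex("160301002d" "01000011" "0303") + b"\x00" * 38
FAKE_APPDATA = bytes.fromhex("1703030020") + bytes(range(32))
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

def classify_tls_start(data: bytes) -> str:
    """Return 'tls_client_hello', 'fake_tls' (TLS-looking record header whose
    contents are not a well-formed ClientHello) or 'not_tls'."""
    if (len(data) < 5 or data[0] not in (0x14, 0x15, 0x16, 0x17)
            or data[1] != 3 or data[2] > 4):
        return "not_tls"
    rec_len = struct.unpack(">H", data[3:5])[0]
    # A fresh connection must open with a Handshake record holding a ClientHello.
    if data[0] != 0x16 or rec_len > 2 ** 14 or len(data) < 9 or data[5] != 0x01:
        return "fake_tls"
    hs_len = int.from_bytes(data[6:9], "big")
    body = data[9:9 + hs_len]
    # Nested lengths must agree (record = 4-byte handshake header + body),
    # and client_version must be a TLS 1.0..1.2 value.
    if (hs_len != rec_len - 4 or len(body) != hs_len or hs_len < 38
            or body[0] != 3 or body[1] not in (1, 2, 3)):
        return "fake_tls"
    pos = 2 + 32                                       # skip version + random
    sid_len = body[pos]
    pos += 1 + sid_len
    if sid_len > 32 or pos + 2 > hs_len:
        return "fake_tls"
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + cs_len
    if cs_len < 2 or cs_len % 2 or pos + 1 > hs_len:
        return "fake_tls"
    cm_len = body[pos]
    pos += 1 + cm_len
    if cm_len < 1 or pos > hs_len:                     # extensions may follow
        return "fake_tls"
    return "tls_client_hello"

def flag_fake_tls(flows):
    # Ids of flows to TCP/443 whose opening bytes are not a valid ClientHello.
    return [f["id"] for f in flows if f["dst_port"] == 443
            and classify_tls_start(f["first_bytes"]) != "tls_client_hello"]
```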
NCSC analysts found that UMBRELLA STAND has been deployed alongside a comprehensive toolkit of publicly available utilities.
Its modular architecture consists of multiple interconnected components, with a primary networking binary serving as the core module. The threat actors have shown operational security awareness by using several different string encryption techniques, and by choosing generic filenames that could plausibly exist on a Linux system in order to avoid immediate visual detection.
The impact of a successful UMBRELLA STAND infection extends well beyond simple network compromise. The malware gives its operators remote shell execution capabilities that are highly configurable: beacon frequencies can be adjusted at any time to suit the attackers' operational requirements, and shell commands can be executed through both the ash shell and the BusyBox environment.
It even has a built-in safety mechanism that automatically terminates its own long-running tasks after 900 seconds.
The most concerning aspect of this malware is its persistence mechanisms, which ensure continued system access. It achieves this through a dual-pronged approach that manipulates the device’s boot process and its functions. The primary persistence method hooks the reboot functionality of the Fortinet operating system itself, using an LD_PRELOAD technique that loads the malware’s library into new processes by modifying a configuration file. UMBRELLA STAND also abuses legitimate Fortinet security features to make the malware’s files effectively invisible.