Cyber Security News reports that the UK's National Cyber Security Centre has issued a high-severity warning about an advanced malware campaign, dubbed UMBRELLA STAND, targeting Fortinet FortiGate 100D firewalls.
Designed to maintain long-term access, the malware exploits device vulnerabilities and camouflages its activity using fake TLS traffic and AES encryption. It bypasses the standard TLS handshake and uses hardcoded IP addresses to evade detection while mimicking legitimate HTTPS traffic. NCSC researchers found that the malware is built on a modular framework that bundles BusyBox utilities, tcpdump and OpenLDAP tools, and that it hides behind generic Linux process names. UMBRELLA STAND also implements advanced persistence: it rewrites the Fortinet reboot function and leverages ld.so.preload so that it silently relaunches itself on every system startup. It even modifies FortiOS binaries to conceal its files in protected directories, effectively hiding them from routine admin checks. The campaign represents a significant evolution in infrastructure-focused threats, combining stealth, resilience, and operational control in a package tailored for deeply embedded exploitation.
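One defender-side check suggested by the fake-HTTPS behaviour described above, added here as an example that is not part of the article or the NCSC advisory: given the first client payload of each outbound flow to port 443 (assumed to be available from a capture on the firewall's upstream segment), flag flows that do not open with a well-formed TLS ClientHello record. The flows below are constructed samples with documentation-range addresses, not real indicators.

```python
# Added example: first-bytes check for traffic that uses port 443 without a real TLS handshake.
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type for handshake messages
CLIENT_HELLO = 0x01    # handshake message type for ClientHello
MAX_RECORD_LEN = 16384 + 2048  # largest legal TLS record body


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """Return True if payload starts with a TLS record that carries a ClientHello."""
    if len(payload) < 9:  # 5-byte record header + 4-byte handshake header
        return False
    content_type, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    # Record versions 3.0 (SSLv3) through 3.3 (TLS 1.2) are what real clients send.
    if content_type != TLS_HANDSHAKE or major != 3 or minor > 3:
        return False
    if rec_len < 4 or rec_len > MAX_RECORD_LEN:
        return False
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    # The handshake message (4-byte header + body) must fit inside the record carrying it.
    return hs_type == CLIENT_HELLO and hs_len + 4 <= rec_len


def flag_fake_https(flows):
    """Return (dst_ip, dst_port) for port-443 flows whose first client bytes are not a ClientHello."""
    findings = []
    for flow in flows:
        if flow["dst_port"] == 443 and not looks_like_tls_client_hello(flow["first_payload"]):
            findings.append((flow["dst_ip"], flow["dst_port"]))
    return findings


# Constructed sample flows (documentation-range addresses, not real indicators).
SAMPLE_FLOWS = [
    # Well-formed ClientHello: record len 70, handshake len 66, TLS 1.2 version + 64 bytes of body.
    {"dst_ip": "203.0.113.10", "dst_port": 443,
     "first_payload": bytes.fromhex("160301004601000042") + b"\x03\x03" + bytes(64)},
    # Application-data record with no preceding handshake.
    {"dst_ip": "198.51.100.7", "dst_port": 443,
     "first_payload": b"\x17\x03\x03\x00\x40" + bytes(64)},
    # Plaintext on 443.
    {"dst_ip": "192.0.2.55", "dst_port": 443,
     "first_payload": b"GET / HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for dst_ip, dst_port in flag_fake_https(SAMPLE_FLOWS):
        print(f"non-TLS first payload to {dst_ip}:{dst_port}")
```

The heuristic only inspects the first client bytes, so it complements rather than replaces full protocol analysis; a hit against a hardcoded external address on a device that should not initiate such connections is the signal worth escalating.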