Revisiting UNC3886 Tactics to Defend Against Present Risk

Key Takeaways

UNC3886 is an APT group that has historically targeted critical infrastructure, including telecommunications, government, technology, and defense, most recently in an attack against Singapore.

The group is known for rapidly exploiting zero-day and high-impact vulnerabilities in network and virtualization devices such as VMware vCenter/ESXi, Fortinet FortiOS, and Juniper Junos OS.

UNC3886 deploys custom toolsets including TinyShell (a covert remote access tool), Reptile (a stealthy Linux rootkit), and Medusa. The group layers its persistence with advanced defense-evasion methods such as rootkit deployment, living-off-the-land tactics, and the replacement or backdooring of core system binaries.
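The replacement or backdooring of core system binaries is one of the few tactics above that a defender can check for directly. The following is an added example, not code from the Trend Micro post or from any UNC3886 tooling: a minimal file-integrity baseline for a binary directory, which reports modified, missing, and unexpected files. The directory layout, the file contents, and the baseline format are all constructed for this example; in production the comparison should be made against vendor package manifests (for example `rpm -V` or `dpkg --verify`) or a baseline recorded from a known-good image and stored off-host, since a rootkit on the same host can hide or alter files from local tooling.

```python
"""Added example: a file-integrity check for a directory of system binaries.

Assumptions (constructed for this example): the 'bin' tree, its contents and
the dict-based baseline format are made up here. Real deployments should
compare against package-manager manifests or an off-host baseline.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Record (relative path -> digest) for every regular file under root.

    Symlinks are skipped on purpose: a link re-pointed at a planted binary
    would otherwise hash as whatever it currently targets and pass unnoticed.
    """
    baseline: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[str(p.relative_to(root))] = hash_file(p)
    return baseline


def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree to the baseline and return the differences."""
    current = build_baseline(root)
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    missing = sorted(k for k in baseline if k not in current)
    unexpected = sorted(k for k in current if k not in baseline)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> dict[str, list[str]]:
    """Build a constructed 'bin' tree, baseline it, simulate tampering, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "bin"
        root.mkdir()
        # Constructed stand-ins for real binaries; contents are arbitrary.
        (root / "ls").write_bytes(b"#!/bin/sh\necho legit-ls\n")
        (root / "ssh").write_bytes(b"#!/bin/sh\necho legit-ssh\n")
        (root / "sudo").write_bytes(b"#!/bin/sh\necho legit-sudo\n")
        baseline = build_baseline(root)

        # Simulated tampering of the kind the baseline should surface:
        # one binary replaced, one new file dropped, one binary removed.
        (root / "ssh").write_bytes(b"#!/bin/sh\necho replaced-ssh\n")
        (root / "helper").write_bytes(b"#!/bin/sh\necho planted\n")
        (root / "sudo").unlink()
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run as a script it prints the three categories for the constructed tree (`modified: ['ssh']`, `missing: ['sudo']`, `unexpected: ['helper']`). The baseline itself is the trust anchor: it must be generated before deployment and kept where a compromised host cannot rewrite it, otherwise an attacker who replaces a binary can simply re-baseline.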

Trend Vision One™ detects and blocks the indicators of compromise (IOCs) highlighted in this blog. Trend Vision One customers can also access hunting queries, threat insights, and threat intelligence reports to gain rich context and the latest updates on UNC3886.

To read the complete article see: Revisiting UNC3886 Tactics to Defend Against Present Risk

This post is licensed under CC BY 4.0 by the author.