The UK’s National Cyber Security Centre (NCSC) has published a detailed analysis of a newly identified malware family it has named “UMBRELLA STAND.”
The malware targets internet-facing Fortinet FortiGate 100D series firewalls and is built to gain a foothold on the device, persist across reboots, and exfiltrate data from the compromised environment.
Sophisticated Malware Capabilities Exploit Critical Network Infrastructure
UMBRELLA STAND is a multi-component malware family designed with operational security in mind.
According to the NCSC, it combines bespoke binaries with publicly available utilities, including BusyBox, tcpdump, nbtscan and OpenLDAP tooling, to extend what the operator can do once inside a network.
Key technical features of UMBRELLA STAND include:
- Command and Control (C2) Obfuscation: The malware beacons to its C2 server over TCP port 443 using “fake TLS”: the traffic carries TLS record framing so that it resembles ordinary HTTPS, but no TLS handshake is ever performed. This can slip past port- and protocol-based filtering, while leaving a concrete anomaly for network analysts to hunt for.
- Remote Execution and Data Exfiltration: UMBRELLA STAND can execute arbitrary shell commands on the infected device, read files in chunks of up to 6000 bytes at a time, and orchestrate collection and exfiltration of data through configurable routines.
- Custom Encryption: C2 communications are AES-encrypted with a configurable key and a hardcoded initialization vector (IV). The NCSC notes that both values can differ from one C2 server to another, so detection that relies on a single key/IV pair is unreliable and analysis of each sample must recover its own values.
- Persistence Mechanisms: The threat actor hooks the device’s reboot function so that a reboot launches the malware’s loader binary, and hijacks the dynamic linker through a preload mechanism (ld.so.preload / LD_PRELOAD-style) so that the implant survives device restarts.
- Defense Evasion: UMBRELLA STAND uses hidden directories (for example /data2/.ztls/), generic filenames, and process and file name spoofing to blend in with legitimate files and processes. It also stores strings on the stack in AES-encrypted form and patches system binaries to hide its presence and activity.
Indicators of compromise (IoCs) include beaconing to the hardcoded C2 IP address 89.44.194.32, suspicious binaries in hidden directories, and TLS-like traffic on port 443 that never performs a handshake.
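The fake-TLS beacon and the C2 address above are the network-side signals a defender can act on. The following Python is an added example, not code from the NCSC report: it parses the first client-to-server bytes of a tcp/443 flow, distinguishes a genuine ClientHello from TLS record framing that skips the handshake, and separately matches the known C2 IP. The flow records and byte strings are constructed for illustration; the `find_beacons` input format is an assumption, not the output of any particular capture tool.

```python
"""Flag tcp/443 flows whose first client record is TLS application data
with no preceding handshake (the 'fake TLS' beacon pattern), plus flows to
the known C2 address. Added example; sample flows below are constructed."""
import struct

TLS_HANDSHAKE = 0x16
TLS_APPLICATION_DATA = 0x17
CLIENT_HELLO = 0x01
TLS_RECORD_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}
KNOWN_C2 = {"89.44.194.32"}  # hardcoded C2 address reported by the NCSC


def parse_records(payload):
    """Split a byte string into TLS records as (content_type, version, body).
    A truncated final record is kept so a short capture still classifies."""
    records = []
    off = 0
    while off + 5 <= len(payload):
        ctype, version, length = struct.unpack("!BHH", payload[off:off + 5])
        body = payload[off + 5:off + 5 + length]
        records.append((ctype, version, body))
        if len(body) < length:
            break
        off += 5 + length
    return records


def classify_client_bytes(payload):
    """Classify the first client-to-server bytes of a flow.

    'tls'      : starts with a Handshake record carrying a ClientHello
    'fake-tls' : starts with an ApplicationData record, i.e. TLS framing
                 with the handshake skipped
    'other'    : not TLS record framing at all
    """
    records = parse_records(payload)
    if not records:
        return "other"
    ctype, version, body = records[0]
    if version not in TLS_RECORD_VERSIONS:
        return "other"
    if ctype == TLS_HANDSHAKE and body[:1] == bytes([CLIENT_HELLO]):
        return "tls"
    if ctype == TLS_APPLICATION_DATA:
        return "fake-tls"
    return "other"


def find_beacons(flows):
    """flows: iterable of dicts with src, dst, dport and client_bytes
    (assumed layout). Returns a list of (reason, flow) alerts."""
    alerts = []
    for flow in flows:
        if flow["dst"] in KNOWN_C2:
            alerts.append(("known C2 address", flow))
        elif flow["dport"] == 443 and classify_client_bytes(flow["client_bytes"]) == "fake-tls":
            alerts.append(("fake TLS: application data before any handshake", flow))
    return alerts


def tls_record(ctype, body, version=0x0303):
    """Build one TLS record header + body (used only to construct samples)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed: a minimal Handshake record whose body starts with ClientHello (0x01).
CLIENT_HELLO_BYTES = tls_record(TLS_HANDSHAKE, b"\x01\x00\x00\x04\x03\x03\x00\x00", version=0x0301)
# Constructed: an opaque blob framed as ApplicationData with no handshake before it.
FAKE_TLS_BYTES = tls_record(TLS_APPLICATION_DATA, bytes(range(32)))

SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "client_bytes": CLIENT_HELLO_BYTES},
    {"src": "10.0.0.5", "dst": "198.51.100.7", "dport": 443, "client_bytes": FAKE_TLS_BYTES},
    {"src": "10.0.0.5", "dst": "89.44.194.32", "dport": 443, "client_bytes": FAKE_TLS_BYTES},
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 80, "client_bytes": b"GET / HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for reason, flow in find_beacons(SAMPLE_FLOWS):
        print(f"{flow['src']} -> {flow['dst']}:{flow['dport']}  {reason}")
```

The check is deliberately keyed on the first client record rather than on the destination address: the C2 IP is a useful IoC today but is trivial for the operator to change, whereas a flow that starts with ApplicationData on 443 is a protocol anomaly regardless of where it goes.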
YARA Rules and Detection Guidance
The NCSC has published YARA signatures to aid detection, including rules that target the AES-encrypted stack strings, the hidden directory paths, and specific binaries used by the malware.
The agency assesses UMBRELLA STAND as medium sophistication, but notes that its obfuscation and blending techniques make it a noteworthy threat to network edge devices.
Key takeaways for defenders:
- Monitor internet-facing Fortinet devices, particularly FortiGate 100D series firewalls, for unexpected outbound connections and unexplained file or configuration changes.
- Alert on TLS-like traffic to port 443 that never completes a TLS handshake, and on connections to unfamiliar external IP addresses, including the known C2 address above.
- Scrutinize process listings for mismatches between a process name and the executable actually backing it, and for executables running from data partitions rather than firmware paths.
- Deploy the NCSC’s YARA rules and review logs for file modifications and the creation of hidden directories.
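Two of these takeaways, spoofed process names and hidden directories or linker preload files, can be triaged from listings taken off the device. The Python below is an added example, not code from the NCSC report: it parses a constructed process listing and file listing and flags the patterns described above. The `PID NAME EXE` column layout and every path other than /data2/.ztls/ are assumptions for illustration, and the listings are assumed to have been obtained through whatever diagnostic or forensic access is available on the appliance.

```python
"""Host-side triage for two signals described above: a process whose name
does not match the executable behind it, and hidden directories or
dynamic-linker preload files on the device's data partitions.
Added example; listings are constructed and the layout is an assumption."""
import os
import re

# Constructed listing in an assumed 'PID NAME EXE' layout.
PROCESS_LISTING = """\
PID   NAME      EXE
1     init      /sbin/init
212   sshd      /bin/sshd
455   miglogd   /data2/.ztls/ld
640   httpsd    /bin/httpsd
781   httpsd    /data2/.ztls/httpsd
903   cmdbsvr   /bin/cmdbsvr
"""

# Constructed file listing; only /data2/.ztls/ comes from the report.
FILE_LISTING = """\
/data2/config
/data2/.ztls/httpsd
/data2/.ztls/.cfg
/data/etc/ld.so.preload
/bin/sshd
"""

TRUSTED_DIRS = ("/bin", "/sbin")                 # assumption: read-only firmware paths
HIDDEN_COMPONENT = re.compile(r"(^|/)\.[^/]+")   # any dot-prefixed path component


def parse_process_listing(text):
    """Parse 'PID NAME EXE' rows (header skipped) into dicts."""
    rows = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        pid, name, exe = line.split(None, 2)
        rows.append({"pid": int(pid), "name": name, "exe": exe.strip()})
    return rows


def suspicious_processes(rows, trusted_dirs=TRUSTED_DIRS):
    """Return (pid, reason, exe) for processes whose name does not match the
    executable's basename, or whose executable lives outside firmware dirs."""
    findings = []
    for row in rows:
        exe = row["exe"]
        if os.path.basename(exe) != row["name"]:
            findings.append((row["pid"], "process name does not match executable", exe))
        elif not any(exe.startswith(d + "/") for d in trusted_dirs):
            findings.append((row["pid"], "executable outside firmware directories", exe))
    return findings


def triage_files(text):
    """Split a file listing into hidden paths and ld.so.preload entries."""
    paths = [p.strip() for p in text.splitlines() if p.strip()]
    return {
        "hidden": [p for p in paths if HIDDEN_COMPONENT.search(p)],
        "preload": [p for p in paths if p.endswith("/ld.so.preload")],
    }


if __name__ == "__main__":
    for pid, reason, exe in suspicious_processes(parse_process_listing(PROCESS_LISTING)):
        print(f"pid {pid}: {reason} ({exe})")
    for kind, paths in triage_files(FILE_LISTING).items():
        for path in paths:
            print(f"{kind}: {path}")
```

Note that the name-versus-executable check alone would miss pid 781 in the sample, because the implant has reused a legitimate daemon's name for both; the second test, an executable outside the firmware directories, is what catches a binary staged under a writable data partition.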
Broader Implications
UMBRELLA STAND is not an isolated threat. The NCSC draws parallels to earlier campaigns such as COATHANGER, highlighting the continuity in tactics and operational security among actors targeting edge devices in critical infrastructure.
While the malware currently targets Fortinet devices, its modular design and reliance on open-source tools mean it could be adapted to other embedded platforms.
The NCSC urges organizations to patch vulnerable systems, monitor for the published IoCs, and remain vigilant.
As threats to edge devices grow more sophisticated, timely detection and response remain essential for protecting critical network assets.