
The UK’s National Cyber Security Centre (NCSC) has issued a critical alert about a sophisticated malware campaign called “UMBRELLA STAND,” which specifically targets internet-facing Fortinet FortiGate 100D series firewalls. This threat represents a significant escalation in attacks against network infrastructure, aiming to establish long-term access to compromised networks by exploiting security vulnerabilities.


Technical Sophistication
UMBRELLA STAND operates with advanced technical capabilities, using fake TLS communications on port 443 to connect to its command and control servers while maintaining AES-encrypted data channels.


Unlike a legitimate TLS session, it skips the TLS handshake entirely and sends its encrypted data directly to hardcoded IP addresses such as 89.44.194.32. Because the traffic rides on port 443, it blends with normal HTTPS communications, complicating detection for network administrators.
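A check a defender could run over the first client bytes of port-443 flows, added here as an illustration rather than taken from the NCSC alert or this article (flows, addresses and payloads are constructed): a genuine TLS session opens with a well-formed ClientHello record, so a connection whose first bytes carry no handshake framing matches the pattern described above.

```python
import struct

# Constructed sample: the first segment a real client sends on port 443, a minimal
# TLS ClientHello (record header + handshake header + 43-byte body).
TLS_CLIENT_HELLO = (
    bytes.fromhex("160301002f")   # record: handshake (0x16), legacy version 3.1, 47-byte fragment
    + bytes.fromhex("0100002b")   # handshake: ClientHello (0x01), 43-byte body
    + bytes.fromhex("0303")       # client_version TLS 1.2
    + bytes(32)                   # client random (zeros, constructed)
    + bytes.fromhex("00")         # session_id length 0
    + bytes.fromhex("00021301")   # one cipher suite: TLS_AES_128_GCM_SHA256
    + bytes.fromhex("0100")       # compression methods: null only
    + bytes.fromhex("0000")       # no extensions
)
# Constructed samples of what is NOT a handshake: opaque ciphertext sent with no
# TLS framing (the behaviour described above), and plain HTTP on port 443.
FAKE_TLS_BLOB = bytes.fromhex("9c4be2a17f03d8e6602a9b5d41c7f0ee")
HTTP_ON_443 = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"


def looks_like_client_hello(payload: bytes) -> bool:
    """True if the first client bytes form a well-formed TLS ClientHello record.

    Only framing is checked (record header, handshake type, nested lengths);
    that is enough to separate a real handshake from encrypted data sent
    without one. Assumes the ClientHello fits in a single record.
    """
    if len(payload) < 9:
        return False
    content_type, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if content_type != 0x16 or major != 3 or minor not in (1, 2, 3):
        return False
    if rec_len < 4 or rec_len > 16384:
        return False
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    # The ClientHello message must exactly fill the record fragment.
    return hs_type == 0x01 and hs_len == rec_len - 4


CONSTRUCTED_FLOWS = [
    {"dst": "203.0.113.10", "dport": 443, "first_bytes": TLS_CLIENT_HELLO},
    {"dst": "203.0.113.20", "dport": 443, "first_bytes": FAKE_TLS_BLOB},
    {"dst": "203.0.113.30", "dport": 443, "first_bytes": HTTP_ON_443},
    {"dst": "203.0.113.40", "dport": 80, "first_bytes": HTTP_ON_443},  # not 443: ignored
]


def flag_fake_tls(flows):
    """Destinations of port-443 flows whose first client bytes are not a ClientHello."""
    return [f["dst"] for f in flows
            if f["dport"] == 443 and not looks_like_client_hello(f["first_bytes"])]


if __name__ == "__main__":
    print("flows on 443 without a TLS handshake:", flag_fake_tls(CONSTRUCTED_FLOWS))
```

On a real sensor the `first_bytes` field would come from the first client-to-server payload of each new connection, for example from a packet capture or flow metadata that records initial bytes.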

The malware is deployed alongside a toolkit of publicly available utilities, including BusyBox, nbtscan, tcpdump, and OpenLDAP components. Its modular architecture features a primary networking binary, “blghtd,” for communication, and a watchdog process, “jvnlpe,” to keep it running.


Evasion Techniques and Persistence
The threat actors demonstrate strong operational security by using string encryption and generic filenames, such as renaming processes to “/bin/httpsd” to evade detection.


UMBRELLA STAND provides attackers with remote shell execution capabilities and configurable beacon frequencies, allowing it to execute commands in both ash shell and BusyBox environments while automatically terminating long-running tasks to avoid detection.

One of the most concerning aspects is its persistence mechanisms, which ensure continued access after reboots. The malware hooks into the Fortinet operating system’s reboot functionality, replacing the legitimate reboot function with its own code. It also uses an LD_PRELOAD technique to load its “libguic.so” library into new processes, ensuring reinitialization whenever specific system processes restart.

Additionally, UMBRELLA STAND manipulates legitimate Fortinet security features by modifying the “/bin/sysctl” binary to redirect references to protected directories, effectively hiding its files from administrators while appearing to use legitimate system protections.