
Chinese state hackers infected 20,000 Fortinet VPNs, says Dutch intelligence agency

Hackers working for the Chinese government gained access to more than 20,000 VPN devices sold by Fortinet by exploiting a critical vulnerability that the company did not disclose until two weeks after it had fixed it, Dutch government officials said.

The vulnerability, tracked as CVE-2022-42475, is a heap-based buffer overflow in the FortiOS SSL-VPN component that allows an unauthenticated attacker to remotely execute malicious code. It carries a CVSS severity rating of 9.8 out of 10. Fortinet, a network security vendor, quietly fixed the vulnerability on November 28, 2022, but did not mention the threat until December 12 of that year, when the company said it had learned of a “case of this vulnerability being exploited in the wild.” On January 11, 2023, more than six weeks after the fix, Fortinet warned that a threat actor was exploiting it to infect government and government-related organizations with advanced, customized malware.
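The article names the bug class but gives no detail of the CVE-2022-42475 code path, so the following is an added, generic illustration and not FortiOS code, Fortinet code, or anything from the Dutch reports: a hypothetical length-prefixed field parser in the vulnerable form (attacker-controlled length copied into a fixed-size heap buffer) beside its bounds-checked form. FIELD_MAX, the message layout and every function name are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed size of the heap-allocated field buffer (assumption). */
#define FIELD_MAX 64

/* Constructed message layout for this example:
 *   byte 0     : declared length N of the field (0..255)
 *   bytes 1..N : field data
 * This does not reflect the real FortiOS SSL-VPN request format. */

/* Vulnerable pattern: the attacker-controlled length is trusted and used to
 * copy into a fixed-size heap buffer. A sender who declares N > FIELD_MAX
 * writes past the end of the allocation; corrupting neighbouring heap chunks
 * or objects is the usual first step toward remote code execution.
 * Never feed this untrusted input; it is here only to show the defect. */
char *parse_field_vulnerable(const uint8_t *msg, size_t msg_len) {
    if (msg_len < 1) return NULL;
    size_t n = msg[0];
    char *field = malloc(FIELD_MAX);
    if (!field) return NULL;
    memcpy(field, msg + 1, n);   /* BUG: n is checked against neither FIELD_MAX nor msg_len */
    field[n] = '\0';             /* BUG: also writes out of bounds whenever n >= FIELD_MAX */
    return field;
}

/* Hardened form: bound the declared length by both the destination size
 * (leaving room for the terminator) and the bytes actually present in the
 * message, before any allocation or copy. Keeping every length in size_t
 * avoids the signed/unsigned mix-ups that silently defeat such checks. */
char *parse_field_safe(const uint8_t *msg, size_t msg_len) {
    if (msg == NULL || msg_len < 1) return NULL;
    size_t n = msg[0];
    if (n >= FIELD_MAX) return NULL;   /* would overflow the destination */
    if (n > msg_len - 1) return NULL;  /* declares more bytes than the message carries */
    char *field = malloc(FIELD_MAX);
    if (!field) return NULL;
    memcpy(field, msg + 1, n);
    field[n] = '\0';
    return field;
}

/* Builds a message declaring n bytes and carrying n bytes of 'A', parses it
 * with the hardened parser, and returns the field length or -1 if rejected. */
int safe_parse_length(uint8_t n) {
    uint8_t msg[1 + 255];
    msg[0] = n;
    memset(msg + 1, 'A', n);
    char *field = parse_field_safe(msg, (size_t)n + 1);
    if (!field) return -1;
    int len = (int)strlen(field);
    free(field);
    return len;
}

/* A message that declares 10 bytes but carries only 2: returns 1 if the
 * hardened parser rejects it (an over-read would otherwise copy stray bytes). */
int safe_rejects_truncated(void) {
    const uint8_t msg[3] = {10, 'A', 'A'};
    char *field = parse_field_safe(msg, sizeof msg);
    if (field) { free(field); return 0; }
    return 1;
}

int main(void) {
    printf("declared 10, present 10  -> %d\n", safe_parse_length(10));      /* 10 */
    printf("declared 63, present 63  -> %d\n", safe_parse_length(63));      /* 63 */
    printf("declared 64, present 64  -> %d\n", safe_parse_length(64));      /* -1 */
    printf("declared 200, present 200 -> %d\n", safe_parse_length(200));    /* -1 */
    printf("truncated message rejected -> %d\n", safe_rejects_truncated()); /* 1 */
    return 0;
}
```

The two rejections in the hardened parser are independent checks: the first stops the heap write past FIELD_MAX, the second stops an over-read past the end of the received message. Only the hardened parser is exercised at run time; the vulnerable one is never called with an oversized length, since doing so is undefined behaviour.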

Enter CoatHanger

Dutch authorities first reported in February 2024 that Chinese state hackers had exploited CVE-2022-42475 to install an advanced, stealthy backdoor called CoatHanger on FortiGate devices at the Dutch Ministry of Defense. Once installed, the previously unseen malware, built specifically for the underlying FortiOS operating system, persisted on devices across reboots and firmware updates. CoatHanger could also evade conventional detection measures, authorities warned. The damage from the intrusion was limited, however, because the infection remained confined to a network segment reserved for unclassified purposes.

On Monday, officials from the Netherlands’ Military Intelligence and Security Service (MIVD) and General Intelligence and Security Service (AIVD) said that the Chinese state hackers had so far exploited the critical vulnerability to compromise more than 20,000 FortiGate devices. The targets include dozens of Western government agencies, international organizations and defense companies.

“Since then, the MIVD has conducted further investigations and shown that the Chinese cyber espionage campaign appears to be much more extensive than previously known,” Dutch officials from the National Cyber Security Centre (NCSC) wrote. “The NCSC therefore calls for special attention to this campaign and the abuse of vulnerabilities in edge devices.”

According to Monday’s report, the threat actor knew of the vulnerability at least two months before Fortinet first disclosed it, and 14,000 devices were compromised during that zero-day window. Officials warned that because CoatHanger is so difficult to detect and remove, the Chinese threat group likely still has access to many victims.

Dutch government officials wrote in their report on Monday:

Since its publication in February, the MIVD has continued to investigate the broader Chinese cyber espionage campaign. It found that in both 2022 and 2023, the state actor gained access to at least 20,000 FortiGate systems worldwide within a few months via the vulnerability with the identifier CVE-2022-42475. In addition, investigations show that the state actor behind this campaign was aware of this vulnerability in FortiGate systems at least two months before Fortinet disclosed the vulnerability. During this so-called “zero-day” period alone, the actor infected 14,000 devices. Targets include dozens of (Western) governments, international organizations, and a large number of defense industry companies.

The state actor subsequently installed malware on relevant targets. This gave the state actor permanent access to the systems. Even if a victim installs security updates from FortiGate, the state actor still has this access.

It is not known how many victims actually have malware installed. Dutch intelligence services and the NCSC believe it is likely that the state actor could potentially expand its access to hundreds of victims worldwide and carry out additional actions such as stealing data.

Even with the technical report on the COATHANGER malware, infections by the actor are difficult to identify and remove. The NCSC and Dutch intelligence services therefore state that the state actor probably still has access to the systems of a significant number of victims.

Given the severity of the vulnerability, Fortinet’s failure to disclose it in a timely manner is particularly egregious. Disclosures matter because they help users prioritize patching. When a new version fixes only minor bugs, many organizations wait to install it; when it fixes a vulnerability rated 9.8, they are far more likely to expedite the update. Because the vulnerability was already being exploited before Fortinet fixed it, timely disclosure would probably not have prevented every infection, but it stands to reason that it could have prevented some.

Fortinet officials have never explained why they did not disclose the critical vulnerability when they fixed it, and they have declined to share the company’s vulnerability disclosure policy. Company representatives did not immediately respond to an email seeking comment for this article.
