Thousands of Fortinet's FortiGate edge devices were exposed in a Chinese-backed hacking campaign

Logo of Fortinet, developer of the FortiGate edge appliance, pictured on a smartphone with logo and branding in background.
(Image credit: Getty Images)

A cyber espionage campaign that targeted Fortinet’s FortiGate devices may have been more widespread than previously thought.

In February, the Dutch cyber security agency NCSC and intelligence agencies revealed that a small network at the country’s Ministry of Defence had been hacked in 2023.

Although the impact of the attack was limited by network segmentation, investigators discovered previously unknown malware in the form of a remote access trojan (RAT) designed specifically for FortiGate appliances. Initial access was gained by exploiting the FortiGate vulnerability tracked as CVE-2022-42475.

The Dutch intelligence services called the malware ‘Coathanger’ because of a string of text present in the code used to encrypt the configuration on disk which read: ‘She took his coat and hung it up’.

The malware is stealthy and hard to get rid of, the agencies warned.

“Notably, the Coathanger implant is persistent, recovering after every reboot by injecting a backup of itself in the process responsible for rebooting the system. Moreover, the infection survives firmware upgrades,” the agencies said.

Dutch authorities said the attack was likely conducted by a group backed by the Chinese government.

Since then, the Dutch Military Intelligence and Security Service (MIVD) has investigated further and said that the Chinese cyber espionage campaign appears to be much more extensive than previously known.

“This research revealed that by exploiting a vulnerability affecting FortiGate devices, the state actor gained access to at least 20,000 FortiGate devices globally within a few months in both 2022 and 2023,” the Dutch NCSC said.

“Further investigation indicates that the actor was aware of the exploited vulnerability CVE-2022-42475 at least two months prior to the disclosure of the vulnerability. During this zero-day period alone, the actor infected as many as 14,000 devices. The targets included dozens of Western governments and diplomatic institutions as well as numerous companies operating in the defense industry.”

A patch was issued for the FortiGate flaw

Fortinet fixed the vulnerability in December 2022, describing it as a ‘heap-based buffer overflow vulnerability’. ITPro has approached Fortinet in light of the new information.

After gaining access to a device, the attackers would install malware at a later stage if a target was considered to be relevant. The Dutch authorities did not know how many of these devices were actually subjected to the subsequent operations by the actor.

“However, the Netherlands intelligence and security services and the NCSC deem it probable that the hacker was potentially able to expand access and carry out additional actions, such as data theft, potentially affecting hundreds of victims worldwide,” they said, warning that the attackers might still have access to the systems of a significant number of victims.

The NCSC said the attack is part of a trend towards attacks on edge devices such as firewalls, VPN servers, routers and email servers.


“Due to the security challenges associated with these devices, they have become prime targets for malicious actors. Positioned at the periphery of the IT network, edge devices often have direct connections to the internet,” they said.

The agencies also warned that the initial compromise of an IT network is difficult to prevent if an actor is exploiting a zero-day vulnerability.

“It is important for organizations to, therefore, adopt the ‘assume breach’ principle, which acknowledges that a successful digital attack has already occurred or is imminent.”

The NCSC said organizations should make a list of the edge devices within their organization and determine how accessible they are over the internet, and how they are managed.

It added that once organizations have identified all their edge devices “and the corresponding attack surface”, the next step is to understand which features are enabled by default and whether high-risk features can be disabled.

Active monitoring and detection are important security measures to help spot when edge devices have been exploited, and the agencies said that organizations need to have specific patch management for edge devices.
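The inventory, exposure, feature and patch questions above translate directly into a triage script. The following is an added example, not code from the article or from the NCSC/MIVD: it runs a constructed sample inventory (no real hosts) through those questions and returns findings per device. The FIXED_VERSIONS table lists, per FortiOS branch, the first release that I understand to contain the CVE-2022-42475 fix; treat those values as an assumption and confirm them against Fortinet's advisory before relying on them. The final check encodes the article's "assume breach" point: because exploitation predated disclosure and the implant survives firmware upgrades, a device that is patched today but sits on the internet still needs a compromise assessment.

```python
"""Edge-device triage checklist as code (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class EdgeDevice:
    name: str
    product: str               # e.g. "fortigate"
    version: str               # firmware version string, e.g. "7.0.8"
    internet_facing: bool      # any interface reachable from the internet
    mgmt_from_internet: bool   # admin GUI/SSH reachable from the internet
    features: tuple[str, ...]  # enabled features, vendor-neutral labels


# First fixed release per branch. ASSUMED values: verify against the vendor advisory.
FIXED_VERSIONS = {
    "fortigate": {"7.2": "7.2.3", "7.0": "7.0.9", "6.4": "6.4.11", "6.2": "6.2.12"},
}

# Features that widen the attack surface when reachable from the internet.
HIGH_RISK_FEATURES = {"ssl-vpn", "admin-http", "admin-https", "ssh", "telnet", "snmp"}


def parse_version(v: str) -> tuple[int, ...]:
    # Numeric compare so that 7.0.10 sorts above 7.0.9 (string compare would not).
    return tuple(int(part) for part in v.split("."))


def branch_of(v: str) -> str:
    return ".".join(v.split(".")[:2])


def patch_state(product: str, version: str) -> tuple[str, str | None]:
    """Return ("patched" | "vulnerable" | "unknown", first fixed version or None)."""
    fixed = FIXED_VERSIONS.get(product, {}).get(branch_of(version))
    if fixed is None:
        return "unknown", None  # branch not in the table: needs a manual check
    if parse_version(version) >= parse_version(fixed):
        return "patched", fixed
    return "vulnerable", fixed


def triage(dev: EdgeDevice) -> list[str]:
    findings: list[str] = []
    state, fixed = patch_state(dev.product, dev.version)
    if state == "vulnerable":
        findings.append(f"firmware {dev.version} is below first fixed release {fixed}")
    elif state == "unknown":
        findings.append(f"no fixed-version data for {dev.product} {branch_of(dev.version)}; check manually")
    if dev.mgmt_from_internet:
        findings.append("management interface reachable from the internet; restrict to a management network")
    risky = sorted(set(dev.features) & HIGH_RISK_FEATURES)
    if dev.internet_facing and risky:
        findings.append("high-risk features enabled on an internet-facing device: " + ", ".join(risky))
    # Assume breach: the zero-day was exploited before disclosure and the implant
    # survives firmware upgrades, so an internet-facing device on an affected
    # branch needs a compromise assessment even if it is patched now.
    if dev.internet_facing and state in ("patched", "vulnerable"):
        findings.append("internet-facing on an affected branch; run a compromise assessment, "
                        "patching alone does not evict an implant")
    return findings


def triage_inventory(devices: list[EdgeDevice]) -> dict[str, list[str]]:
    return {d.name: triage(d) for d in devices}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    EdgeDevice("fw-hq-1", "fortigate", "7.0.8", True, True, ("ssl-vpn", "admin-https")),
    EdgeDevice("fw-hq-2", "fortigate", "7.2.4", True, False, ("ssl-vpn",)),
    EdgeDevice("fw-lab-1", "fortigate", "7.0.12", False, False, ("admin-https", "ssh")),
    EdgeDevice("fw-old-1", "fortigate", "5.6.14", True, False, ()),
]

if __name__ == "__main__":
    for name, findings in triage_inventory(SAMPLE_INVENTORY).items():
        print(name)
        for line in findings or ["no findings"]:
            print("  -", line)
```

Feed it your real inventory (exported from a CMDB or scanned from your address space) rather than the sample list; the useful output is the set of devices that are internet-facing, expose management, or sit on an affected branch, which is the list to prioritise for restriction, patching and a compromise assessment.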

Finally, the agencies said that organizations should aim to limit the impact of edge device exploitation, for example by checking whether you rely on a security measure that would prove to be a ‘single point of failure’ if an edge device were to be compromised.

“Are the surrounding network infrastructure and network components also set up along defense-in-depth principles? For example, what is the level of trust and rights between these components and edge devices? How are the components of the network segmented? Does your organization use its own hardening for edge devices, or do you need to consult with the supplier?”

The agency said these should be among the questions companies should be asking themselves.

Steve Ranger

Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of silicon.com.