China-Backed Hackers Exploit Fortinet Flaw, Infecting 20,000 Systems Globally

Summary:
The Dutch Military Intelligence and Security Service (MIVD) and the National Cyber Security Centre (NCSC) advised yesterday that a Chinese state-sponsored cyber-espionage campaign, first documented in February 2024, compromised far more devices than previously observed. The adversary gained initial access to at least 20,000 Fortinet FortiGate systems across multiple countries via CVE-2022-42475, a known critical remote code execution (RCE) flaw. CVE-2022-42475 is a heap-based buffer overflow (MITRE) in the FortiOS SSL-VPN component; the actor exploited it over a period of a few months in 2022 and 2023, including while it was still a zero-day. The adversary later used this access to install the COATHANGER remote access trojan (RAT) on vulnerable FortiGate network security appliances. The backdoor communicates with a command-and-control (C2) server, provides persistence, and acts as a launchpad for deploying additional malware. According to the NCSC, the decision to install COATHANGER for persistence was made well after initial access had been obtained. Currently, however, there is no clear indication of how many of the compromised devices subsequently had COATHANGER deployed on them.

Security Officer Comments:
This backdoor-based persistence method, used by Chinese state-sponsored actors for cyber espionage, highlights the security challenges organizations face when operating publicly accessible edge devices such as firewalls and VPN servers. The campaign is likely to expand the threat actor's network of compromised devices, which can then be used to deliver additional malware and potentially steal sensitive data. The NCSC states that COATHANGER is difficult to identify and remove because it survives system reboots and firmware upgrades, operates outside traditional detection measures, and is specifically designed for FortiGate devices. CVE-2022-42475 was also exploited as a zero-day against government organizations and related entities, as disclosed by Fortinet in January 2023.

Suggested Corrections:
Edge device mitigation measures released by the NCSC:

Edge devices sit at the edge of the IT network and usually have a direct connection to the internet. In addition, these devices are often not supported by Endpoint Detection and Response (EDR) solutions. Initial compromise of an IT network is difficult to prevent if the attacker uses a zero-day. It is therefore important that organizations apply the 'assume breach' principle: assume that a successful digital attack has already taken place or will soon take place, and take measures accordingly to limit the damage and impact.

  • Regularly perform a risk analysis on edge devices, for example whenever functionality is added.
  • Limit the internet exposure of edge devices by disabling unused ports and functionality. In addition, do not make the management interface accessible from the internet.
  • Regularly analyze the logs to detect anomalous activity, including login attempts at unusual times, unknown (foreign) IP addresses, and unauthorized configuration changes. Forward the logs to a secure, separate environment so that their integrity is guaranteed.
  • Install the latest security updates as soon as the vendor makes them available. In addition, take advantage of any additional protection measures the vendor provides.
  • Replace hardware and software that is no longer supported by the vendor.
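The log-analysis measure above (unusual login times, unknown source IPs, unauthorized configuration changes) and the management-interface measure can be turned into concrete detection rules. The following is an added example, not code from the NCSC, MIVD or Fortinet: it parses key=value event lines in the style of FortiGate syslog and flags each of those conditions. The device name, IP ranges, user names and the log lines themselves are constructed for illustration; the allowlist, change roster and business hours are assumptions a real deployment would replace with its own policy.

```python
"""Detection rules for the NCSC edge-device logging advice.

Added example. The sample lines below are constructed in the style of
FortiGate key=value syslog (event/system subtype) and are not real captures;
device names, IPs and users are hypothetical.
"""
import re
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample log lines (hypothetical device, users and addresses).
SAMPLE_LOGS = [
    'date=2024-06-10 time=09:12:03 devname="FGT-EDGE-01" type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" srcip=10.20.0.15 action="login" status="success"',
    'date=2024-06-10 time=03:41:55 devname="FGT-EDGE-01" type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" srcip=198.51.100.77 action="login" status="success"',
    'date=2024-06-10 time=03:43:10 devname="FGT-EDGE-01" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="admin" srcip=198.51.100.77 action="Edit" '
    'cfgpath="system.interface" cfgobj="wan1" cfgattr="allowaccess[ping->ping https ssh]"',
    'date=2024-06-10 time=14:05:30 devname="FGT-EDGE-01" type="event" subtype="system" '
    'logdesc="Object attribute configured" user="netops-jane" srcip=10.20.0.22 action="Edit" '
    'cfgpath="firewall.policy" cfgobj="12" cfgattr="comments[->reviewed]"',
    'date=2024-06-10 time=22:30:00 devname="FGT-EDGE-01" type="event" subtype="system" '
    'logdesc="Admin login failed" user="root" srcip=203.0.113.9 action="login" status="failed"',
]

# Assumed policy for the example: internal management network, accounts allowed
# to change configuration, and the window in which admin logins are expected.
ALLOWED_SOURCES = [ip_network("10.20.0.0/24")]
CONFIG_CHANGE_ROSTER = {"netops-jane", "netops-bob"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))
MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Parse one key=value syslog line into a dict, stripping surrounding quotes."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def analyze(lines, allowed=ALLOWED_SOURCES, roster=CONFIG_CHANGE_ROSTER, hours=BUSINESS_HOURS):
    """Run the detection rules over log lines and return a list of findings (dicts)."""
    findings = []
    for line in lines:
        f = parse_line(line)
        ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        src = ip_address(f["srcip"])
        user = f.get("user", "?")
        base = {"user": user, "srcip": str(src), "time": ts.isoformat()}

        if f.get("action") == "login":
            # Any login attempt (success or failure) from outside the allowlist.
            if not any(src in net for net in allowed):
                findings.append({"rule": "login_from_unknown_ip", **base})
            # Successful admin login outside business hours.
            if f.get("status") == "success" and not (hours[0] <= ts.time() < hours[1]):
                findings.append({"rule": "login_outside_hours", **base})

        elif f.get("action") == "Edit":
            # Configuration change by an account not on the change roster.
            if user not in roster:
                findings.append({"rule": "config_change_unauthorized_user", **base})
            # Management protocol enabled on an interface: cfgattr reads
            # "allowaccess[old->new]"; inspect the new value after "->".
            cfgattr = f.get("cfgattr", "")
            if f.get("cfgpath") == "system.interface" and cfgattr.startswith("allowaccess["):
                new_value = cfgattr.split("->", 1)[-1].rstrip("]")
                if set(new_value.split()) & MGMT_PROTOCOLS:
                    findings.append({"rule": "mgmt_access_enabled", "cfgobj": f.get("cfgobj"), **base})
    return findings


if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOGS):
        print(hit)
```

Because the rules only work on trustworthy input, the lines should come from the forwarded copy in the separate logging environment, not from the device's local log store, which an attacker with COATHANGER-level access could edit.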

Link(s):
https://thehackernews.com/2024/06/china-backed-hackers-exploit-fortinet.html

https://www.ncsc.nl/actueel/nieuws/...erspionagecampagne-via-kwetsbare-edge-devices

https://www.ncsc.nl/actueel/nieuws/...nadrukt-aanhoudende-interesse-in-edge-devices