
20,000 Fortinet Devices Hacked – Malware Survives Reboots

Chinese hackers compromised more than 20,000 Fortinet devices between 2022 and 2023, breaching “a large number of defense companies.”

They used previously unseen malware, dubbed COATHANGER, designed specifically for Fortinet devices, which “withstands reboots and firmware updates.”

That is what the Dutch cybersecurity agency NCSC said this week, adding that its February warning, published jointly with the country’s Ministry of Defense, underestimated the scale of the campaign.

The NCSC warned on June 10 that the difficulty of removing the persistent stage-two malware meant the threat group likely still had access to the systems of a “significant” number of victims.

Fortinet “COATHANGER” attacks worse than previously thought

Attackers hacked 14,000 Fortinet devices (firewalls and VPNs) in the two months before the software and hardware vendor released a patch for the critical vulnerability (CVE-2022-42475) that the attackers used for initial access. They then continued to target unpatched devices.

Stage 2 malware (COATHANGER) gave them persistence.

The victims included the Dutch Ministry of Defense. It was determined that only the network intended for unclassified projects was compromised, and, thanks to effective network segmentation, the attackers were prevented from moving to other systems.

The NCSC previously noted that “while this incident began with an exploit of CVE-2022-42475, the COATHANGER malware could be exploited in conjunction with any current or future software vulnerability in FortiGate devices” (and there has been no shortage of widely exploited Fortinet flaws since, e.g. CVE-2024-21762, CVE-2024-23113 or CVE-2023-48788 or …).

Given the increasing occurrence of zero days and the widespread use of devices such as those targeted in this campaign, the NCSC stated that “it is important that organizations practice the ‘assume breach’ principle.”

The only currently identified method to remove COATHANGER from an infected FortiGate device is to format the device, then reinstall and reconfigure it. The Dutch MOD notes that “several methods have been identified for detecting COATHANGER implants. These include the YARA rule, JA3 hash, various CLI commands, file checksums, and network traffic heuristics.” Further IOCs are available here.
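The JA3 hash named above as one of the detection methods is a fingerprint of how a TLS client builds its ClientHello, so the same implant tends to produce the same hash regardless of which device it is running on. The following is an added example (not code from the article, the NCSC or the Dutch MOD) showing how such a hash is derived and compared against an indicator list. The ClientHello bytes are constructed inside the block, and `KNOWN_BAD_JA3` is a placeholder set; in practice you would load the JA3 hashes published in the advisory.

```python
"""Compute a JA3 fingerprint from a raw TLS ClientHello and match it against IoCs.

Added example; not part of the article or of any advisory. SAMPLE_HELLO is a
ClientHello constructed here, and KNOWN_BAD_JA3 is a placeholder indicator set.
"""
import hashlib
import struct


def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ...) are excluded from JA3."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def parse_client_hello(record: bytes) -> dict:
    """Parse a TLS record carrying a ClientHello into the five JA3 fields."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                       # client_version, then 32-byte random
    pos += 1 + body[pos]                # session_id length and session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                # compression_methods length and list

    extensions, curves, formats = [], [], []
    if pos + 2 <= len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            extensions.append(etype)
            if etype == 10:             # supported_groups: 2-byte list length, 2-byte ids
                n = struct.unpack("!H", edata[:2])[0]
                curves = [struct.unpack("!H", edata[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == 11:           # ec_point_formats: 1-byte list length, 1-byte ids
                formats = list(edata[1:1 + edata[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "curves": curves, "formats": formats}


def ja3_string(fields: dict) -> str:
    """Build the canonical JA3 string: version,ciphers,extensions,curves,formats."""
    def join(values):
        return "-".join(str(v) for v in values if not is_grease(v))

    return ",".join([str(fields["version"]), join(fields["ciphers"]),
                     join(fields["extensions"]), join(fields["curves"]),
                     "-".join(str(f) for f in fields["formats"])])


def ja3_hash(record: bytes) -> str:
    """The JA3 hash is the MD5 of the JA3 string."""
    return hashlib.md5(ja3_string(parse_client_hello(record)).encode()).hexdigest()


# Placeholder: replace with the JA3 hashes published as indicators.
KNOWN_BAD_JA3 = {"00000000000000000000000000000000"}


def check_hello(record: bytes, iocs=KNOWN_BAD_JA3) -> dict:
    """Fingerprint one ClientHello and report whether it matches the IoC set."""
    digest = ja3_hash(record)
    return {"ja3": ja3_string(parse_client_hello(record)), "md5": digest,
            "match": digest in iocs}


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Construct a minimal ClientHello record; used only to create sample input."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                           # one compression method: null
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_blob)) + ext_blob
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed sample: TLS 1.2 ClientHello with GREASE values that JA3 must drop.
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x1A1A, 0x1301, 0xC02B, 0x002F],
    [
        (0x0A0A, b""),                                   # GREASE extension
        (0, b"\x00\x10\x00\x00\x0dexample.local"),       # server_name (constructed)
        (10, b"\x00\x06\x2a\x2a\x00\x1d\x00\x17"),       # supported_groups: GREASE, x25519, secp256r1
        (11, b"\x01\x00"),                               # ec_point_formats: uncompressed
        (13, b"\x00\x04\x04\x03\x08\x04"),               # signature_algorithms
    ],
)

if __name__ == "__main__":
    print(check_hello(SAMPLE_HELLO))
```

The GREASE filtering is the detail most home-grown JA3 code gets wrong: without it, browsers that randomize GREASE values produce a different hash on every connection, and a hash-based indicator would never match. Running the block prints the JA3 string `771,4865-49195-47,0-10-11-13,29-23,0` for the constructed sample together with its MD5 and a `match` flag against the placeholder set.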

See also: ‘Trivially exploitable’ bug in SolarWinds file server needs fixing quickly