
Chinese hackers compromised 20,000 FortiGate devices

Coathanger, a piece of malware specifically designed to persist on Fortinet's FortiGate devices, may still be lurking on too many devices around the world.


How Coathanger persists on FortiGate devices

In February 2024, the Dutch Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) reported that Chinese state-sponsored hackers breached the Dutch Ministry of Defense in 2023 by exploiting a known pre-authentication remote code execution vulnerability in the FortiOS SSL-VPN component (CVE-2022-42475) and then deployed a previously unknown remote access Trojan to create a persistent backdoor.

The RAT was named Coathanger and was found to survive both reboots and firmware updates. Its presence is also difficult to detect with FortiGate CLI commands, and it is difficult to remove from infected devices.

The services shared indicators of compromise and several detection methods in their advisory, and explained that "the only currently identified method of removing [it] from an infected FortiGate device involves formatting the device and reinstalling and reconfiguring it."

They also attributed the hack and malware to a Chinese cyber espionage group.

A wide-ranging campaign

On Monday, the Dutch National Cyber Security Centre (NCSC) said the MIVD was continuing to investigate the campaign and had found that:

  • The threat actor gained access to at least 20,000 FortiGate systems worldwide over several months in both 2022 and 2023
  • They exploited the FortiOS zero-day vulnerability (CVE-2022-42475) at least two months before Fortinet announced it
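A fleet inventory usually yields FortiOS version strings rather than patch status, so the first triage question is whether a given build still exposes CVE-2022-42475 at all. The helper below is an added example, not code from the NCSC/MIVD advisory or from Fortinet; the first fixed build per branch (7.2.3, 7.0.9, 6.4.11, 6.2.12, 6.0.16, with no fix for 5.x) is taken from Fortinet's PSIRT advisory FG-IR-22-398, and the sample `get system status` line it parses is constructed. The caveat the page itself states applies: Coathanger survives firmware updates, so a "fixed" result only means the initial access vector is closed, not that the device is clean.

```python
"""Triage helper: is a FortiOS version still exploitable via CVE-2022-42475?

Added example (not the advisory's or Fortinet's own code). Fixed builds come
from Fortinet PSIRT advisory FG-IR-22-398. A "fixed" verdict says nothing
about whether Coathanger is already present: the implant survives upgrades.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First build per FortiOS branch that contains the fix for CVE-2022-42475.
# Branches absent here fall into two groups handled in assess():
#   - 5.x and older: affected, but never received a fixed build
#   - 7.4 and newer: released after the fix (assumption stated in the lead-in)
FIXED_VERSIONS = {
    (7, 2): (7, 2, 3),
    (7, 0): (7, 0, 9),
    (6, 4): (6, 4, 11),
    (6, 2): (6, 2, 12),
    (6, 0): (6, 0, 16),
}

# Matches "v7.0.8" or "7.0.8", e.g. inside the "Version:" line of
# `get system status` ("Version: FortiGate-100F v7.0.8,build0418,...").
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch) from a bare version or a status line."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(text: str) -> str:
    """Classify a version string for CVE-2022-42475 exposure.

    Returns one of:
      'vulnerable'  - affected branch, below the first fixed build
      'fixed'       - at or above the fixed build (or a post-fix branch)
      'unsupported' - affected branch that never received a fix (5.x and older)
      'unknown'     - no version could be parsed
    """
    version = parse_version(text)
    if version is None:
        return "unknown"
    branch = version[:2]
    if branch in FIXED_VERSIONS:
        return "fixed" if version >= FIXED_VERSIONS[branch] else "vulnerable"
    if branch > (7, 2):
        return "fixed"
    return "unsupported"


def triage(status_lines):
    """Map each inventory line (e.g. from `get system status`) to a verdict."""
    return {line: assess(line) for line in status_lines}


if __name__ == "__main__":
    # Constructed sample inventory, not real device output.
    sample = [
        "Version: FortiGate-100F v7.0.8,build0418,221026 (GA.F)",
        "Version: FortiGate-60F v7.0.9,build0444,221128 (GA.F)",
        "Version: FortiGate-200E v6.4.11,build2030,221214 (GA.M)",
        "Version: FortiGate-90D v5.6.14,build1727,200716 (GA)",
        "Version: (unparseable)",
    ]
    for line, verdict in triage(sample).items():
        print(f"{verdict:12s} {line}")
```

Run it against the collected `Version:` lines of every FortiGate in scope; anything that comes back `vulnerable` or `unsupported` was exposed during the campaign window and should be treated as a forensic case, not a patch ticket.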

“During the so-called ‘zero day’ period, the actor infected 14,000 devices. Targets include dozens of (Western) governments, international organizations and a large number of defense companies,” the NCSC said.

The threat actor later installed the Coathanger malware on the devices of targets it considered relevant.

"It is unknown how many victims actually have the malware installed. The Dutch intelligence services and the NCSC consider it likely that a state actor could potentially expand its access to hundreds of victims around the world and carry out additional activities such as data theft," they said, adding that given the difficult detection and cleanup process, "it is likely that a state actor continues to have access to the systems of a significant number of victims."

Another concern is that the Coathanger malware could be used in conjunction with any current or future vulnerability in FortiGate devices, whether zero-day or N-day.

Advice for organizations

"It is difficult to prevent the initial threat to an IT network if an attacker uses a zero-day. Therefore, it is important for organizations to apply the 'assume breach' principle," the NCSC said.

"This principle states that a successful digital attack has already occurred or will occur soon. On this basis, actions are taken to limit the damage and impact. This includes taking mitigation measures in the areas of segmentation, detection, incident response plans and forensic readiness."

(In the attack against the Dutch Ministry of Defense, the impact of the intrusion was limited thanks to effective network segmentation.)

Finally, the NCSC noted that the problem is not specific to Fortinet devices but applies to "edge" devices in general: firewalls, VPN servers, routers, SMTP servers, and the like.

"Recent incidents and identified vulnerabilities in various edge devices demonstrate that these products are often not designed according to modern security principles by design," they said. With almost every organization deploying one or more edge devices, it pays for attackers to look for vulnerabilities that affect them.

As a result, the NCSC has published guidance on how organizations should proceed when deploying and operating edge devices.