
China-backed hackers exploit Fortinet vulnerability and infect 20,000 systems worldwide

June 12, 2024 | Newsroom


State-sponsored threat actors backed by China gained access to 20,000 Fortinet FortiGate systems worldwide during 2022 and 2023 by exploiting a known critical vulnerability, indicating that the operation had a far broader impact than previously thought.

“The state actor behind this campaign was already aware of this vulnerability in FortiGate systems at least two months before Fortinet disclosed the vulnerability,” the Dutch National Cybersecurity Center (NCSC) said in a new bulletin. “During the so-called zero period, the actor alone infected 14,000 devices.”

The campaign targeted several dozen Western governments, international organizations and a large number of companies in the defense industry. The names of the affected entities were not disclosed.

The findings build on an earlier advisory from February 2024, which revealed that attackers had breached a computer network used by the Dutch armed forces by exploiting CVE-2022-42475 (CVSS score: 9.8), a heap-based buffer overflow in the FortiOS SSL-VPN component that allows unauthenticated remote code execution.


The breach paved the way for the deployment of a backdoor codenamed COATHANGER, delivered from an actor-controlled server and designed to provide persistent remote access to compromised devices and serve as a launching point for additional malware.

The NCSC said the adversary chose to install malware long after initial access was gained in an attempt to maintain control of the devices, although it is unclear how many victims had their devices infected with the implant.

The latest development once again highlights the continuing trend of cyber attacks against edge devices, which are used as a foothold into the networks behind them.

“Due to the security challenges of edge devices, these devices are popular targets for malicious actors,” the NCSC said. “Edge devices sit at the edge of the IT network and regularly have a direct connection to the Internet. Additionally, these devices are often not supported by Endpoint Detection and Response (EDR) solutions.”
