A Chinese state-sponsored cyberespionage campaign targeted a critical zero-day vulnerability in Fortinet’s FortiOS and FortiProxy software, compromising over 20,000 FortiGate security appliances globally [2].

Description

Between 2022 and 2023 [4] [6] [7], threat actors exploited the CVE-2022-42475 vulnerability to gain permanent access to systems, deploying the Coathanger RAT malware on over 14,000 devices, including those of the government of the Netherlands [3]. The campaign specifically targeted Western governments, international organizations [1] [2] [4] [5] [6] [7], and defense industry companies [1] [4] [6], infecting nearly 14,000 devices [2] [7]. The Coathanger malware [1] [4] [6], which can be delivered through any present or future vulnerability in FortiGate devices [6], is reminiscent of previous Chinese espionage efforts against cybersecurity appliances such as Barracuda ESG and SonicWall SMA [1]. By exploiting a buffer overflow in FortiOS [2], the attackers installed a backdoor known as COATHANGER [2], which allowed them to maintain persistent access to compromised devices [2]. Although patches are available [3], the RAT is still present on many devices [3] and evades antivirus programs [3]. Dutch authorities have warned of ongoing infiltration and access to sensitive systems [5], indicating that the campaign is far more extensive than previously known [5] and that it poses significant cybersecurity risks to edge network devices [7].

Conclusion

The ongoing infiltration and access to sensitive systems by the Coathanger RAT malware highlight the significant cybersecurity risks posed to edge network devices. Mitigating these risks will require enhanced security measures and vigilance in detecting and responding to cyber threats. The implications of this campaign underscore the importance of proactive cybersecurity measures to protect critical infrastructure and sensitive data from state-sponsored cyber threats.

References

[1] https://www.infosecurity-magazine.com/news/chinese-fortigate-espionage-20000/
[2] https://duo.com/decipher/thousands-of-fortigate-devices-compromised-in-ongoing-campaign
[3] https://www.techradar.com/pro/security/thousands-of-fortigate-vpn-systems-hit-by-chinese-hackers
[4] https://www.abijita.com/chinese-hackers-breach-over-20000-fortigate-systems-worldwide-in-extensive-cyber-espionage-campaign/
[5] https://cyberscoop.com/chinese-cyber-espionage-campaign-targets-dozens-of-western-governments-dutch-officials-say/
[6] https://www.helpnetsecurity.com/2024/06/12/coathanger-fortigate/
[7] https://www.scmagazine.com/brief/vulnerable-fortigate-systems-targeted-by-global-chinese-cyberespionage-campaign