Chinese Cyber-Espionage Campaign Breaches 20,000 FortiGate Systems Globally: MIVD
June 11, 2024
The Dutch Military Intelligence and Security Service (MIVD) has raised the alarm over the extensive impact of a Chinese cyber-espionage campaign. The campaign, initially disclosed in February in a joint report with the General Intelligence and Security Service (AIVD), saw Chinese hackers exploiting a critical FortiOS/FortiProxy remote code execution vulnerability (CVE-2022-42475) over several months from 2022 to 2023 to infiltrate FortiGate network security appliances.
During this 'zero-day' period, a staggering 14,000 devices were infected. The targets were not random; they included numerous Western governments, international organizations, and a significant number of defense industry companies. The MIVD has also discovered the Coathanger remote access trojan (RAT) malware on a network of the Dutch Ministry of Defence used for research and development (R&D) of unclassified projects. However, due to network segmentation, the intrusion was contained, preventing the hackers from accessing other systems.
According to the MIVD, this previously unidentified malware strain, capable of surviving system reboots and firmware upgrades, was the tool of choice for a Chinese state-sponsored hacking group. The group was engaged in a political espionage campaign targeting the Netherlands and its allies. 'This gave the state actor permanent access to the systems. Even if a victim installs security updates from FortiGate, the state actor continues to keep this access,' the MIVD stated.
The extent of the damage is still uncertain, as it is unknown how many victims have the malware installed. However, Dutch intelligence services and the National Cyber Security Centre (NCSC) believe that the state actor could potentially extend its reach to hundreds of victims worldwide and carry out additional actions like data theft.
Since February, the MIVD has found that the Chinese threat group gained access to at least 20,000 FortiGate systems worldwide over a period of a few months in 2022 and 2023, beginning at least two months before Fortinet disclosed the CVE-2022-42475 vulnerability. The MIVD suspects that the Chinese hackers still have access to many victims, as the Coathanger malware is not only hard to detect, intercepting system calls to evade detection, but also difficult to remove, since it survives firmware upgrades.
The CVE-2022-42475 vulnerability was also exploited as a zero-day to target government organizations and related entities, as revealed by Fortinet in January 2023. This attack shares many similarities with another Chinese hacking campaign that targeted unpatched SonicWall Secure Mobile Access (SMA) appliances with cyber-espionage malware designed to withstand firmware upgrades.