Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label FortiGate devices. Show all posts

Dutch Intelligence Warns of Extensive Chinese Cyber-Espionage Campaign


 

The Dutch Military Intelligence and Security Service (MIVD) has issued a warning about the far-reaching consequences of a Chinese cyber-espionage operation disclosed earlier this year. According to the MIVD, the scale of this campaign is "much larger than previously known," impacting numerous systems across multiple sectors. 

In a joint report with the General Intelligence and Security Service (AIVD) released in February, the MIVD described how Chinese hackers exploited a critical vulnerability in FortiOS/FortiProxy (CVE-2022-42475). This remote code execution flaw was used over several months between 2022 and 2023 to deploy malware on susceptible Fortigate network security devices. During this "zero-day" period, about 14,000 devices were compromised. Targets included various Western governments, international organizations, and many companies within the defense industry. 

The malware, identified as the Coathanger remote access trojan (RAT), was detected on a network used by the Dutch Ministry of Defence for research and development (R&D) of unclassified projects. However, network segmentation prevented the attackers from spreading to other systems. The MIVD highlighted that this previously unknown malware strain could persist through system reboots and firmware upgrades. It was used by a Chinese state-sponsored hacking group in a political espionage campaign targeting the Netherlands and its allies. 

This persistent access allowed the state actor to maintain control over compromised systems even after security updates were applied. "The exact number of victims with malware installed is unknown," stated the MIVD. "However, the Dutch intelligence services and the NCSC believe that the state actor could potentially expand its access to hundreds of victims worldwide and engage in further actions such as data theft." Since February, the Dutch military intelligence service discovered that the Chinese threat group had accessed at least 20,000 FortiGate systems globally over a span of a few months in 2022 and 2023, beginning at least two months before Fortinet disclosed the vulnerability. 

The Coathanger malware's ability to intercept system calls to avoid detection and its resilience against firmware upgrades make it particularly difficult to remove. Fortinet disclosed in January 2023 that the CVE-2022-42475 vulnerability was exploited as a zero-day to target government organizations and related entities. The MIVD's findings mirror the characteristics of another Chinese hacking campaign that targeted unpatched SonicWall Secure Mobile Access (SMA) devices with cyber-espionage malware designed to withstand firmware updates. 

The revelations from Dutch intelligence underscore the increasing sophistication and persistence of state-sponsored cyber-espionage campaigns. As cyber threats continue to evolve, the importance of robust cybersecurity measures and vigilant monitoring becomes ever more critical to protect sensitive information and infrastructure from these advanced persistent threats.

China Caught Deploying Remote Access Trojan Tailored for FortiGate Devices

 

The Military Intelligence and Security Service (MIVD) of the Netherlands has issued a warning regarding the discovery of a new strain of malware believed to be orchestrated by the Chinese government. Named "Coathanger," this persistent and highly elusive malware has been identified as part of a broader political espionage agenda, targeting vulnerabilities in FortiGate devices.

In a recent advisory, MIVD disclosed that Coathanger was employed in espionage activities aimed at the Dutch Ministry of Defense (MOD) in 2023. Investigations into the breach revealed that the malware exploited a known flaw in FortiGate devices, specifically CVE-2022-42475.
Coathanger operates as a second-stage malware and does not exploit any novel vulnerabilities. 
Unlike some malware that relies on new, undisclosed vulnerabilities (zero-day exploits), Coathanger operates as a second-stage malware and does not exploit any novel vulnerabilities. However, the advisory emphasizes that it could potentially be used in conjunction with future vulnerabilities in FortiGate devices.

Described as stealthy and resilient, Coathanger evades detection by concealing itself through sophisticated methods, such as hooking system calls to evade detection. It possesses the capability to survive system reboots and firmware upgrades, making it particularly challenging to eradicate.

According to Dutch authorities, Coathanger is just one component of a larger-scale cyber espionage campaign orchestrated by Chinese state-sponsored threat actors. These actors target various internet-facing edge devices, including firewalls, VPN servers, and email servers.

The advisory issued by Dutch intelligence underscores the aggressive scanning tactics employed by Chinese threat actors, who actively seek out both disclosed and undisclosed vulnerabilities in edge devices. It warns of their rapid exploitation of vulnerabilities, sometimes within the same day they are made public.

Given the popularity of Fortinet devices as cyberattack targets, businesses are urged to prioritize patch management. Recent reports from Fortinet highlighted the discovery of two critical vulnerabilities in its FortiSIEM solution, emphasizing the importance of prompt patching.

To mitigate the risk posed by Coathanger and similar threats, intelligence analysts recommend conducting regular risk assessments on edge devices, restricting internet access on these devices, implementing scheduled logging analysis, and replacing any hardware that is no longer supported.