A campaign by Chinese state-sponsored attackers targeting a bug in Fortinet’s FortiOS SSL VPN software has resulted in the compromise of more than 20,000 FortiGate security appliances in the last few months, and many of them were compromised before the vulnerability became public, Dutch government security officials said.
The attacks involve exploitation of a buffer overflow (CVE-2022-42475) in FortiOS, which Fortinet disclosed and patched in December 2022. At the time of the disclosure, the flaw was already being exploited by attackers, but it wasn’t until earlier this year that researchers identified a widespread campaign targeting vulnerable appliances. In that campaign, disclosed by the Dutch Military Intelligence and Security Service (MIVD), the attackers exploited the bug and installed a backdoor known as COATHANGER in order to maintain persistent access to the compromised devices.
“This RAT is a targeted persistent malware that operates outside of traditional detection measures and is specifically designed for FortiGate devices. Another feature is that this malware is not aimed at gaining access to systems but at maintaining access,” the MIVD said in an analysis of the malware in February.
At the time of that initial report, the MIVD said that it had found the malware on several systems during incident response engagements, but the scope of the campaign has since become clearer. The agency said this week that it had identified more than 20,000 FortiGate appliances that have been compromised by the unnamed Chinese actor.
“Since the publication in February, the MIVD has continued to investigate the broader Chinese cyber espionage campaign. This revealed that the state actor gained access to at least 20,000 FortiGate systems worldwide within a few months in both 2022 and 2023 through the vulnerability with the identifier CVE-2022-42475,” the agency said.
“Furthermore, research shows that the state actor behind this campaign was already aware of this vulnerability in FortiGate systems at least two months before Fortinet announced the vulnerability. During this so-called 'zero-day' period, the actor alone infected 14,000 devices. Targets include dozens of (Western) governments, international organizations and a large number of companies within the defense industry. The state actor installed malware at relevant targets at a later date. This gave the state actor permanent access to the systems. Even if a victim installs security updates from FortiGate, the state actor continues to have this access.”
Fortinet released fixes for the vulnerability in December 2022, but organizations are often slow to patch edge security devices. Attackers know this, and the last few years have seen a marked increase in attacks on these devices, which offer privileged access to an organization’s network.
“The NCSC and the Dutch intelligence services have been seeing a trend for some time that vulnerabilities in publicly accessible edge devices such as firewalls, VPN servers, routers and email servers are being exploited. Due to the security challenges of edge devices, these devices are a popular target for malicious parties. Edge devices are located at the edge of the IT network and regularly have a direct connection to the internet. In addition, these devices are often not supported by Endpoint Detection and Response (EDR) solutions,” the MIVD said.