Fortinet VPN Hack (Recent Updates)
State-sponsored hackers from China have breached over 20,000 Fortinet FortiGate systems globally by exploiting a critical vulnerability. This breach, which occurred between 2022 and 2023, emphasizes the significant impact of cyber espionage on global cybersecurity.
The Breach
The Dutch Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) have disclosed that Chinese hackers infiltrated these systems by exploiting a known FortiOS remote code execution vulnerability, CVE-2022-42475. This vulnerability, a heap-based buffer overflow with a severity rating of 9.8 out of 10, allows attackers to execute malicious code remotely.
Fortinet silently fixed this vulnerability on November 28, 2022, but only publicly disclosed it on December 12, 2022, after acknowledging that it had been exploited in the wild. By this time, the damage had already been extensive. The hackers had exploited the vulnerability at least two months before Fortinet's announcement, infecting 14,000 devices during this zero-day period alone.
Coathanger Malware
Once inside the systems, the attackers deployed a sophisticated remote access trojan (RAT) dubbed "Coathanger." This malware is insidious because it can survive reboots and firmware upgrades, making it extremely difficult to detect and remove. The Coathanger RAT intercepts system calls to avoid detection and creates a persistent backdoor, allowing the attackers to maintain access to the compromised systems.
Scope and Impact
The scope of this cyber-espionage campaign is unprecedented. The attackers targeted a range of entities, including dozens of Western governments, international organizations, and numerous companies within the defense industry. The exact number of victims remains unknown, but it is believed that the state-sponsored group could potentially expand its access to hundreds of victims worldwide, carrying out additional malicious activities such as data theft.
Recent Findings
In February 2024, the Dutch Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) provided further details about the breach. They confirmed that the Chinese hackers continued their exploitation into 2023, revealing the broader impact of the campaign. The Dutch National Cyber Security Center (NCSC) also released a report on the Monday following the February disclosure, emphasizing the extensive nature of the Chinese cyber-espionage campaign and the ongoing risk posed by the Coathanger malware.
Response and Mitigation
The Dutch National Cyber Security Center (NCSC) and other cybersecurity authorities have issued advisories with indicators of compromise and various detection methods. However, due to the stealthy nature of the Coathanger malware, discovering and cleaning up infected devices remains a significant challenge. The only known way to remove the malware is to format the device and reinstall and reconfigure the firmware.
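The two points above, a RAT that hooks system calls to hide its files and advisories that ship indicators of compromise, are usually answered on the defender's side with the same triage step: compare an in-band view of the device (a listing the hook can filter) against an out-of-band view it cannot (for example an enumeration of an offline image), then run whatever surfaces against the published indicators. The script below is an added example written for this article; it is not code from Fortinet, the MIVD/AIVD, or the NCSC advisories. The listing format (`sha256  size  path`), the file names, the hashes and the IoC values are all constructed placeholders, and the assumption that the responder has both views of the same appliance is stated rather than taken from the page.

```python
"""Cross-view triage for an implant that hooks system calls to hide itself.

Added example, not from the article or from any vendor or NCSC advisory.
Assumes two directory views of the same appliance were collected:
  - HOOKED_VIEW: an ordinary in-band listing that a hooking implant can filter
  - RAW_VIEW:    a low-level enumeration the hook cannot influence
                 (e.g. taken from an offline image of the storage)
Every hash, path and IoC below is a constructed placeholder.
"""
from dataclasses import dataclass

# Constructed placeholder digests (64 hex chars, like SHA-256), not real IoCs.
SHA_LS_CLEAN = "11" * 32
SHA_LS_TROJANED = "22" * 32
SHA_CONFIG = "33" * 32
SHA_IMPLANT = "44" * 32
SHA_LOADER = "55" * 32

# Constructed sample: what the appliance reports when asked in-band.
HOOKED_VIEW = f"""
# sha256  size  path
{SHA_LS_CLEAN}  1024  /bin/ls
{SHA_CONFIG}  512  /data/config.db
"""

# Constructed sample: what an out-of-band enumeration of the same storage shows.
RAW_VIEW = f"""
# sha256  size  path
{SHA_LS_TROJANED}  1100  /bin/ls
{SHA_CONFIG}  512  /data/config.db
{SHA_IMPLANT}  2048  /data/.hidden/preload.so
{SHA_LOADER}  300  /data/.hidden/loader
"""

# Placeholder indicator lists; a real case would load these from the advisory.
IOC_HASHES = {SHA_IMPLANT}
IOC_PATHS = {"/data/.hidden/loader"}


@dataclass(frozen=True)
class Entry:
    path: str
    size: int
    sha256: str


def parse_listing(text: str) -> dict[str, Entry]:
    """Parse 'sha256  size  path' lines into a path-keyed map; skip comments."""
    entries: dict[str, Entry] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, size, path = line.split(maxsplit=2)
        entries[path] = Entry(path, int(size), digest)
    return entries


def hidden_entries(hooked: dict[str, Entry], raw: dict[str, Entry]) -> list[str]:
    """Paths the low-level view has but the in-band listing does not: the
    classic sign of a hook that filters directory enumeration."""
    return sorted(p for p in raw if p not in hooked)


def altered_entries(hooked: dict[str, Entry], raw: dict[str, Entry]) -> list[str]:
    """Paths present in both views whose size or hash differ: a hook that
    serves the original content in-band while the on-disk file was replaced."""
    return sorted(
        p for p in raw
        if p in hooked and (raw[p].size != hooked[p].size or raw[p].sha256 != hooked[p].sha256)
    )


def match_iocs(raw: dict[str, Entry], ioc_hashes: set, ioc_paths: set) -> list[tuple[str, str]]:
    """Match the trustworthy (raw) view against hash and path indicators.
    A hash hit is reported in preference to a path hit for the same entry."""
    hits = []
    for path, entry in raw.items():
        if entry.sha256 in ioc_hashes:
            hits.append((path, "hash"))
        elif path in ioc_paths:
            hits.append((path, "path"))
    return sorted(hits)


def triage(hooked_text: str, raw_text: str, ioc_hashes: set, ioc_paths: set) -> dict:
    """Run all three checks and return the findings as plain lists."""
    hooked = parse_listing(hooked_text)
    raw = parse_listing(raw_text)
    return {
        "hidden": hidden_entries(hooked, raw),
        "altered": altered_entries(hooked, raw),
        "ioc_hits": match_iocs(raw, ioc_hashes, ioc_paths),
    }


if __name__ == "__main__":
    for key, value in triage(HOOKED_VIEW, RAW_VIEW, IOC_HASHES, IOC_PATHS).items():
        print(f"{key}: {value}")
```

Two design points matter here. Only the raw view is matched against indicators, because an implant that filters listings can just as easily filter the names or hashes a hooked tool reports, so indicator matching on in-band output alone gives false reassurance. And a non-empty `hidden` or `altered` result is a finding in its own right even when no indicator matches, which is exactly the situation the advisories describe: given how the malware hides and persists, a confirmed discrepancy on an edge device is treated as compromise and the device is rebuilt from known-good firmware rather than cleaned in place.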
Conclusion
The Fortinet VPN breach is a stark reminder of the vulnerabilities inherent in edge devices, such as firewalls, VPN servers, and routers. As cyber-espionage campaigns become more sophisticated, organizations must stay vigilant, ensure timely patching of critical vulnerabilities, and enhance their cybersecurity defenses to protect against such pervasive threats.