China State Hackers Exploit Critical Vulnerability in Fortinet VPNs

The Dutch Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) recently said in a report (PDF) that in 2022 and 2023, Chinese state hackers exploited a critical vulnerability in Fortinet’s VPN appliances to install malware called CoatHanger, according to a summary of the report provided by the Dutch National Cyber Security Center (NCSC). The hackers, who were previously identified in the Netherlands’ investigation as the Chinese state, breached at least 20,000 FortiGate firewalls worldwide, the MIVD found.

The RCE vulnerability in question, CVE-2022-42475, is a heap-based buffer overflow in Fortinet’s FortiOS operating system that could allow an attacker to execute code without authentication. Fortinet patched the vulnerability in November, but a security researcher discovered the flaw being exploited in the wild in late December. Fortinet didn’t disclose the vulnerability until January 2023, after MIVD reported that it had discovered the vulnerability being exploited on Dutch Ministry of Defence systems.

The NCSC and the Dutch intelligence services wrote in the report that they suspect China’s state actors will continue to have access to the compromised systems for some time. They note that the malware used in the campaign is “difficult to identify and remove” and that the hackers behind the campaign could potentially steal data from the infected systems.

This isn’t the first time that Chinese state hackers have been accused of using the CoatHanger malware. In November, researchers at antivirus maker ESET said that the Chinese state-sponsored hacking group APT41 had likely used the malware to target the U.S. defense industry.

Fortinet is said to have patched the vulnerability that the Chinese hackers exploited in 2022 and 2023. However, the NCSC and the Dutch intelligence services write in their report that unnamed security researchers have discovered additional vulnerabilities in Fortinet’s products that could allow remote code execution, including a bug that could potentially be exploited to install CoatHanger.

The NCSC and the Dutch intelligence services say that they’ll soon publish technical details about the vulnerabilities and the CoatHanger malware, potentially setting the stage for further attacks by other threat actors. “The NCSC will also alert relevant organizations regarding the risk of APT41 actively exploiting the vulnerabilities in Fortinet products,” the organizations said in a statement accompanying the report.

This is what they’ve said (auto-translated)

Since the publication in February, the MIVD has continued to investigate the broader Chinese cyber espionage campaign. This revealed that the state actor gained access to at least 20,000 FortiGate systems worldwide within a few months in both 2022 and 2023 through the vulnerability with the characteristic CVE-2022-42475 . Furthermore, research shows that the state actor behind this campaign was already aware of this vulnerability in FortiGate systems at least two months before Fortinet announced the vulnerability. During this so-called ‘zero-day’ period, the actor alone infected 14,000 devices. Targets include dozens of (Western) governments, international organizations and a large number of companies within the defense industry.

https://www.ncsc.nl/actueel/nieuws/2024/juni/10/aanhoudende-statelijke-cyberspionagecampagne-via-kwetsbare-edge-devices

The NCSC and the Dutch intelligence services urge Fortinet customers and others to install the latest patches as soon as they’re made available. “The NCSC, MIVD, and AIVD call on organizations to install the updates as soon as possible and to scan their networks for the presence of malware,” the organizations wrote. This comes just a few months after Fortinet issued a patch for a critical FortiGate SSL VPN vulnerability.