
Massive Cyber Breach: over 20 000 FortiGate devices exploited by RAT



In recent months, a significant cybersecurity breach has come to light, revealing the extensive reach of state-sponsored cyber-espionage. Over 20,000 FortiGate devices worldwide were compromised by Chinese state-backed actors exploiting a critical vulnerability. This breach, involving the deployment of the COATHANGER malware, has affected numerous government agencies, international organizations, and defense contractors. The Dutch National Cyber Security Centre (NCSC), in collaboration with other intelligence agencies, has been at the forefront of investigating and mitigating this threat. This report delves into the details of the attacks, the vulnerability exploited, and the broader implications for global cybersecurity.

The NCSC, in collaboration with the Netherlands Office of Military Intelligence and Security (MIVD) and the Netherlands Office of General Intelligence and Security (AIVD), published an investigation into a remote access trojan (RAT) entitled “COATHANGER”, stating that a Chinese state sponsor was responsible. Subsequently, the NCSC announced that the scope of past cyberattacks carried out by Chinese state-backed actors was “much larger than previously known.” The warning came after further investigation found that over 20,000 FortiGate devices around the world were compromised over several months between 2022 and 2023 by an attack originating in China.

The attack was on the Ministry of Defence (MOD) of the Netherlands

Chinese attackers infiltrated a Dutch military research and development network by exploiting the FortiGate vulnerability CVE-2022-42475. The effects were minimal due to the 50-user network being segmented from wider MOD networks. However, the Dutch Military Intelligence and Security Service (MIVD) and the Dutch General Intelligence and Security Service (AIVD) discovered the use of a previously unknown Remote Access Trojan (RAT) referred to as COATHANGER during their incident response activities. In February of this year, the Dutch National Cyber Security Centre (NCSC) published its findings on COATHANGER.

Figure 1. Report on COATHANGER from the Dutch National Cyber Security Centre (NCSC)

Chinese state sponsored hackers exploit FortiGate Vulnerability

CVE-2022-42475 is a heap-based buffer overflow vulnerability in the SSL-VPN feature of FortiOS. It allows a remote, unauthenticated attacker to execute arbitrary code or commands via a specially crafted request. Fortinet disclosed the zero-day in December 2022, and the following month it was being used in zero-day attacks targeting government agencies and related groups. The company did not identify the attacker but confirmed that the vulnerability was being exploited to deploy malware.

The NCSC’s June announcement identifies the attacker as a state-sponsored actor from the People’s Republic of China, noting that in the months before and after the 2022 and 2023 vulnerability announcements, attackers used the vulnerability to install COATHANGER malware on FortiGate devices. This led to unauthorized access to more than 20,000 FortiGate devices worldwide, of which around 14,000 were compromised during the zero-day period. Victims included Western governments, international organizations, and defense contractors. The damage indicates that China’s cyber-espionage activities were quite extensive. UNC3886, a group known for exploiting zero-day vulnerabilities in Fortinet and VMware products, was identified as the Chinese attacker that exploited the vulnerability.

COATHANGER malware was used to gain access to FortiGate devices

COATHANGER is typically deployed in conjunction with a vulnerability and is used to maintain persistence in a victim network. The malware persists across system reboots and firmware updates, allowing the attacker to retain access to the target. It is also stealthy: it hooks system calls (the interface through which programs request services from the operating system) to hide its presence from detection. The NCSC published YARA rules for detecting COATHANGER in its February paper. However, if COATHANGER is found on a system, the only option for now is to factory-reset the FortiGate device and reinstall and rebuild it.

The number of COATHANGER victims is unknown, but because the malware is difficult to detect and remove, attackers likely still have access to many targets. The NCSC warns that the attacks are likely to spread across the world, leading to information theft and other damage.

Figure 2: Hacker Group GlorySec Declares Vengeance Against Chinese Attackers

In retaliation for the 20,000+ FortiGate breaches, GlorySec, a group of hackers active around the world, declared cyberwar on China in June of this year and claimed on Telegram that it had begun attacking the Chinese attackers’ systems.

Summary

According to a previous NCSC report (February), it was known that an attacker believed to be a Chinese APT group was exploiting this zero-day vulnerability. However, the fact that over 20,000 systems were compromised in a short period of time was far beyond expectations. The actual number of victims is unknown at this time, and it is expected that more damage will be reported in the future due to this malware.

About our Cyber Security Insights

This blog post is part of our Cyber Security Insights series, released several times every month, providing invaluable insights into the evolving threat landscape. Crafted by the NTT Security Japan Inc. Consulting Services Department’s OSINT Monitoring Team and NTT Security Sweden’s Incident Response Team, our content includes expert analysis of recent breaches, vulnerabilities, and cyber events. Stay ahead of the curve with our timely updates and actionable intelligence, ensuring your digital assets remain secure in an ever-changing environment.



Want to know more about how we can help you with your cybersecurity?

Book a meeting with NTT Security experts to learn more about our advisory services and penetration testing. We help you protect sensitive data while ensuring privacy and convenience.