Chinese hackers breached thousands of FortiGate systems

June 13, 2024
FortiGate Cyberespionage Remote Access Trojan Chinese Hackers

The Dutch Military Intelligence and Security Service (MIVD) has published a follow-up to its advisory, issued earlier this year, on a Chinese cyber espionage campaign targeting FortiGate systems. The new report states that the campaign was far larger than initially identified.

According to the joint report, the Chinese hackers exploited a critical FortiOS/FortiProxy remote code execution vulnerability (CVE-2022-42475) during 2022 and 2023 to install malware on vulnerable FortiGate network security appliances.

The agency says the actor infected about 14,000 devices during the period in which the flaw was still an unpatched zero-day. The victims included dozens of governments, international organisations, and many organisations in the defence industry.

The FortiGate hackers conducted a cyberespionage campaign using a remote access trojan.

The Chinese hackers who targeted FortiGate used a remote access trojan named Coathanger. In the intrusion disclosed in February, the malware stayed confined to a single system: network segmentation prevented it from moving to additional computers.

The authorities found that the same previously unknown malware strain, which survives system reboots and firmware upgrades, was used by a Chinese state-sponsored group in a political espionage campaign against the Netherlands and its allies.

Researchers do not yet know how many of the infected victims still harbour the malware. Dutch authorities assess that the state actor may have extended its access to hundreds of victims worldwide, which would let its operators carry out follow-on actions such as data theft.

Since its February advisory, the Dutch military intelligence service has established that the Chinese threat group gained access to at least 20,000 FortiGate systems worldwide within a few months during 2022 and 2023, starting at least two months before Fortinet published the CVE-2022-42475 vulnerability.

They believe the Chinese hackers still have access to many victims because the Coathanger malware is hard to detect: it intercepts system calls to conceal its presence, and security products struggle to remove it because it survives firmware updates.

Fortinet itself revealed in January last year that attackers had used CVE-2022-42475 as a zero-day against government organisations and associated businesses.

The group's growing cyber espionage activity is a serious concern for organisations worldwide. Government and private entities should keep their edge devices patched so that known flaws cannot be exploited, and, because Coathanger survives firmware upgrades, should check any device that was exposed while vulnerable for compromise rather than assume an update removed it.
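A first triage step for an estate of FortiGate devices is to parse the firmware version from each appliance's `get system status` output and compare it with the version ranges affected by CVE-2022-42475. The script below is an added example written for this article, not code from the MIVD, Fortinet or the original page. The affected ranges are taken from Fortinet's PSIRT advisory FG-IR-22-398 for FortiOS (FortiProxy and FortiOS-6K7K have their own ranges and are not covered here); the `get system status` sample is constructed, and the `assess` function and its wording are this example's own. It deliberately reports an exposed-while-vulnerable device as "patched but still needs a compromise check", because, as the article notes, Coathanger persists across firmware upgrades.

```python
import re

# Affected FortiOS ranges for CVE-2022-42475 per Fortinet advisory FG-IR-22-398
# (assumption: copied from that advisory, not from the article above).
# Each entry: (branch, first affected version, first fixed version or None when
# the entire branch is affected and has no fix).
AFFECTED_FORTIOS = [
    ((7, 2), (7, 2, 0), (7, 2, 3)),
    ((7, 0), (7, 0, 0), (7, 0, 9)),
    ((6, 4), (6, 4, 0), (6, 4, 11)),
    ((6, 2), (6, 2, 0), (6, 2, 12)),
    ((6, 0), (6, 0, 0), (6, 0, 16)),
    ((5, 6), (5, 6, 0), None),
    ((5, 4), (5, 4, 0), None),
    ((5, 2), (5, 2, 0), None),
    ((5, 0), (5, 0, 0), None),
]

# The first line of `get system status` on FortiOS looks like
# "Version: FortiGate-100F v7.0.8,build0418,221027 (GA)".
VERSION_RE = re.compile(r"^Version:\s+\S+\s+v(\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_fortios_version(status_output: str) -> tuple:
    """Extract (major, minor, patch) from `get system status` output."""
    m = VERSION_RE.search(status_output)
    if not m:
        raise ValueError("no 'Version:' line found in status output")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: tuple) -> bool:
    """True when the version falls inside a published affected range."""
    branch = version[:2]
    for b, first, fixed in AFFECTED_FORTIOS:
        if branch != b:
            continue
        if fixed is None:          # whole branch affected, no fix published
            return True
        return first <= version < fixed
    return False                   # branch not listed (e.g. 7.4 and later)


def assess(status_output: str, exposed_while_vulnerable: bool) -> dict:
    """Triage one device: is it still exploitable, and does it need a compromise check?

    exposed_while_vulnerable: operator's knowledge that the device ran an
    affected version while reachable by the attacker (e.g. SSL-VPN exposed).
    Because Coathanger survives firmware upgrades, a patched device that was
    exposed earlier still needs a compromise check, not just a version check.
    """
    version = parse_fortios_version(status_output)
    vulnerable = is_vulnerable(version)
    return {
        "version": ".".join(map(str, version)),
        "vulnerable_now": vulnerable,
        "needs_compromise_check": vulnerable or exposed_while_vulnerable,
    }


# Constructed sample outputs (not real devices): one unpatched, one patched.
SAMPLE_UNPATCHED = """Version: FortiGate-100F v7.0.8,build0418,221027 (GA)
System time: Thu Jun 13 09:00:00 2024
"""
SAMPLE_PATCHED = """Version: FortiGate-100F v7.0.9,build0444,221208 (GA)
System time: Thu Jun 13 09:00:00 2024
"""

if __name__ == "__main__":
    print(assess(SAMPLE_UNPATCHED, exposed_while_vulnerable=True))
    print(assess(SAMPLE_PATCHED, exposed_while_vulnerable=True))
```

Feeding the script the output of `get system status` collected from each device gives a quick list of appliances that are still exploitable, but the `needs_compromise_check` flag is the operationally important one: a device that was upgraded after having been exposed is exactly the case the MIVD warns about, where the firmware is current and the implant may still be present.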
