Chinese hackers attack NATO: Dutch army network hacked

Compromised Fortinet network devices were used to deploy the COATHANGER backdoor for espionage.

Chinese government hackers broke into a computer network of the Dutch armed forces by exploiting a vulnerability in Fortinet FortiGate devices.

According to a statement from the Dutch Military Intelligence and Security Service (MIVD), the affected network was used for unclassified research and development (R&D). Because the network was segmented from the rest of the infrastructure, the intrusion caused no damage to the defense network. The network had fewer than 50 users.

During the hack, which occurred in 2023, the attackers exploited a critical FortiOS SSL VPN vulnerability (CVE-2022-42475, CVSS score 9.8) that allows an unauthenticated attacker to execute arbitrary code by sending specially crafted requests.

Successful exploitation of the vulnerability paved the way for the deployment of a backdoor called COATHANGER from the attackers' command-and-control (C2) server, designed to provide persistent remote access to the compromised devices.

The National Cyber Security Centre of the Netherlands described the COATHANGER malware as "stealthy and resilient." COATHANGER hides by intercepting the system calls that could reveal its presence, and it survives both firmware updates and reboots.

Notably, the same flaw was already exploited in October 2022 in espionage campaigns by Chinese hackers targeting European government networks. At that time the vulnerability was used to deliver the BOLDMOVE backdoor, which was purpose-built for Fortinet FortiGate firewalls.

MIVD attributes the intrusion and the malware activity to state-sponsored hackers from China with a "high degree of confidence." The malware was also found in the networks of a Western international mission and several other organizations. According to Dutch intelligence officials, it was developed specifically for FortiGate firewalls. The incident marks the first time the Netherlands has publicly attributed a cyber espionage campaign to China.

Fortinet Network Devices

According to Mandiant, Internet-facing devices such as firewalls, IPS and IDS appliances are attractive targets for attackers.

First, they are directly exposed to the Internet. With a working exploit, an attacker can gain access to the network without any interaction with a victim, which lets the attacker control the timing of the operation and reduces the chance of detection.

Second, although these devices are designed to inspect network traffic for anomalies and signs of malicious behavior, they are themselves often vulnerable to attack.

Exploits for such devices are difficult to develop, so they are typically reserved for high-priority targets in the public and defense sectors.

According to Mandiant, there are still no mechanisms for detecting malicious processes running on these network devices. This makes them a blind spot for security teams and allows attackers to remain hidden on them for long periods. Such devices can also serve as a foothold for moving further into the target network.