Dutch government officials say hackers working for the Chinese government used a critical vulnerability that Fortinet did not disclose for two weeks after fixing it to gain access to more than 20,000 VPN devices sold by the company.
Tracked as CVE-2022-42475, the vulnerability is a heap-based buffer overflow that could allow hackers to execute malicious code remotely. It has a severity rating of 9.8 out of 10. Network security software maker Fortinet quietly patched the vulnerability on November 28, 2022, but did not mention the threat until December 12 of the same year, when it announced it had become aware of “examples of this vulnerability being exploited in the wild.” On January 11, 2023, more than six weeks after the vulnerability was patched, Fortinet warned that threat actors were exploiting it to infect government and government-related organizations with sophisticated custom-made malware.
Introducing CoatHanger
Dutch authorities first reported in February that Chinese government hackers had exploited CVE-2022-42475 to install an advanced and stealthy backdoor, tracked as CoatHanger, on FortiGate appliances within the Dutch Ministry of Defense. Once installed, the unprecedented malware, designed specifically for the underlying FortiOS operating system, was able to remain persistent on the device across reboots and firmware updates. CoatHanger was also able to evade traditional detection measures, authorities warned. However, the damage from the breach was limited because the infection was confined to network segments reserved for non-sensitive use.
Officials from the Dutch Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service said on Monday that Chinese government hackers had so far used critical vulnerabilities to infect more than 20,000 FortiGate VPN appliances sold by Fortinet Inc. Targets include dozens of Western government agencies, international organizations and companies in the defense industry.
“Since then, MIVD has conducted further investigations that have revealed that Chinese cyber espionage operations are much more widespread than previously known,” Dutch National Cyber Security Centre officials wrote. “The NCSC therefore calls for special attention to this activity and the exploitation of vulnerabilities in edge devices.”
Monday’s report said exploitation of the vulnerability began two months before Fortinet first disclosed it, with backdoors installed on 14,000 devices during the zero-day period. Officials warned that because CoatHanger is so difficult to detect and remove, the Chinese threat group probably still has access to many victims.
Dutch government officials wrote in a report on Monday:
Since its announcement in February, MIVD has continued to investigate a broader Chinese cyber espionage campaign, which revealed that a state actor gained access to at least 20,000 FortiGate systems around the world within a few months in both 2022 and 2023 using a vulnerability with identifier CVE-2022-42475. Furthermore, the investigation has found that the state actor behind this campaign was already aware of this vulnerability in FortiGate systems at least two months before Fortinet announced the vulnerability. During this so-called “zero-day” period, the actor alone infected 14,000 devices. Targets included dozens of (Western) governments, international organizations, and numerous companies in the defense industry.
The nation-state actor later installed malware on associated targets, which gave the actor persistent access to the systems that the actor would continue to have even if the victim installed security updates from FortiGate.
It is unclear how many victims actually had the malware installed, but the Dutch intelligence agency and the NCSC believe the nation-state attackers could then expand access to hundreds of victims around the world to carry out additional actions, such as data theft.
Despite technical reports on the COATHANGER malware, infections caused by this actor are difficult to identify and remove, which is why the NCSC and Dutch intelligence agency say it’s likely that nation-state actors still have access to a large number of victim systems.
Fortinet’s failure to disclose in a timely manner is particularly serious given the severity of the vulnerability. Disclosure is critical because it helps users prioritize patch installation. When minor bugs are fixed in new versions, many organizations wait to install them. When a vulnerability with a severity of 9.8 is fixed, users are much more likely to expedite the update process. Given that the vulnerability was being exploited in the wild before Fortinet fixed it, disclosure would not have prevented all infections, but it would have stopped some.
Fortinet officials did not explain why they did not disclose the critical vulnerability when it was fixed, nor did they describe the company’s policy on disclosing security vulnerabilities. Company representatives did not immediately respond to an email seeking comment on this post.