How Coathanger persists on FortiGate devices
In February 2024, the Dutch Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) made it known that Chinese state-sponsored hackers breached the Dutch Ministry of Defense in 2023 by exploiting a known FortiOS pre-auth RCE vulnerability (CVE-2022-42475), and used novel remote access trojan malware to create a persistent backdoor.
The RAT was dubbed Coathanger and found to be capable of surviving reboots and firmware upgrades. It’s also difficult to detect its presence by using FortiGate CLI commands, and to remove it from compromised devices.
The security services shared indicators of compromise and a variety of detection methods in an advisory, and explained that “the only currently identified way of removing [it] from an infected FortiGate device involves formatting the device and reinstalling and reconfiguring the device.”
They also attributed the intrusion and the malware to a Chinese cyber-espionage group.
A widespread campaign
On Monday, the Dutch National Cyber Security Center said that the MIVD continued to investigate the campaign, and found that:
- The threat actor gained access to at least 20,000 FortiGate systems worldwide within a few months in both 2022 and 2023
- They exploited the FortiOS vulnerability (CVE-2022-42475) as a zero-day, at least two months before Fortinet announced it
“During this so-called ‘zero-day’ period, the actor alone infected 14,000 devices. Targets include dozens of (Western) governments, international organizations and a large number of companies within the defense industry,” the NCSC said.
The threat actor installed the Coathanger malware at a later time, on devices of relevant targets.
“It is not known how many victims actually have malware installed. The Dutch intelligence services and the NCSC consider it likely that the state actor could potentially expand its access to hundreds of victims worldwide and carry out additional actions such as stealing data,” they said, and added that given the difficult discovery and clean-up process, “it is likely that the state actor still has access to systems of a significant number of victims.”
Another problem is that the Coathanger malware can be used in combination with any present or future vulnerability in FortiGate devices – whether zero- or N-day.
Advice for organizations
“Initial compromise of an IT network is difficult to prevent if the attacker uses a zero-day. It is therefore important that organizations apply the ‘assume breach’ principle,” the NCSC opined.
“This principle states that a successful digital attack has already taken place or will soon take place. Based on this, measures are taken to limit the damage and impact. This includes taking mitigating measures in the areas of segmentation, detection, incident response plans and forensic readiness.”
(In the attack targeting the Dutch MoD, the effects of the intrusion were limited due to effective network segmentation.)
Finally, the NCSC noted that the problem is not specifically Fortinet appliances, but “edge” devices – firewalls, VPN servers, routers, SMTP servers, etc. – in general.
“Recent incidents and identified vulnerabilities within various edge devices show that these products are often not designed according to modern security-by-design principles,” they said. Because almost every organization has one or more edge devices deployed, they added, it pays for threat actors to look for vulnerabilities affecting them.
The NCSC has, therefore, published helpful advice on how organizations should deal with using edge devices.
The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot
