Jun 12 2024

20,000 FortiGate appliances compromised by Chinese hackers

Category: Hacking,Security Breachdisc7 @ 7:43 am

How Coathanger persists on FortiGate devices

In February 2024, the Dutch Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) made it known that Chinese state-sponsored hackers breached the Dutch Ministry of Defense in 2023 by exploiting a known FortiOS pre-auth RCE vulnerability (CVE-2022-42475), and used novel remote access trojan malware to create a persistent backdoor.

The RAT was dubbed Coathanger and found to be capable of surviving reboots and firmware upgrades. It’s also difficult to detect its presence by using FortiGate CLI commands, and to remove it from compromised devices.

The security services shared indicators of compromise and a variety of detection methods in an advisory, and explained that “the only currently identified way of removing [it] from an infected FortiGate device involves formatting the device and reinstalling and reconfiguring the device.”

They also attributed the intrusion and the malware to a Chinese cyber-espionage group.

A widespread campaign

On Monday, the Dutch National Cyber Security Center said that the MIVD continued to investigate the campaign, and found that:

  • The threat actor gained access to at least 20,000 FortiGate systems worldwide within a few months in both 2022 and 2023
  • They exploited the FortiOS vulnerability (CVE-2022-42475) as a zero-day, at least two months before Fortinet announced it

“During this so-called ‘zero-day’ period, the actor alone infected 14,000 devices. Targets include dozens of (Western) governments, international organizations and a large number of companies within the defense industry,” the NCSC said.

The threat actor installed the Coathanger malware at a later time, on devices of relevant targets.

“It is not known how many victims actually have malware installed. The Dutch intelligence services and the NCSC consider it likely that the state actor could potentially expand its access to hundreds of victims worldwide and carry out additional actions such as stealing data,” they said, and added that given the difficult discovery and clean-up process, “it is likely that the state actor still has access to systems of a significant number of victims.”

Another problem is that the Coathanger malware can be used in combination with any present or future vulnerability in FortiGate devices – whether zero- or N-day.

Advice for organizations

“Initial compromise of an IT network is difficult to prevent if the attacker uses a zero-day. It is therefore important that organizations apply the ‘assume breach’ principle,” the NCSC opined.

“This principle states that a successful digital attack has already taken place or will soon take place. Based on this, measures are taken to limit the damage and impact. This includes taking mitigating measures in the areas of segmentation, detection, incident response plans and forensic readiness.”

(In the attack targeting the Dutch MoD, the effects of the intrusion were limited due to effective network segmentation.)

Finally, the NCSC noted that the problem is not specifically Fortinet appliances, but “edge” devices – firewalls, VPN servers, routers, SMTP servers, etc. – in general.

“Recent incidents and identified vulnerabilities within various edge devices show that these products are often not designed according to modern security-by-design principles,” they said. Because almost every organization has one or more edge devices deployed, they added, it pays for threat actors to look for vulnerabilities affecting them.

The NCSC has, therefore, published helpful advice on how organizations should deal with using edge devices.

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics 

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: Chinese hackers, FortiGate appliances, The Hacker and the State


Nov 21 2022

Chinese Hackers Using 42,000 Phishing Domains To Drop Malware On Victims Systems

Category: Hacking,Malware,PhishingDISC @ 11:13 am

An extensive phishing campaign targeting businesses in numerous upright markets, including retail, was discovered by Cyjax recently in which the attackers exploited the reputation…

China’s Playbook – new Art of War

War Without Rules: China's Playbook for Global Domination

Tags: Art of war, China's Playbook, Chinese hackers


Mar 24 2022

macOS Malware of Chinese Hackers Storm Cloud Exposed

Category: MalwareDISC @ 11:44 am

The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics

Tags: Chinese hackers, Storm Cloud, The Hacker and the State


Feb 22 2021

NSA Equation Group tool was used by Chinese hackers years before it was leaked online

Category: APT,Cyber Espionage,Cybercrime,HackingDISC @ 10:51 am

The Chinese APT group had access to an NSA Equation Group, NSA hacking tool and used it years before it was leaked online by Shadow Brokers group.

Check Point Research team discovered that China-linked APT31 group (aka Zirconium.) used a tool dubbed Jian, which is a clone of NSA Equation Group ‘s “EpMe” hacking tool years before it was leaked online by Shadow Brokers hackers.

In 2015, Kaspersky first spotted the NSA Equation Group, it revealed it was operating since at least 2001 and targeted almost any industry with  sophisticated zero-day malware.

The arsenal of the hacking crew included sophisticated tools that requested a significant effort in terms of development, Kaspersky speculated the Equation Group has also interacted with operators behind Stuxnet and Flame malware. 

Based on the evidence collected on the various cyber espionage campaigns over the years, Kaspersky experts hypothesize that the National Security Agency (NSA) is linked to the Equation Group.

Jian used the same Windows zero-day exploit that was stolen from the NSA Equation Group ‘s arsenal for years before it was addressed by the IT giant. 

In 2017, the Shadow Brokers hacking group released a collection of hacking tools allegedly stolen from the US NSA, most of them exploited zero-day flaws in popular software.

One of these zero-day flaws, tracked as CVE-2017-0005, was a privileged escalation issue that affected Windows XP to Windows 8 operating systems,

“In this blog we show that CVE-2017-0005, a Windows Local-Privilege-Escalation (LPE) vulnerability that was attributed to a Chinese APT, was replicated based on an Equation Group exploit for the same vulnerability that the APT was able to access.” reads the analysis published by CheckPoint. ““EpMe”, the Equation Group exploit for CVE-2017-0005, is one of 4 different LPE exploits included in the DanderSpritz attack framework. EpMe dates back to at least 2013 – four years before APT31 was caught exploiting this vulnerability in the wild.”

Source: NSA Equation Group tool was used by Chinese hackers years before it was leaked online

Tags: Chinese hackers, NSA Equation Group tool, Spy war, Tiger trap