Fortinet gets owned... again

OVERKILL


A Chinese cyber-espionage group breached the Dutch Ministry of Defence last year and deployed malware on compromised devices, according to the Military Intelligence and Security Service (MIVD) of the Netherlands.

However, despite backdooring the hacked systems, the damage from the breach was limited due to network segmentation.

"The effects of the intrusion were limited because the victim network was segmented from the wider MOD networks," said MIVD and the General Intelligence and Security Service (AIVD) in a joint report.

"The victim network had fewer than 50 users. Its purpose was research and development (R&D) of unclassified projects and collaboration with two third-party research institutes. These organizations have been notified of the incident."

During the follow-up investigation, a previously unknown malware strain named Coathanger, a remote access trojan (RAT) designed to infect Fortigate network security appliances, was also discovered on the breached network.

"Notably, the COATHANGER implant is persistent, recovering after every reboot by injecting a backup of itself in the process responsible for rebooting the system. Moreover, the infection survives firmware upgrades," the two Dutch agencies warned.

"Even fully patched FortiGate devices may therefore be infected, if they were compromised before the latest patch was applied."

The malware operates stealthily and persistently, hiding itself by intercepting system calls to avoid revealing its presence. It also persists through system reboots and firmware upgrades.

The Chinese hackers deployed the Coathanger malware for cyber espionage purposes on vulnerable FortiGate firewalls they compromised by exploiting the CVE-2022-42475 FortiOS SSL-VPN vulnerability.

CVE-2022-42475 was also exploited as a zero-day in attacks targeting government organizations and related targets, as Fortinet disclosed in January 2023.

These attacks also share many similarities with another Chinese hacking campaign that targeted unpatched SonicWall Secure Mobile Access (SMA) appliances with cyber-espionage malware also designed to survive firmware upgrades.

And this is not the first time security vulnerabilities have been found in their products, and exploited.

Saw this on twitter and thought it captured it well, lol:
[attached image]

Any software that is exploitable will get exploited. State-sponsored hacking is a thing, especially against military targets.
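As an added illustration, not code from the post, the Dutch advisory, or the implant itself, the following Linux/glibc program shows the general technique the quoted report describes (hiding an artifact by intercepting the API that would reveal it) alongside the corresponding check (enumerating the same directory through the raw getdents64 syscall, which a user-space hook cannot filter). The temporary directory, the file names and the marker string "implant" are constructed assumptions for the demo; nothing here reflects how the real implant is built.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <dlfcn.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Assumed marker: any entry whose name contains it is hidden by the hook. */
#define HIDDEN_MARKER "implant"

/* "Implant" side: interpose on libc's readdir(). Because this definition
 * lives in the executable, the dynamic linker resolves every readdir()
 * call in the process to it; the real libc function is fetched via
 * RTLD_NEXT. Marked entries are skipped, so opendir/readdir-based
 * tooling (ls, find, ...) never sees them. Illustrative only. */
struct dirent *readdir(DIR *dirp)
{
    static struct dirent *(*real_readdir)(DIR *) = NULL;
    if (real_readdir == NULL)
        real_readdir = (struct dirent *(*)(DIR *))dlsym(RTLD_NEXT, "readdir");
    struct dirent *e;
    while ((e = real_readdir(dirp)) != NULL)
        if (strstr(e->d_name, HIDDEN_MARKER) == NULL)
            return e;
    return NULL;
}

/* Count entries (excluding . and ..) through the hooked libc path. */
int count_libc(const char *path)
{
    DIR *d = opendir(path);
    if (d == NULL)
        return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL)
        if (strcmp(e->d_name, ".") != 0 && strcmp(e->d_name, "..") != 0)
            n++;
    closedir(d);
    return n;
}

/* Detector side: the kernel's record layout per getdents64(2). */
struct linux_dirent64 {
    uint64_t       d_ino;
    int64_t        d_off;
    unsigned short d_reclen;
    unsigned char  d_type;
    char           d_name[];
};

/* Count entries with the raw syscall, bypassing libc (and the hook) entirely. */
int count_raw(const char *path)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0)
        return -1;
    _Alignas(8) char buf[8192];
    int n = 0;
    for (;;) {
        long nread = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (nread <= 0)
            break;
        for (long pos = 0; pos < nread;) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + pos);
            if (strcmp(d->d_name, ".") != 0 && strcmp(d->d_name, "..") != 0)
                n++;
            pos += d->d_reclen;
        }
    }
    close(fd);
    return n;
}

/* Constructed sample: two benign files plus one carrying the marker.
 * Writes the directory path into out; returns 0 on success. */
int make_sample_dir(char *out, size_t outlen)
{
    char tmpl[] = "/tmp/hookdemo.XXXXXX";
    if (mkdtemp(tmpl) == NULL)
        return -1;
    const char *names[] = { "config.txt", "notes.log", ".implant_payload" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        char p[512];
        snprintf(p, sizeof p, "%s/%s", tmpl, names[i]);
        int fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0)
            return -1;
        close(fd);
    }
    snprintf(out, outlen, "%s", tmpl);
    return 0;
}

/* Entries the libc view is missing relative to the raw view;
 * anything above zero means something is filtering the libc path. */
int hidden_entries(const char *path)
{
    int raw = count_raw(path), lib = count_libc(path);
    if (raw < 0 || lib < 0)
        return -1;
    return raw - lib;
}

int main(void)
{
    char path[256];
    if (make_sample_dir(path, sizeof path) != 0)
        return 1;
    printf("%s: libc readdir sees %d entries, raw getdents64 sees %d (%d hidden)\n",
           path, count_libc(path), count_raw(path), hidden_entries(path));
    return 0;
}
```

The point of the check is the cross-view comparison: two independent enumerations of the same object that disagree. This particular detector only defeats a user-space hook; a hook placed in the kernel would filter the raw syscall as well and would need a different vantage point (offline image inspection or a vendor-provided check). On a closed appliance like a FortiGate you cannot drop your own binary on the box anyway, so in practice you rely on the detection guidance published by the vendor and the agencies rather than on code like this.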