China’s FortiGate attacks more extensive than first thought

The Netherlands’ cybersecurity agency (NCSC) says the previously reported attack on the country’s Ministry of Defense (MoD) was far more extensive than first thought.

The NCSC first published details of a Chinese state-sponsored malware campaign in February, but has continued to investigate the case along with the Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD). The attackers deployed stealthy malware, which the NCSC calls Coathanger, on the FortiGate boxes they targeted.

We now know that over the course of just a few months in 2022 and 2023, at least 20,000 FortiGate systems were compromised as a result of this China-linked activity, with around 14,000 of them broken into during what investigators are calling a “zero-day period” – the two months before Fortinet became aware of the vulnerability.

The software flaw in question is CVE-2022-42475 – a critical (CVSS 9.8) buffer overflow bug in FortiOS SSL-VPN that allows remote code execution. Without going into specifics, the NCSC said the types of victims included “several” Western governments, international organizations, and a “large number” of defense companies.

After establishing an initial foothold on a FortiGate system, the attackers would wait and deploy the Coathanger malware – named after a “peculiar phrase” displayed during its encryption process – at a later date, establishing persistent access that survived even after updates were installed.

Authorities said back in February that the only way to remove a Coathanger infection was to completely reformat the device.

Coathanger itself is a remote access trojan (RAT) developed specifically for use on compromised FortiGate next-generation firewalls, and is distinct from other FortiGate-specific RATs like BOLDMOVE.

Dutch intelligence believes there are still a significant number of systems that remain infected and under the control of the Chinese attackers behind the campaign.

“It is not known how many victims actually have malware installed,” said the NCSC this week. 

“The Dutch intelligence services and the NCSC consider it likely that the state actor could potentially expand its access to hundreds of victims worldwide and carry out additional actions such as stealing data.”

The NCSC echoed much of the wider industry’s observation that attacks targeting edge services are on the up, saying devices such as Fortinet’s firewalls are popular targets because of edge devices’ inherent “security challenges”: they are connected directly to the internet and are often not covered by EDR products.

Security shop WithSecure published its research today into the security of edge devices, noting that the number of vulnerabilities added to CISA’s KEV catalog on a monthly basis has increased 22 percent this year compared to 2023.

The upward trend for CVEs affecting edge devices contrasts with that for non-edge, non-infrastructure vulnerabilities: while those increased in 2023, the volume of their additions to the KEV catalog dropped in 2024.
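The monthly-addition comparison WithSecure describes can be reproduced by any defender from CISA’s public KEV feed. The script below is an added example and is not WithSecure’s or CISA’s code: it parses records in the shape of CISA’s known_exploited_vulnerabilities.json (the field names cveID, vendorProject, product and dateAdded are the feed’s own), classifies each entry as “edge” or “non-edge” by a keyword match on the product name (an assumption made for the example, not CISA’s classification), and computes the year-over-year change in the average number of monthly additions for each class. The records embedded here are constructed: apart from CVE-2022-42475 from the article, every CVE ID is an obvious placeholder and every date is invented.

```python
"""Count CISA KEV additions per month, split into edge-device and other vulnerabilities."""
import json
from collections import Counter
from datetime import date

# Constructed sample in the shape of CISA's known_exploited_vulnerabilities.json feed
# (field names cveID, vendorProject, product and dateAdded are the feed's own).
# CVE-2022-42475 is the FortiOS bug from the article; every other cveID is a
# placeholder, and all dateAdded values are invented for this example.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2022-42475", "vendorProject": "Fortinet", "product": "FortiOS", "dateAdded": "2022-12-13"},
    # 2023: six edge-device and six non-edge additions spread over twelve months
    {"cveID": "CVE-PLACEHOLDER-0001", "vendorProject": "ExampleNet", "product": "Edge VPN Gateway", "dateAdded": "2023-01-10"},
    {"cveID": "CVE-PLACEHOLDER-0002", "vendorProject": "ExampleSoft", "product": "Office Suite", "dateAdded": "2023-02-14"},
    {"cveID": "CVE-PLACEHOLDER-0003", "vendorProject": "ExampleNet", "product": "Perimeter Firewall", "dateAdded": "2023-03-02"},
    {"cveID": "CVE-PLACEHOLDER-0004", "vendorProject": "ExampleSoft", "product": "Browser", "dateAdded": "2023-04-03"},
    {"cveID": "CVE-PLACEHOLDER-0005", "vendorProject": "ExampleMail", "product": "Mail Gateway", "dateAdded": "2023-05-19"},
    {"cveID": "CVE-PLACEHOLDER-0006", "vendorProject": "ExampleSoft", "product": "Media Player", "dateAdded": "2023-06-22"},
    {"cveID": "CVE-PLACEHOLDER-0007", "vendorProject": "ExampleNet", "product": "VPN Appliance", "dateAdded": "2023-07-07"},
    {"cveID": "CVE-PLACEHOLDER-0008", "vendorProject": "ExampleSoft", "product": "Desktop OS Kernel", "dateAdded": "2023-08-15"},
    {"cveID": "CVE-PLACEHOLDER-0009", "vendorProject": "ExampleNet", "product": "Firewall Manager", "dateAdded": "2023-09-21"},
    {"cveID": "CVE-PLACEHOLDER-0010", "vendorProject": "ExampleWeb", "product": "CMS Plugin", "dateAdded": "2023-10-05"},
    {"cveID": "CVE-PLACEHOLDER-0011", "vendorProject": "ExampleNet", "product": "Edge Router Gateway", "dateAdded": "2023-11-30"},
    {"cveID": "CVE-PLACEHOLDER-0012", "vendorProject": "ExampleData", "product": "Database Server", "dateAdded": "2023-12-12"},
    # 2024 (January to June): four edge-device and two non-edge additions over six months
    {"cveID": "CVE-PLACEHOLDER-0013", "vendorProject": "ExampleNet", "product": "SSL VPN", "dateAdded": "2024-01-18"},
    {"cveID": "CVE-PLACEHOLDER-0014", "vendorProject": "ExampleMail", "product": "Secure Email Gateway", "dateAdded": "2024-02-27"},
    {"cveID": "CVE-PLACEHOLDER-0015", "vendorProject": "ExampleSoft", "product": "Browser", "dateAdded": "2024-03-11"},
    {"cveID": "CVE-PLACEHOLDER-0016", "vendorProject": "ExampleNet", "product": "Next-Gen Firewall", "dateAdded": "2024-04-09"},
    {"cveID": "CVE-PLACEHOLDER-0017", "vendorProject": "ExampleNet", "product": "VPN Concentrator", "dateAdded": "2024-05-30"},
    {"cveID": "CVE-PLACEHOLDER-0018", "vendorProject": "ExampleSoft", "product": "PDF Reader", "dateAdded": "2024-06-04"},
]})

# Assumed keyword classifier for "edge" products (firewalls, VPNs, mail and other
# gateways). CISA does not tag entries this way; a real analysis would curate this list.
EDGE_KEYWORDS = ("firewall", "vpn", "gateway", "fortios", "fortigate")


def load_kev(text):
    """Return the list of vulnerability records from a KEV-format JSON document."""
    return json.loads(text)["vulnerabilities"]


def is_edge(record):
    """Classify a record as edge-device by keyword match on vendor and product."""
    haystack = f"{record['vendorProject']} {record['product']}".lower()
    return any(keyword in haystack for keyword in EDGE_KEYWORDS)


def monthly_additions(records, year, edge):
    """Count KEV additions per calendar month of `year` for the edge (True) or non-edge (False) class."""
    counts = Counter()
    for record in records:
        added = date.fromisoformat(record["dateAdded"])
        if added.year == year and is_edge(record) == edge:
            counts[added.month] += 1
    return counts


def monthly_rate(records, year, edge, months_covered):
    """Average additions per month, dividing by the number of months the data covers
    (twelve for a full year, fewer for a partial one) so partial years compare fairly."""
    return sum(monthly_additions(records, year, edge).values()) / months_covered


def yoy_change_pct(records, prev_year, prev_months, cur_year, cur_months, edge):
    """Percentage change in the average monthly addition rate between two periods."""
    prev = monthly_rate(records, prev_year, edge, prev_months)
    cur = monthly_rate(records, cur_year, edge, cur_months)
    if prev == 0:
        raise ValueError("no additions in the earlier period; change is undefined")
    return (cur - prev) / prev * 100.0


if __name__ == "__main__":
    recs = load_kev(SAMPLE_KEV_JSON)
    for label, edge in (("edge", True), ("non-edge", False)):
        change = yoy_change_pct(recs, 2023, 12, 2024, 6, edge)
        print(f"{label:9s} monthly additions, 2024 (Jan-Jun) vs 2023: {change:+.1f}%")
```

Run against the real feed by replacing SAMPLE_KEV_JSON with the downloaded file’s contents; the partial-year divisor matters, because comparing six months of 2024 against twelve of 2023 without normalising would understate this year’s rate by half. On the constructed sample the edge class rises and the non-edge class falls, the same shape as the trend described above, though the percentages are the sample’s, not WithSecure’s.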

“There is just one thing that is required for a mass exploitation incident to occur, and that is a vulnerable edge service, a piece of software that is accessible from the Internet,” said Stephen Robinson, senior threat analyst at WithSecure Intelligence.

“What many exploited edge services have in common is that they are infrastructure devices, such as firewalls, VPN gateways, or email gateways, which are commonly locked down black box-like devices. Devices such as these are often intended to make a network more secure, yet time and again vulnerabilities have been discovered in such devices and exploited by attackers, providing a perfect foothold in a target network.” ®