Dutch NCSC warns of ongoing Chinese FortiGate attacks

About 14,000 firewalls breached before Fortinet knew about the flaw

The Netherlands' cybersecurity agency (NCSC) has warned that a Chinese cyberespionage campaign, first reported earlier this year, is far more extensive than previously thought.

"Since the publication in February, the [Dutch Military Intelligence and Security Service (MIVD)] has continued to investigate the broader Chinese cyber espionage campaign. This revealed that the state actor gained access to at least 20,000 FortiGate systems worldwide within a few months in both 2022 and 2023 through the vulnerability indexed as CVE-2022-42475," NCSC said (translated).

"Furthermore, research shows that the state actor behind this campaign was already aware of this vulnerability in FortiGate systems at least two months before Fortinet announced the vulnerability."

Around 14,000 firewalls were breached during a "zero-day window" - the two months before Fortinet even knew about the vulnerability.

The campaign targeted Western governments, diplomatic organisations, and a large number of companies within the defence industry.

Authorities in February announced details of a cyberattack that hit the Dutch Ministry of Defence (MoD) in November 2023.

The attack, attributed to Chinese state-sponsored hackers, was aimed at espionage and utilised a sophisticated piece of malware dubbed "Coathanger."

The attempted intrusion prompted an immediate investigation by the Netherlands' MIVD and the General Intelligence and Security Service (AIVD).

The joint effort led to the discovery of Coathanger, a previously unknown remote access trojan (RAT) designed to target Fortinet's FortiGate firewalls.

The authorities said the attackers initially gained access to the MoD's network by exploiting a vulnerability identified as CVE-2022-42475. Fortinet silently patched the flaw in November 2022 but failed to disclose the issue for two weeks.

This delay left a significant window of opportunity for attackers. Malicious actors used the vulnerability to breach the MoD's defences and install Coathanger, which operates as second-stage malware.

The RAT is designed to maintain persistent access for the attackers, surviving system reboots and firmware upgrades.

One of Coathanger's key characteristics is its ability to evade traditional detection measures. The malware hooks most system calls that could reveal its presence, making it undetectable using default FortiGate command-line interface commands.

Even fully patched FortiGate appliances could remain compromised if they were infected with Coathanger before the firmware upgrade.

"It is not known how many victims actually have malware installed," the NCSC says in its latest post.

"The Dutch intelligence services and the NCSC consider it likely that the state actor could potentially expand its access to hundreds of victims worldwide and carry out additional actions such as stealing data."

The agency also underscored the growing trend of attacks targeting edge devices like firewalls. These devices often have weaker security controls than core systems, which makes them an attractive entry point for attackers.

It urges organisations to be vigilant and take immediate steps to identify and remove any potential Coathanger infections.

"Initial compromise of an IT network is difficult to prevent if the attacker uses a zero-day. It is therefore important that organisations apply the 'assume breach' principle. This principle states that a successful digital attack has already taken place or will soon take place," NCSC said.

"Based on this, measures are taken to limit the damage and impact. This includes taking mitigating measures in the areas of segmentation, detection, incident response plans and forensic readiness."