Introduction
In 2023, state-backed Chinese hackers infiltrated a computer network used by the Dutch Armed Forces by targeting Fortinet’s FortiGate devices. The network was used for “unclassified research development.”
Chinese State Hackers
The Chinese hacker group, which goes by many names such as China-nexus and Volt Typhoon, has been the subject of multiple reports of attacks on countries around the world, the U.S. being one of them. It was discovered that they went undetected for 5 years within U.S. networks, and there have been reports of the group attacking other organizations as well. An example of this is when the FBI interrupted the Chinese state-backed hackers, who at the time were attacking critical U.S. infrastructure. The FBI announced that the group had attacked water treatment systems, the power grid, transportation systems, oil and gas pipelines, and telecommunication networks.
Cyber Espionage Campaign
The National Dutch Cyber Security Centre has officially announced that the Chinese state-sponsored hackers were behind the attacks, based on evidence obtained from the attack. In 2023, the hackers took advantage of a known security flaw in FortiOS described in CVE-2022-42475. CVE-2022-42475 is a critical heap-based buffer overflow vulnerability affecting certain versions of FortiOS SSL-VPN and FortiProxy SSL-VPN software. The malware used in the attack, code-named COATHANGER, is a Remote Access Trojan that allows an attacker to control a victim's system remotely without their knowledge. COATHANGER is also linked to BOLDMOVE, another malicious software that is connected to the Chinese hackers. Once deployed, COATHANGER takes control of and compromises FortiGate devices. This led the National Dutch Cyber Security Centre to believe that the Chinese government was behind the attack.
Recommendations
The New Jersey Cybersecurity and Communications Integration Cell recommends keeping all FortiGate appliances updated as soon as the appropriate patches have been released. Organizations are also encouraged to conduct vulnerability scans regularly; knowing which appliances still run an affected FortiOS version significantly strengthens the protection of FortiGate devices and the company's overall defense.
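As an added example (not code from the article, from Fortinet or from the organisations named above), the following Python script shows the core of the "scan regularly and patch" recommendation: it takes a constructed inventory of FortiGate hostnames and firmware versions and flags each device as vulnerable, patched or untracked against an affected-version table. The version ranges in the table are illustrative placeholders in the shape of a vendor advisory for CVE-2022-42475; a real deployment would replace them with the ranges the vendor publishes for each tracked CVE.

```python
"""Flag FortiGate devices whose firmware falls inside a vulnerable range.

Added example, not from the article or from Fortinet. The affected
ranges below are illustrative placeholders; substitute the ranges
from the vendor advisory for the CVE you are tracking.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Normalise a FortiOS-style version string ('v7.0.8', '7.2', '7.0.8 build0418')
    into a three-part integer tuple so ranges compare correctly."""
    token = text.strip().split()[0].lstrip("vV").rstrip(",")
    parts = token.split(".")
    if not parts or not all(p.isdigit() for p in parts) or len(parts) > 3:
        raise ValueError(f"unparseable version: {text!r}")
    parts += ["0"] * (3 - len(parts))          # pad '7.2' -> (7, 2, 0)
    return (int(parts[0]), int(parts[1]), int(parts[2]))


@dataclass(frozen=True)
class AffectedRange:
    low: Version      # first affected build on this branch (inclusive)
    high: Version     # last affected build on this branch (inclusive)
    fixed_in: str     # first fixed release on this branch

    def contains(self, v: Version) -> bool:
        return self.low <= v <= self.high


# Constructed placeholder table: replace with the vendor advisory's values.
AFFECTED: Dict[str, List[AffectedRange]] = {
    "CVE-2022-42475": [
        AffectedRange((7, 2, 0), (7, 2, 2), "7.2.3"),
        AffectedRange((7, 0, 0), (7, 0, 8), "7.0.9"),
        AffectedRange((6, 4, 0), (6, 4, 10), "6.4.11"),
    ],
}


def classify(v: Version, ranges: List[AffectedRange]) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_in). 'untracked' means the branch is not in the
    table at all, e.g. an end-of-support release that must be checked by hand."""
    for r in ranges:
        if r.contains(v):
            return "vulnerable", r.fixed_in
    on_tracked_branch = any(v[:2] == r.low[:2] for r in ranges)
    return ("patched", None) if on_tracked_branch else ("untracked", None)


def assess(inventory: Dict[str, str], cve: str = "CVE-2022-42475") -> Dict[str, dict]:
    """Map each hostname to its version, status and first fixed release."""
    results: Dict[str, dict] = {}
    for host, raw in inventory.items():
        status, fixed_in = classify(parse_version(raw), AFFECTED[cve])
        results[host] = {"version": raw, "status": status, "fixed_in": fixed_in}
    return results


# Constructed sample inventory, as an asset-management export might provide it.
SAMPLE_INVENTORY = {
    "fgt-edge-01": "v7.0.8",            # inside the 7.0 range -> vulnerable
    "fgt-edge-02": "v7.0.9 build0418",  # first fixed 7.0 build -> patched
    "fgt-lab-01": "6.4.3",              # inside the 6.4 range -> vulnerable
    "fgt-lab-02": "v7.2.4",             # above the 7.2 range -> patched
}

if __name__ == "__main__":
    for host, info in assess(SAMPLE_INVENTORY).items():
        fix = f" (upgrade to {info['fixed_in']})" if info["fixed_in"] else ""
        print(f"{host:12} {info['version']:18} {info['status']}{fix}")
```

The "untracked" status is deliberate: a device running a branch that no longer receives fixes is not "safe" just because it is absent from the advisory table, so the script separates it from "patched" rather than silently passing it.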
Conclusion
What was unique about COATHANGER was how stealthy it was: it evaded detection by the FortiGate CLI commands an administrator would normally use to inspect the device. It was able to run on the device without being identified as malicious content.