China-Backed Hackers Exploit Fortinet Flaw, Infecting 20,000 Systems Globally
- Sanket Kamble
- Jun 14, 2024
- 2 min read

In a significant cybersecurity incident, state-sponsored hackers backed by China exploited a critical vulnerability in Fortinet FortiGate firewalls and gained access to at least 20,000 devices worldwide. This post breaks down the details of the campaign, its impact, and what it means for defenders.
The Fortinet Flaw:
The attackers exploited CVE-2022-42475, a heap-based buffer overflow in the SSL-VPN daemon of FortiOS, the operating system of FortiGate devices. The flaw allows an unauthenticated remote attacker to execute arbitrary code on the device, which means the firewall itself can be taken over from the internet. Alarmingly, the hackers knew about this vulnerability at least two months before Fortinet publicly disclosed it in December 2022, giving them a head start during which no patch existed.
Scope of the Attack:
Within a few months in both 2022 and 2023, the actor gained access to at least 20,000 FortiGate devices globally; 14,000 of those were compromised during the initial two-month "zero-day" period, before a patch was available. Targets included numerous Western governments, international organizations, and a large number of companies in the defense industry. The names of the affected entities have not been disclosed.
Dutch National Cyber Security Centre Findings:
The Dutch National Cyber Security Centre (NCSC) revealed these findings in a new bulletin. An earlier advisory from the Dutch intelligence services, published in February 2024, had already reported that attackers breached a network used by the Dutch armed forces using this vulnerability. On that network the attackers deployed a backdoor named COATHANGER, a remote access trojan that runs on the FortiGate itself, survives reboots and firmware upgrades, and gave the actor persistent remote access from which further attacks could be launched.
Strategic Malware Deployment:
Notably, the actor did not install malware on every device it could reach. It installed COATHANGER at a later stage, and only on targets of interest, so that access to those devices survived even after the vulnerability had been patched. This is why a patched device is not automatically a clean device. The exact number of devices carrying the COATHANGER implant remains unknown.
Implications and Security Challenges:
This campaign highlights the growing trend of cyber threats targeting edge devices, the firewalls, VPN gateways and similar appliances that sit at the boundary of IT networks with direct internet exposure. Edge devices usually cannot run Endpoint Detection and Response (EDR) agents, so a compromise on them is far harder to see than one on a workstation or server, which makes them attractive targets for malicious actors.
The exploitation of the Fortinet flaw by China-backed hackers underscores the need for vigilance and proactive cybersecurity measures. Organizations must inventory their edge devices, track vendor advisories, and apply patches quickly, because the window between disclosure and exploitation is short and, as this case shows, can even be negative. Patching is necessary but not sufficient: a device that was exposed while vulnerable should be treated as potentially compromised and checked for signs of an implant, since a backdoor installed before the patch will survive it.
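As an added example, not code from the original post, from Fortinet or from the NCSC, the following Python script does the first step a practitioner would take after reading the above: compare the FortiOS version strings from a device inventory against the ranges Fortinet listed as affected by CVE-2022-42475. The affected and fixed ranges are taken from Fortinet's advisory FG-IR-22-398 (verify them against the current advisory before relying on them); the inventory is constructed sample data, and the FortiOS-6K7K builds, which have their own ranges, are deliberately left out. The script only establishes exposure; it cannot tell you whether a device was implanted while it was vulnerable.

```python
"""Triage a FortiGate inventory for exposure to CVE-2022-42475.

Added example for this post; not Fortinet or NCSC code.
Affected/fixed ranges as published in Fortinet advisory FG-IR-22-398
(assumed correct here; check the live advisory). FortiOS-6K7K builds
are not covered. A version outside the affected ranges only means the
entry point is closed, not that the device was never compromised.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, first fixed) per FortiOS branch.
AFFECTED_BRANCHES = [
    ((7, 2, 0), (7, 2, 2), (7, 2, 3)),
    ((7, 0, 0), (7, 0, 8), (7, 0, 9)),
    ((6, 4, 0), (6, 4, 10), (6, 4, 11)),
    ((6, 2, 0), (6, 2, 11), (6, 2, 12)),
    ((6, 0, 0), (6, 0, 15), (6, 0, 16)),
]

# Matches the x.y.z part of strings such as "v7.0.8,build0523,221209".
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_fortios_version(raw: str) -> Optional[Version]:
    """Extract (major, minor, patch) from a FortiOS version string.

    Returns None when no x.y.z version is present, so unparseable
    inventory rows are reported rather than silently treated as safe.
    """
    m = _VERSION_RE.search(raw)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True if the version lies inside an affected range (inclusive)."""
    return any(lo <= version <= hi for lo, hi, _ in AFFECTED_BRANCHES)


def assess(raw: str) -> str:
    """Classify one version string as unknown / vulnerable / not affected."""
    v = parse_fortios_version(raw)
    if v is None:
        return "unknown: unparseable version string"
    for lo, hi, fixed in AFFECTED_BRANCHES:
        if lo <= v <= hi:
            return "vulnerable: upgrade to %d.%d.%d or later" % fixed
    return "not in affected range"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each hostname in the inventory to its assessment."""
    return {host: assess(raw) for host, raw in inventory.items()}


def count_vulnerable(inventory: Dict[str, str]) -> int:
    """Number of devices whose version falls in an affected range."""
    return sum(1 for r in triage(inventory).values() if r.startswith("vulnerable"))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "fw-hq-01": "v7.0.8,build0523,221209",     # affected, 7.0 branch
    "fw-branch-03": "v6.4.10,build2095,221017", # affected, 6.4 branch
    "fw-dmz-02": "v7.2.3,build1262,221212",     # first fixed 7.2 build
    "fw-lab-09": "v7.0.12,build0523",           # patched 7.0 build
    "fw-legacy-01": "unknown / not reachable",  # could not be queried
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {verdict}")
    print(f"{count_vulnerable(SAMPLE_INVENTORY)} of {len(SAMPLE_INVENTORY)} devices in affected ranges")
```

Feed it the version strings you already collect (for example from the device's `get system status` output or from your monitoring platform) and follow up every "vulnerable" and "unknown" result. Devices that were on an affected build while exposed to the internet during late 2022 or 2023 belong on the forensic review list even if they have since been upgraded.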