CVE-2022-42475 Vulnerability

Between 2022 and 2023, state-sponsored threat actors linked to China infiltrated 20,000 Fortinet FortiGate systems globally by exploiting a known critical security flaw. This breach reveals a broader impact than previously acknowledged.

The state actor responsible for this operation was already aware of the vulnerability in FortiGate systems at least two months before it was disclosed by Fortinet. During this period, known as the zero-day window, the actor successfully compromised 14,000 devices.

According to a joint report by the Dutch Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) in early 2024, Chinese hackers exploited CVE-2022-42475, a critical FortiOS/FortiProxy remote code execution vulnerability. Over several months in 2022 and 2023, the attackers managed to install malware on vulnerable FortiGate network security appliances.

The Attackers Deployed the Coathanger RAT to Compromised Devices

The Coathanger Remote Access Trojan (RAT) malware, discovered in the attacks, was also detected on a network belonging to the Dutch Ministry of Defence, specifically used for Research and Development (R&D) on unclassified projects. Fortunately, due to network segmentation, the attackers were prevented from infiltrating other systems.

This previously undisclosed malware strain, capable of persisting through system reboots and firmware upgrades, was employed by a Chinese state-sponsored hacking group in a political espionage campaign targeting the Netherlands and its allies. This granted the state actor persistent access to the compromised systems. Even after Fortinet's security updates are installed on a FortiGate device, the state actor retains this access.

The exact number of victims with the malware installed remains unknown. However, researchers estimate that the state actor could extend its access to hundreds of victims worldwide, enabling further actions such as data theft.

The Cybercriminals May Still Have Access to the Breached Devices

Since February, it has come to light that a Chinese threat group gained access to over 20,000 FortiGate systems worldwide over several months in 2022 and 2023, beginning at least two months before Fortinet disclosed the CVE-2022-42475 vulnerability.

The MIVD suggests that Chinese hackers likely maintain access to numerous victims because the Coathanger malware is adept at evading detection: it intercepts system calls, making its presence difficult to identify. Moreover, it is resilient to removal and survives firmware upgrades. CVE-2022-42475 was exploited as a zero-day vulnerability, primarily against government organizations and affiliated entities, as revealed in January 2023.

These attacks share striking similarities with another Chinese hacking campaign that focused on exploiting unpatched SonicWall Secure Mobile Access (SMA) appliances, using cyber-espionage malware designed to persist through firmware upgrades.
