The Dutch Military Intelligence and Security Service (MIVD) warned today that the impact of a Chinese cyber-espionage campaign unveiled earlier this year is "much larger than previously known."
As the MIVD disclosed in February in a joint report with the General Intelligence and Security Service (AIVD), Chinese hackers exploited a critical FortiOS/FortiProxy remote code execution vulnerability (CVE-2022-42475) over a few months between 2022 and 2023 to deploy malware on vulnerable Fortigate network security appliances.
"During this so-called 'zero-day' period, the actor infected 14,000 devices alone. Targets include dozens of (Western) governments, international organizations and a large number of companies within the defense industry," the MIVD said.
The Coathanger remote access trojan (RAT) malware used in the attacks was also found on a Dutch Ministry of Defence network used in the research and development (R&D) of unclassified projects. Still, due to network segmentation, the attackers were blocked from moving to other systems.
The MIVD found that this previously unknown malware strain, which could survive system reboots and firmware upgrades, was deployed by a Chinese state-sponsored hacking group in a political espionage campaign targeting the Netherlands and its allies.
"This gave the state actor permanent access to the systems. Even if a victim installs security updates from FortiGate, the state actor continues to keep this access," the MIVD added.
"It is not known how many victims actually have malware installed. The Dutch intelligence services and the NCSC consider it likely that the state actor could potentially expand his access to hundreds of victims worldwide and carry out additional actions such as stealing data."
At least 20,000 Fortigate systems breached
Since February, the Dutch military intelligence service has discovered that the Chinese threat group obtained access to at least 20,000 FortiGate systems worldwide in 2022 and 2023 over a span of a few months, at least two months before Fortinet disclosed the CVE-2022-42475 vulnerability.
The MIVD believes the Chinese hackers still have access to many victims because the Coathanger malware is difficult to detect as it intercepts system calls to avoid revealing its presence and is also challenging to remove since it survives firmware upgrades.
CVE-2022-42475 was also exploited as a zero-day to target government organizations and related entities, as disclosed by Fortinet in January 2023.
These attacks bear many similarities to another Chinese hacking campaign that targeted unpatched SonicWall Secure Mobile Access (SMA) appliances with cyber-espionage malware designed to withstand firmware upgrades.
Comments
powerspork - 3 weeks ago
They did publish a document detailing how to detect infections named: TLP-CLEAR+MIVD+AIVD+Advisory+COATHANGER.pdf
The (console) gist of it:
Run "fnsysctl ls -la /bin" in console. Mine only had 1 or 2 datetime stamps here. Ignore symlinks (items with -> in the name). Strange datetimes could indicate infection.
Run "diagnose sys tcpsock" in console. Look for suspicious outbound HTTPS connections to C2. Mine was mostly sslvpn daemon and HA daemon.
Run "fnsysctl ps" to get all processes. Get the PIDs with "diagnose sys process pidof httpsd" (httpsd is example process). Run "diagnose sys process dump <PID>". If it returns GID of 90, that indicates infection. When the process map includes deleted entries linked to /data2/(process name) or any entries to /data2/.bd.(key)/preload.so, the device is infected.
Check that PDF for more detail and detection methods.
NoneRain - 3 weeks ago
Nice! Thanks for the info.
GEEO - 3 weeks ago
Hey, can a noob like me do that? All I need to do is type what you said in the normal CMD ?