Cyberattack exposes Fortinet vulnerabilities
State-sponsored threat actors backed by China exploited a critical security flaw in Fortinet systems, impacting 20,000 devices globally between 2022 and 2023.
The Dutch National Cyber Security Centre (NCSC) revealed that these actors were aware of the vulnerability at least two months before Fortinet disclosed it. During this “zero-day” period, they infected 14,000 devices. The campaign targeted Western governments, international organizations, and the defense industry, although specific entities were not named.
An advisory from February 2024 highlighted that the attackers breached a Dutch armed forces network by exploiting CVE-2022-42475, a vulnerability with a CVSS score of 9.8 that allows remote code execution. This breach led to the deployment of a backdoor named COATHANGER, which provided persistent remote access to compromised devices and served as a launching point for additional malware.
The NCSC noted that the adversaries installed the malware well after their initial access, in order to retain control over the devices. The exact number of infected devices remains unclear. This incident emphasizes the growing trend of cyberattacks targeting edge appliances as a way into critical networks. Edge devices are particularly exposed because they are directly connected to the internet and are typically not supported by Endpoint Detection and Response (EDR) solutions.
The NCSC highlighted the security challenges posed by edge devices, which are often the focus of malicious actors due to their position at the network’s edge and their frequent direct internet connections. This incident underscores the need for enhanced security measures to protect edge appliances from sophisticated cyber threats.