DISCLOSURE FUBAR


CHINA STATE HACKERS INFECTED 20,000 FORTINET VPNS, DUTCH SPY SERVICE SAYS

Critical code-execution flaw was under exploitation 2 months before company
disclosed it.

Dan Goodin – June 12, 2024 00:56
Credit: Getty Images

Hackers working for the Chinese government gained access to more than 20,000 VPN
appliances sold by Fortinet using a critical vulnerability that the company
failed to disclose for two weeks after fixing it, Netherlands government
officials said.

The vulnerability, tracked as CVE-2022-42475, is a heap-based buffer overflow
that allows hackers to remotely execute malicious code. It carries a severity
rating of 9.8 out of 10. A maker of network security software, Fortinet silently
fixed the vulnerability on November 28, 2022, but failed to mention the threat
until December 12 of that year, when the company said it became aware of an
“instance where this vulnerability was exploited in the wild.” On January 11,
2023—more than six weeks after the vulnerability was fixed—Fortinet warned a
threat actor was exploiting it to infect government and government-related
organizations with advanced custom-made malware.


ENTER COATHANGER

The Netherlands officials first reported in February that Chinese state hackers
had exploited CVE-2022-42475 to install an advanced and stealthy backdoor
tracked as CoatHanger on Fortigate appliances inside the Dutch Ministry of
Defense. Once installed, the never-before-seen malware, specifically designed
for the underlying FortiOS operating system, was able to permanently reside on
devices even when rebooted or receiving a firmware update. CoatHanger could also
escape traditional detection measures, the officials warned. The damage
resulting from the breach was limited, however, because infections were
contained inside a segment reserved for non-classified uses.

On Monday, officials with the Military Intelligence and Security Service (MIVD)
and the General Intelligence and Security Service in the Netherlands said that
to date, Chinese state hackers have used the critical vulnerability to infect
more than 20,000 FortiGate VPN appliances sold by Fortinet. Targets include
dozens of Western government agencies, international organizations, and
companies within the defense industry.

“Since then, the MIVD has conducted further investigation and has shown that the
Chinese cyber espionage campaign appears to be much more extensive than
previously known,” Netherlands officials with the National Cyber Security Center
wrote. “The NCSC therefore calls for extra attention to this campaign and the
abuse of vulnerabilities in edge devices.”


ARS VIDEO


HOW THE CALLISTO PROTOCOL'S GAMEPLAY WAS PERFECTED MONTHS BEFORE RELEASE



Monday’s report said that exploitation of the vulnerability started two months
before Fortinet first disclosed it and that 14,000 servers were backdoored
during this zero-day period. The officials warned that the Chinese threat group
likely still has access to many victims because CoatHanger is so hard to detect
and remove.

Netherlands government officials wrote in Monday’s report:

> Since the publication in February, the MIVD has continued to investigate the
> broader Chinese cyber espionage campaign. This revealed that the state actor
> gained access to at least 20,000 FortiGate systems worldwide within a few
> months in both 2022 and 2023 through the vulnerability with the identifier
> CVE-2022-42475. Furthermore, research shows that the state actor behind this
> campaign was already aware of this vulnerability in FortiGate systems at least
> two months before Fortinet announced the vulnerability. During this so-called
> 'zero-day' period, the actor alone infected 14,000 devices. Targets include
> dozens of (Western) governments, international organizations and a large
> number of companies within the defense industry.
> 
> The state actor installed malware at relevant targets at a later date. This
> gave the state actor permanent access to the systems. Even if a victim
> installs security updates from FortiGate, the state actor continues to have
> this access.
> 
> It is not known how many victims actually have malware installed. The Dutch
> intelligence services and the NCSC consider it likely that the state actor
> could potentially expand its access to hundreds of victims worldwide and carry
> out additional actions such as stealing data.
> 
> Even with the technical report on the COATHANGER malware, infections from the
> actor are difficult to identify and remove. The NCSC and the Dutch
> intelligence services therefore state that it is likely that the state actor
> still has access to systems of a significant number of victims.

Fortinet’s failure to disclose promptly is particularly acute given the severity
of the vulnerability. Disclosures are crucial because they help users prioritize
the installation of patches. When a new version fixes only minor bugs,
organizations often wait to install it. When it fixes a vulnerability with a 9.8
severity rating, they’re much more likely to expedite the update. Given that the
vulnerability was being exploited even before Fortinet fixed it, disclosure
likely wouldn't have prevented all of the infections, but it stands to reason it
could have stopped some.

Fortinet officials have never explained why they didn’t disclose the critical
vulnerability when it was fixed. They have also declined to disclose what the
company policy is for the disclosure of security vulnerabilities. Company
representatives didn’t immediately respond to an email seeking comment for this
post.

Listing image: Getty Images

Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage
of malware, computer espionage, botnets, hardware hacking, encryption, and
passwords. In his spare time, he enjoys gardening, cooking, and following the
independent music scene. Dan is based in San Francisco. Follow him here on
Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.