A joint effort by NCSC, MIVD, and AIVD uncovered a Chinese cyber espionage campaign that exploited a vulnerability in Fortinet’s FortiGate firewalls to deploy the previously unknown COATHANGER malware.
Further investigation by MIVD revealed a significantly larger campaign scope than initially believed, and in response, NCSC has published a knowledge product that delves into the security challenges posed by edge devices and offers mitigation strategies.
The development underscores a critical evolution in cyberattacks, where threat actors are increasingly targeting publicly accessible edge devices to gain persistent access to networks.
Dutch military intelligence (MIVD) investigations following the February 2024 disclosure of the COATHANGER malware revealed a far wider Chinese cyber espionage campaign: the attacker exploited CVE-2022-42475, a heap-based buffer overflow in the SSL-VPN component of Fortinet’s FortiOS, to compromise at least 20,000 FortiGate devices worldwide during 2022 and 2023.
The attacker had roughly two months of zero-day access before Fortinet publicly disclosed the vulnerability, and infected some 14,000 devices in that window alone. Victims included dozens of Western governments, international organizations, and a large number of defense-industry companies.
On selected targets the state actor then installed COATHANGER to keep persistent access. The implant survives reboots and firmware upgrades, so applying Fortinet’s patch closes the entry point but does not remove an implant that is already present on the device.
The scale of the campaign is cause for concern: the MIVD and the Dutch National Cyber Security Centre (NCSC) estimate that there could be hundreds of potential victims across the world.
Because the implant is difficult to detect and remove, the intelligence services believe the state actor still has access to a significant number of compromised systems, which makes heightened vigilance necessary.
The intelligence services are raising awareness of the growing exploitation of vulnerabilities in publicly accessible edge devices such as firewalls and VPN gateways.
These devices sit at the network perimeter with a direct internet connection, frequently lack robust hardening, and usually cannot run an EDR agent, which makes them attractive targets and underlines the need for security practices designed specifically for edge devices.
Because zero-day exploitation of such devices is hard to prevent, organizations should adopt an “assume breach” mentality: assume a successful compromise has already happened or soon will, and plan mitigations that limit the damage.
The strategies include network segmentation to isolate compromised areas, intrusion detection systems to identify suspicious activity, incident response plans for swift containment and recovery, and forensic readiness to gather evidence for investigation and potential legal action.
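One practical form of the “identify suspicious activity” strategy for a device that cannot run EDR is to watch the network telemetry the device cannot hide: a firewall or VPN gateway normally originates only a handful of outbound connections of its own (DNS, NTP, logging, vendor updates), so any other connection it initiates, and especially one that recurs at a steady interval, deserves investigation. The script below is an added example written for this article, not code from NCSC, MIVD or Fortinet; the device address, allowlisted destinations and flow records are all constructed for illustration.

```python
"""Network-side detection for an edge device that cannot run EDR.

Added example (not part of the NCSC/MIVD material). A firewall or VPN
concentrator normally initiates only a handful of outbound connections of
its own (DNS, NTP, logging, vendor updates). Any other connection that the
device itself originates, especially one recurring at a regular interval,
is the kind of suspicious activity an assume-breach posture should catch.
All IP addresses, ports and flow records below are constructed.
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical management/egress address of the edge device under watch.
EDGE_DEVICE_IPS = {"203.0.113.10"}

# Hypothetical allowlist of destinations the device is expected to contact.
EXPECTED_DESTINATIONS = {
    ("198.51.100.53", 53, "udp"),    # internal DNS resolver
    ("198.51.100.123", 123, "udp"),  # NTP server
    ("192.0.2.7", 514, "udp"),       # syslog collector
}

# A destination contacted at least this many times with low interval
# variance is reported as beacon-like.
MIN_BEACON_CONNECTIONS = 4
MAX_INTERVAL_CV = 0.2  # coefficient of variation (stdev / mean)


@dataclass(frozen=True)
class Flow:
    ts: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record:
    '<epoch> <src_ip> <src_port> <dst_ip> <dst_port> <proto> <bytes>'."""
    ts, src, sport, dst, dport, proto, nbytes = line.split()
    return Flow(int(ts), src, int(sport), dst, int(dport), proto.lower(), int(nbytes))


def is_beacon_like(timestamps: list[int]) -> bool:
    """True when connections recur at a near-constant interval."""
    if len(timestamps) < MIN_BEACON_CONNECTIONS:
        return False
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(intervals)
    if mean <= 0:
        return False
    return statistics.pstdev(intervals) / mean <= MAX_INTERVAL_CV


def analyse(flow_lines: list[str]) -> dict[tuple[str, int, str], dict]:
    """Return, per unexpected destination, how often the edge device itself
    connected to it, the bytes sent, and whether the pattern looks like a beacon."""
    by_dest: dict[tuple[str, int, str], list[Flow]] = defaultdict(list)
    for line in flow_lines:
        f = parse_flow(line)
        if f.src_ip not in EDGE_DEVICE_IPS:
            continue  # only connections the device originates matter here
        key = (f.dst_ip, f.dst_port, f.proto)
        if key in EXPECTED_DESTINATIONS:
            continue
        by_dest[key].append(f)
    return {
        key: {
            "count": len(flows),
            "bytes": sum(f.nbytes for f in flows),
            "beacon_like": is_beacon_like([f.ts for f in flows]),
        }
        for key, flows in by_dest.items()
    }


# Constructed flow records: normal housekeeping traffic, one unexplained SSH
# connection, a regular HTTPS beacon to an external host, and one inbound
# connection (source is not the edge device, so it is ignored).
SAMPLE_FLOWS = [
    "1000 203.0.113.10 40001 198.51.100.53 53 udp 80",
    "1000 203.0.113.10 40002 192.0.2.200 443 tcp 1420",
    "1200 203.0.113.10 123 198.51.100.123 123 udp 76",
    "1300 192.0.2.55 51515 203.0.113.10 443 tcp 900",
    "1595 203.0.113.10 40003 192.0.2.200 443 tcp 1388",
    "1700 203.0.113.10 40004 198.51.100.9 22 tcp 5120",
    "2210 203.0.113.10 40005 192.0.2.200 443 tcp 1402",
    "2500 203.0.113.10 40006 192.0.2.7 514 udp 310",
    "2800 203.0.113.10 40007 192.0.2.200 443 tcp 1415",
]

if __name__ == "__main__":
    for dest, info in analyse(SAMPLE_FLOWS).items():
        flag = "BEACON-LIKE" if info["beacon_like"] else "unexpected"
        print(f"{flag:12} {dest[0]}:{dest[1]}/{dest[2]} "
              f"connections={info['count']} bytes={info['bytes']}")
```

In production the allowlist would come from the vendor’s documented update and telemetry endpoints plus the organization’s own DNS, NTP and log servers, and the flow records from NetFlow/IPFIX or span-port capture taken upstream of the device, so that the telemetry does not depend on the possibly compromised device reporting on itself.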
The NCSC’s “Dealing with Edge Devices” resource offers further guidance on securing these increasingly prevalent network components.