Published in News

Dutch spooks warn about Fortinet VPN hack

by on13 June 2024

Some users might still be vulnerable

Cyber attackers, believed to be working for the Chinese government, breached over 20,000 VPN devices sold by Fortinet by exploiting a critical vulnerability that remained undisclosed by the company for a fortnight post-repair.

According to Dutch spooks, the flaw, identified as CVE-2022-42475, is a heap-based buffer overflow that permits remote execution of malevolent code and is rated 9.8 out of 10 in terms of severity.

Fortinet, a network security software developer, covertly rectified the vulnerability on 28 November 2022 but did not acknowledge the risk until 12 December that year, when it recognised an “instance where this vulnerability was exploited in the wild.

On 11 January 2023, over six weeks after the fix, Fortinet alerted that a threat actor was using the vulnerability to disseminate advanced, bespoke malware among government and related entities.

Dutch officials reported that after February’s disclosure, the MIVD has delved further into the expansive Chinese cyber espionage operation. It emerged that a state-sponsored actor accessed a minimum of 20,000 FortiGate systems globally in a matter of months during 2022 and 2023 via the CVE-2022-42475 vulnerability.

It was discovered that this state-sponsored entity was cognisant of the FortiGate systems’ flaw at least two months prior to Fortinet’s announcement. Throughout this ‘zero-day’ interval, the actor solely infected 14,000 devices. The victims spanned numerous (Western) governments, international bodies, and a plethora of defence industry corporations.

Subsequently, the state-sponsored actor installed malware on pertinent targets, securing enduring access to the systems. Even subsequent to the installation of FortiGate’s security updates by victims, the actor maintained access. The exact number of victims with malware installations remains uncertain.

The Dutch intelligence and the NCSC deem it probable that the state-sponsored actor might extend its reach to hundreds of victims globally and undertake further exploits like data theft.

Despite the technical report on the COATHANGER malware, pinpointing and eradicating infections by the actor proves challenging. Hence, the NCSC and Dutch intelligence posit that it’s likely the actor still retains system access for a considerable number of victims.

Last modified on 13 June 2024
Rate this item
(0 votes)

Read more about: