A China-backed state actor compromised roughly 20,000 Fortinet FortiGate devices worldwide in 2022 and 2023 by exploiting a critical, since-patched vulnerability. The campaign turns out to have been far broader than first reported.
It targeted numerous Western governments, international organizations, and a large number of defense-industry companies; the specific victims have not been named.
"The state actor behind this campaign was aware of this vulnerability in FortiGate systems at least two months before Fortinet disclosed it," stated the Dutch National Cyber Security Centre (NCSC) in a recent bulletin.
"During this so-called zero-day period, the actor infected 14,000 devices."
These findings build on an earlier advisory from February 2024, which reported that attackers had compromised a computer network used by the Dutch armed forces by exploiting CVE-2022-42475 (CVSS score: 9.8), a heap-based buffer overflow in the FortiOS SSL-VPN that allows unauthenticated remote code execution.
The intrusion was used to deploy a backdoor named COATHANGER from attacker-controlled infrastructure. The backdoor gives the actor persistent remote access to the compromised device and serves as a staging point for additional malware.
The NCSC also noted that the actor installed the malware on some devices long after gaining initial access, in order to retain control of them; how many victims actually have infected devices remains unknown.
Stephan Berger (@malmoeb) made a related point in a July 1, 2022 thread: "A good example I always mention is the leak of the Fortinet VPN credentials. Although many companies knew they were vulnerable at the time of this breach and patched their systems, many neglected to change the passwords."
The disclosure fits a persistent pattern: attackers compromise internet-facing edge appliances and use them as the entry point into high-value networks.
"Due to the security challenges of edge devices, these devices are a popular target for malicious actors," the NCSC explained.
"Edge devices are located at the perimeter of the IT network and often have a direct internet connection. Additionally, Endpoint Detection and Response (EDR) solutions frequently do not support these devices."
The episode shows that patching an edge device is necessary but not sufficient. Operators should apply vendor updates promptly, rotate any credentials that were exposed while a device was vulnerable, enforce multi-factor authentication on remote access, and keep a close eye on appliances that endpoint security tooling cannot cover.
Individuals face the same basic hygiene requirements: keep software up to date, use strong, unique passwords, enable multi-factor authentication where it is offered, and stay alert to phishing.