Chinese Hackers Exploited Fortinet Zero-Day Flaw to Hack Networks


Chinese state-sponsored hackers exploited a zero-day vulnerability (CVE-2022-42475) in Fortinet’s VPN software to gain unauthorized access to Dutch defense networks. The hackers then deployed COATHANGER, a malware implant built to maintain persistent access.

The Dutch Ministry of Defence reported that its internal computer network was breached by hackers last year. The nature and extent of the breach have not yet been disclosed.




According to the Military Intelligence and Security Service and the General Intelligence and Security Service, the intrusion is attributed with high confidence to Chinese state actors. The threat actor conducted reconnaissance of the network and retrieved a list of user accounts from the Active Directory server.

Fortinet issued a critical advisory in December 2022, warning of a zero-day vulnerability being exploited by an “advanced actor” in attacks on “governmental or government-related targets.”

The Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) have conducted an assessment indicating that the malicious activity was carried out by a state-sponsored entity from the People’s Republic of China, with a high level of confidence.

Malware Deployed to FortiGate Devices

During the first stage, the Chinese hackers scanned for internet-facing devices affected by the zero-day vulnerability.

The hackers utilized the vulnerability to deploy COATHANGER malware, which enabled them to establish persistence within the victim network.

The malware maintains a persistent connection to the attackers and survives reboots and even firmware upgrades.

After the intrusion, the attacker monitored the R&D network and stole a list of user accounts from the Active Directory server.

Defense Minister Kajsa Ollongren said: “For the first time, the MIVD has chosen to make public a technical report on the working methods of Chinese hackers. It is important to attribute such espionage activities by China. In this way we increase international resilience against this type of cyber espionage.”

The Netherlands’ Joint Sigint Cyber Unit has shared a list of indicators of compromise in the report.

Separately, US officials dismantled a botnet of outdated Cisco and Netgear routers that Chinese threat actors such as Volt Typhoon used to conceal the origin of their malicious traffic.


