China's FortiGate attacks more extensive than first thought
Briefly

Over the course of just a few months in 2022 and 2023, at least 20,000 FortiGate systems were compromised by this China-linked activity, around 14,000 of them during what investigators call the "zero-day period": the roughly two months before Fortinet became aware of the vulnerability, when no patch existed.
The flaw in question is CVE-2022-42475, a critical (CVSS 9.8) heap-based buffer overflow in the FortiOS SSL-VPN component that allows an unauthenticated attacker to execute code remotely. Without naming them, the NCSC said the victims included "several" Western governments, international organizations, and a "large number" of defense companies.
After establishing an initial foothold on a FortiGate, the attackers would return later to deploy the Coathanger malware, named after a peculiar phrase found in the code it uses to encrypt its configuration. Coathanger is a remote-access implant that gives the attackers persistent access that survives reboots and firmware updates, so patching the device after the fact does not evict it.
Dutch intelligence believes a significant number of systems are still infected and remain under the control of the Chinese attackers behind the campaign.
Read at The Register