Chinese Hacking Group Compromises At Least 20,000 FortiGate Firewalls Globally, Months Before Vulnerability Disclosed

Chinese hackers breached firewalls at dozens of Western government agencies, companies and research organizations, using a firewall vulnerability that wasn’t disclosed until several months after the attacks had already begun. What’s more, the malware used is designed to persist on the compromised system even after firmware and security updates are applied.

TL;DR

  • Over 20,000 FortiGate firewalls were found to have been compromised by hackers beginning sometime in 2022 and continuing through 2023.
  • FortiGate firewalls are a popular line of firewalls produced by Fortinet, one of the leading security hardware vendors globally.
  • According to Dutch security forces, who first caught the breach, evidence shows that the Chinese were accessing compromised systems globally for ‘at least’ several months prior to disclosure of the vulnerability that was exploited.

More Details

  • The vulnerability is a Remote Code Execution (RCE) vulnerability that, once exploited, grants root access to the device in question – more details are provided in CVE-2022-42475.
  • Previously exploited targets include dozens of Western governments, large corporations and research organizations.
  • The malware used was the COATHANGER remote-access tool (RAT), which is capable of surviving firmware updates and security patches.
  • It’s believed that many agencies and companies likely still have this malware in their environments, because it’s designed to evade detection, intercepting system calls and other queries to hide its presence.

admin
