Chinese hackers exploited a FortiGate vulnerability, breaching 20,000 systems globally, impacting governments and defense sectors with persistent malware.

Continue reading
In early 2024, the Dutch Military Intelligence and Security Service (MIVD) issued a stark warning regarding a large-scale cyber-espionage campaign orchestrated by Chinese state-sponsored hackers.
This campaign, exploiting a zero-day vulnerability in Fortinet’s FortiGate systems, has had a profound impact on global cybersecurity, affecting thousands of systems worldwide. This detailed analysis examines the technical nuances, implications, and strategies employed in this sophisticated attack.
The vulnerability in question, CVE-2022-42475, is a critical remote code execution flaw found in FortiOS and FortiProxy. Discovered in 2022, this zero-day exploit allowed attackers to deploy malware on FortiGate network security appliances, compromising their integrity and security.
Key Points:
The breach was initially uncovered by MIVD and the General Intelligence and Security Service (AIVD) in a joint report in February 2023. It was revealed that over a span of a few months, the Chinese hacking group had infected approximately 14,000 devices. These targets included Western governments, international organizations, and companies within the defense sector.
The attackers exploited CVE-2022-42475 to gain remote code execution on vulnerable FortiGate systems. The exploit allowed them to bypass security measures and deploy the Coathanger malware.
Attack Vector:
The Coathanger RAT is a sophisticated piece of malware designed to maintain persistent access to compromised systems. It achieves this by intercepting system calls and embedding itself in a manner that resists detection and removal.
Features:
Below is an instance of how the Coathanger RAT might intercept system calls:
// Example of system call interception by Coathanger
#include <stdio.h>
#include <stdlib.h>
#include <dlfcn.h>
static int (*original_open)(const char *pathname, int flags, mode_t mode);
int open(const char *pathname, int flags, mode_t mode) {
// Check for specific file accesses
if (strstr(pathname, "sensitive_file")) {
// Hide presence by redirecting to a benign file
pathname = "/dev/null";
}
return original_open(pathname, flags, mode);
}
__attribute__((constructor))
void init() {
original_open = dlsym(RTLD_NEXT, "open");
}This snippet illustrates a method of intercepting the `open` system call to redirect accesses to sensitive files, thereby hiding malicious activity.
The breach’s impact on governments and defense sectors is significant. Compromised systems within these sectors can lead to severe consequences, including the theft of sensitive data and intellectual property. The infiltration of a Dutch Ministry of Defence network highlights the targeted nature of this campaign.
The campaign underscores a broader strategy of cyber-espionage conducted by state-sponsored actors. By targeting critical infrastructure and defense sectors, the attackers aim to gain strategic advantages on the global stage.
Case Study:
Detecting and removing the Coathanger RAT is challenging due to its stealth and persistence mechanisms. Traditional antivirus and anti-malware solutions may fail to detect it. Advanced techniques such as behavioral analysis and system integrity checks are required.
Fortinet released patches to address CVE-2022-42475. However, due to the malware’s persistence, merely applying patches is insufficient. Comprehensive system audits and manual removal processes are necessary.
Example Mitigation Steps:

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.