Chinese Hackers Compromised 20K FortiGate Systems worldwide

At the beginning of 2024, the Dutch intelligence services reported that Chinese state-sponsored threat actors were compromising FortiGate devices and implanting them with the COATHANGER remote access trojan.

Follow-up investigation has since shown that this cyber espionage campaign was far larger in scale than initially known.

The Dutch Military Intelligence and Security Service (MIVD) and General Intelligence and Security Service (AIVD) have released a security advisory stating that Chinese state actors are exploiting vulnerabilities in internet-facing edge devices at scale in order to gain initial access to target networks.

20K FortiGate Systems Compromised

According to the reports shared with Cyber Security News, further investigation of the COATHANGER campaign revealed that the threat actor had gained access to at least 20,000 FortiGate systems worldwide. The victims include dozens of governments and international organizations as well as a large number of companies in the defense industry.


The threat actor compromised these devices within a few months in 2022 and 2023 by exploiting CVE-2022-42475, a heap-based buffer overflow in the FortiOS SSL-VPN daemon that gives an unauthenticated remote attacker code execution on the device.

The investigation also found that the threat actor knew about this vulnerability at least two months before Fortinet publicly disclosed it in December 2022.

During this zero-day window alone, the threat actor infected more than 14,000 devices with malware.

How many of these targets are still affected today is unknown.

Moreover, installing Fortinet's security updates does not evict the attacker: the COATHANGER implant persists across reboots and firmware upgrades, so a victim that has patched the vulnerability can still be under the threat actor's control.

The Dutch services therefore assess that the Chinese state actor still has access to a large number of victim systems.

Mitigation

To counter this threat, the Dutch NCSC (Nationaal Cyber Security Centrum) recommends that organizations apply the "assume breach" principle: operate on the working assumption that a compromise has already taken place, rather than treating a patched device as clean.

In addition, mitigation measures such as network segmentation, detection, incident response plans and forensic readiness limit the damage and impact when an edge device is compromised.
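As an added example (not part of the Dutch advisory or of this article), the following Python script applies that assume-breach logic to a FortiGate inventory: a device that ran a build vulnerable to CVE-2022-42475 while its SSL-VPN portal was internet-facing is flagged for forensic triage even if it has since been upgraded, because the implant survives the upgrade. The first-fixed builds per branch are taken from Fortinet's advisory FG-IR-22-398 for the 7.2, 7.0, 6.4 and 6.2 branches only (the 6.0 and FortiOS-6K7K branches are left out and should be checked against the advisory); the inventory, device names, dates and the `Device` and `triage` helpers are constructed for illustration.

```python
"""Assume-breach triage for a FortiGate fleet exposed to CVE-2022-42475.

A device that ran a vulnerable FortiOS build while its SSL-VPN portal was
internet-facing is treated as potentially implanted even if it has since been
upgraded, because the COATHANGER implant survives firmware updates.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# First fixed build per FortiOS branch, from Fortinet advisory FG-IR-22-398.
# Only the four main branches are listed; the 6.0 and FortiOS-6K7K branches
# are deliberately omitted, so check the advisory before extending this.
FIXED_VERSIONS = {
    (7, 2): (7, 2, 3),
    (7, 0): (7, 0, 9),
    (6, 4): (6, 4, 11),
    (6, 2): (6, 2, 12),
}

# Fortinet's public disclosure date for CVE-2022-42475.
DISCLOSURE = date(2022, 12, 12)


def parse_version(text: str) -> tuple:
    """'7.0.8' -> (7, 0, 8); rejects anything that is not three integers."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed FortiOS version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build predates its branch fix, False if fixed,
    None if the branch is not in FIXED_VERSIONS (unknown, not 'safe')."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


@dataclass
class Device:
    """Hypothetical inventory record; field names are this example's own."""
    name: str
    exposed_build: str            # build running while SSL-VPN was reachable
    current_build: str
    sslvpn_internet_facing: bool
    exposed_since: date
    upgraded_on: Optional[date]   # None if still on the exposed build


def triage(d: Device, today: date = date(2024, 6, 11)) -> tuple:
    """Return (category, reason). Patch state alone never yields 'clean'."""
    if not d.sslvpn_internet_facing:
        return ("NOT_EXPOSED",
                "SSL-VPN portal not internet-facing; the exploit needs sslvpnd reachable")
    was_vuln = is_vulnerable(d.exposed_build)
    if was_vuln is None:
        return ("UNKNOWN_BRANCH",
                f"{d.exposed_build} not in fix table; check FG-IR-22-398 manually")
    if not was_vuln:
        return ("NEVER_VULNERABLE",
                f"{d.exposed_build} is at or past the fix for its branch")
    still_vuln = is_vulnerable(d.current_build)
    if still_vuln or still_vuln is None:
        return ("UNPATCHED_EXPOSED",
                f"{d.current_build} still exploitable; upgrade now, then triage")
    window_end = d.upgraded_on or today
    zero_day = " (includes pre-disclosure zero-day period)" if d.exposed_since < DISCLOSURE else ""
    return ("PATCHED_BUT_TRIAGE",
            f"exposed on {d.exposed_build} from {d.exposed_since} to {window_end}{zero_day}; "
            "the upgrade does not remove COATHANGER, collect forensic evidence")


# Constructed inventory (not real devices or dates).
FLEET = [
    Device("fw-edge-01", "7.0.8", "7.0.12", True, date(2022, 10, 1), date(2023, 1, 15)),
    Device("fw-branch-02", "7.2.1", "7.2.1", True, date(2023, 3, 1), None),
    Device("fw-lab-03", "6.4.9", "6.4.14", False, date(2022, 6, 1), date(2023, 2, 1)),
    Device("fw-dc-04", "7.2.3", "7.2.5", True, date(2023, 2, 1), date(2023, 9, 1)),
]


def triage_fleet(fleet=FLEET) -> dict:
    """Map device name -> category, so the result can be reported or asserted on."""
    return {d.name: triage(d)[0] for d in fleet}


if __name__ == "__main__":
    for d in FLEET:
        category, reason = triage(d)
        print(f"{d.name:12} {category:18} {reason}")
```

Note that an unknown branch is reported as unknown rather than safe, and that the only device categorized as clean is one whose exposed build was already at or past the fix; everything else either needs patching or, in the patched case, forensic collection before it is trusted again.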


Eswar

Eswar is a cyber security reporter with a passion for creating captivating and informative content. With years of experience in cyber security, he reports on data breaches, privacy and APT threats.
