
China State Hackers Infected 20,000 Fortinet VPNs, Dutch Spy Service Says (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Hackers working for the Chinese government gained access to more than 20,000 VPN appliances sold by Fortinet using a critical vulnerability that the company failed to disclose for two weeks after fixing it, Netherlands government officials said. The vulnerability, tracked as CVE-2022-42475, is a heap-based buffer overflow that allows hackers to remotely execute malicious code. It carries a severity rating of 9.8 out of 10. A maker of network security software, Fortinet silently fixed the vulnerability on November 28, 2022, but failed to mention the threat until December 12 of that year, when the company said it became aware of an "instance where this vulnerability was exploited in the wild." On January 11, 2023 -- more than six weeks after the vulnerability was fixed -- Fortinet warned a threat actor was exploiting it to infect government and government-related organizations with advanced custom-made malware. Netherlands government officials wrote in Monday's report:

Since the publication in February, the MIVD has continued to investigate the broader Chinese cyber espionage campaign. This revealed that the state actor gained access to at least 20,000 FortiGate systems worldwide within a few months in both 2022 and 2023 through the vulnerability with the identifier CVE-2022-42475. Furthermore, research shows that the state actor behind this campaign was already aware of this vulnerability in FortiGate systems at least two months before Fortinet announced the vulnerability. During this so-called 'zero-day' period, the actor alone infected 14,000 devices. Targets include dozens of (Western) governments, international organizations and a large number of companies within the defense industry.

The state actor installed malware at relevant targets at a later date. This gave the state actor permanent access to the systems. Even if a victim installs security updates from FortiGate, the state actor continues to have this access. It is not known how many victims actually have malware installed. The Dutch intelligence services and the NCSC consider it likely that the state actor could potentially expand its access to hundreds of victims worldwide and carry out additional actions such as stealing data. Even with the technical report on the COATHANGER malware, infections from the actor are difficult to identify and remove. The NCSC and the Dutch intelligence services therefore state that it is likely that the state actor still has access to systems of a significant number of victims.
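The summary identifies CVE-2022-42475 only by its class: a heap-based buffer overflow in code reachable from the network. The pair below is an added illustration of that bug class, not FortiOS code (the page does not show the actual vulnerable function): a hypothetical length-prefixed record parser in its vulnerable and hardened forms. The record format, FIELD_MAX, build_record and the function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wire format for this example: a 2-byte big-endian length
 * followed by that many bytes of field data.  Not the FortiOS SSL-VPN format. */
#define FIELD_MAX 64   /* size of the heap chunk the field is copied into */

static size_t read_u16be(const uint8_t *p)
{
    return ((size_t)p[0] << 8) | p[1];
}

/* VULNERABLE: the length from the wire is trusted.  The only check is that
 * the record is long enough to read, so a record that carries, say, 512
 * bytes with a matching length prefix is copied into a 64-byte heap chunk,
 * overwriting whatever follows it: a heap-based buffer overflow.  Do not
 * call this with hostile input; it is here to show the missing check. */
char *parse_field_vulnerable(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 2) return NULL;
    size_t n = read_u16be(rec);
    if (rec_len - 2 < n) return NULL;   /* guards against short reads only */
    char *buf = malloc(FIELD_MAX);
    if (buf == NULL) return NULL;
    memcpy(buf, rec + 2, n);            /* n is unbounded relative to FIELD_MAX */
    buf[n] = '\0';                      /* and so is this write */
    return buf;
}

/* HARDENED: bound the length against the destination before any copy.
 * The truncation check stays; it protects against short input, not against
 * an attacker who sends exactly as many bytes as the prefix claims. */
char *parse_field_hardened(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 2) return NULL;
    size_t n = read_u16be(rec);
    if (n >= FIELD_MAX) return NULL;    /* leave room for the terminator */
    if (rec_len - 2 < n) return NULL;   /* truncated record */
    char *buf = malloc(FIELD_MAX);
    if (buf == NULL) return NULL;
    memcpy(buf, rec + 2, n);
    buf[n] = '\0';
    return buf;
}

/* Test helper: builds a record whose length prefix may lie about the payload. */
size_t build_record(uint8_t *out, size_t cap, uint16_t claimed_len, const char *payload)
{
    size_t plen = strlen(payload);
    if (cap < 2 + plen) return 0;
    out[0] = (uint8_t)(claimed_len >> 8);
    out[1] = (uint8_t)(claimed_len & 0xff);
    memcpy(out + 2, payload, plen);
    return 2 + plen;
}

int main(void)
{
    uint8_t rec[128];
    /* Constructed benign record: prefix matches the 4-byte payload. */
    size_t n = build_record(rec, sizeof rec, 4, "user");
    char *a = parse_field_vulnerable(rec, n);
    char *b = parse_field_hardened(rec, n);
    printf("vulnerable: %s\nhardened:   %s\n", a ? a : "(rejected)", b ? b : "(rejected)");
    free(a);
    free(b);
    /* Constructed lying record: prefix claims 100 bytes, only 4 are sent. */
    n = build_record(rec, sizeof rec, 100, "user");
    char *c = parse_field_hardened(rec, n);
    printf("hardened, lying prefix: %s\n", c ? "accepted" : "(rejected)");
    free(c);
    return 0;
}
```

The only difference in the hardened version is the bound taken against the destination size before the copy. Compiled with -fsanitize=address, feeding parse_field_vulnerable a record whose prefix and payload are both 512 bytes aborts with a heap-buffer-overflow report; the hardened function returns NULL without copying anything.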

  • Negative tone of the article, saying Fortinet didn't mention it until a mere 2 weeks after the fix, is a laugh; that's stellar compared to most network gear vendors, like, say, the slackers at Cisco.

  • by Baron_Yam ( 643147 ) on Wednesday June 12, 2024 @10:06AM (#64543363)

    This is a current report on an event from 2022/2023. Just in case anybody saw the title and thought they needed to get patching and investigate whether they had been hit.

    • I think the interesting thing to note here is the pattern. The FortiSSL has been targeted several times with multiple successful root-level compromises, ON A SECURITY APPLIANCE.

      Why the heck is a VPN tunnel allowed to compromise the entire system? Shouldn't this be sandboxed or the like?

      • by Shakrai ( 717556 ) on Wednesday June 12, 2024 @10:43AM (#64543505) Journal

        Fortinet had another zero-day internet facing issue, whereby anyone with access to the system management page (thankfully IP restricted in our deployment but open to the world by default) could gain root access to the device. No user/pass required. Contemplate that for a few moments. This is a security company that can't present a simple logon webpage without it being pwned.

        I could give you a wall of text on how shitty their support process is too (tl;dr 20+ hours on the phone to get warranty honored on switch with dead ports) but really, the above is ample reason not to use them. By my count, we're up to five internet facing zero day exploits in the last 24 months.

        We inherited ours from a now fired MSP and I cannot wait for our rip and replace project. They are absolute garbage.

        • Yeah, whenever I see these reports I cringe a little because this is the company my university chose to depend on for several different security products.

          • by Shakrai ( 717556 )

            I'm not at liberty to disclose who, but a friend of mine works for a large public university, and they were on the receiving end of a ransomware attack that was ultimately traced back to their Fortinet VPN appliance. Windows was the final failure point, but the bad guys never would have gotten in without the initial Fortinet failure. You can probably find out who if you work in academia and, gods willing, use it as leverage to get onto any other stack.

      • by amorsen ( 7485 )

        Fortinet is giving up on SSL VPN. The replacement is proper IPsec VPN, with a tiny web frontend to do SAML authentication.

        Or Zero Trust, which is a sort of fancy port redirection that isn't technically VPN.

        Every other SSL VPN vendor has been hit by similar vulnerabilities. SSL VPN is a fundamentally flawed idea.

      • by nasch ( 598556 )

        When the point of it is to allow access into your network, how do you sandbox it?
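The question above (how do you sandbox a service whose whole purpose is to admit traffic) has a standard answer: privilege separation. The listener may hold root to own the socket, but the process that parses untrusted bytes runs as an unprivileged user and is prevented from getting root back, so a memory-safety bug in the parser yields a shell as that user rather than the whole appliance. The block below is an added example in C of that pattern; it is not FortiOS code, and drop_privileges, run_confined and check_identity are this example's own names. It assumes a POSIX system; the no-new-privs step is Linux-only and compiled out elsewhere.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Drop from root to an unprivileged identity in the order that works
 * (supplementary groups, then gid, then uid: setuid() goes last because a
 * non-root process can no longer change its groups), then prove the drop
 * stuck.  Returns 0 on success, -1 on failure with errno set. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)   /* needs root; clears inherited groups */
        return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
#if defined(__linux__) && defined(PR_SET_NO_NEW_PRIVS)
    /* Neither this process nor its children can regain privilege through
     * setuid binaries or file capabilities. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
#endif
    /* Verify rather than assume: the identity is what we asked for, and if
     * we left root, root cannot be regained (setuid(0) must fail). */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

/* Privilege separation: fork, and only the child, after dropping to
 * uid/gid, runs `work` over untrusted data.  Returns the child's exit
 * status (0 = work succeeded, 1 = work failed, 111 = the drop itself
 * failed) or -1 if the child could not be run or was killed. */
int run_confined(int (*work)(void *), void *arg, uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0) _exit(111);
        _exit(work(arg) == 0 ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Sample worker standing in for the request parser: reports whether it is
 * running as the expected uid.  `arg` points at that uid. */
int check_identity(void *arg)
{
    uid_t want = *(const uid_t *)arg;
    return (getuid() == want && geteuid() == want) ? 0 : 1;
}

int main(void)
{
    /* Stand-alone run without root: "drop" to the current identity.  As
     * root you would pass the service account's uid/gid instead. */
    uid_t me = getuid();
    int rc = run_confined(check_identity, &me, me, getgid());
    printf("confined worker exit status: %d (0 = ran as uid %u)\n", rc, (unsigned)me);
    return rc == 0 ? 0 : 1;
}
```

Dropping the uid is the minimum; a real daemon would also chroot() or mount-namespace the worker into a directory holding nothing but what the parser needs, and apply a seccomp filter so a compromised worker cannot even open a socket back to the management plane. None of that removes the bug, but it decides whether the bug is "a crash in one worker" or "root on the firewall".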

  • I get pinged for about 3 minutes by 2 Chinese IPs every couple of months... I also run a VPN. Coincidence?

    • Watch out, no joke, my air conditioner seemingly launched a deauth attack on my wireless network yesterday. At least they use an allocated MAC address instead of a random one, so it's easy to tell what device is causing the issue (with one of those reverse MAC lookup web tools). Strangely, the AC was able to disrupt the network for about a minute after I unplugged it, which would've made figuring out which device (in our sea of IoT) was the culprit a little more difficult. Must have a beefy capacitor in it.

    • by gweihir ( 88907 )

      Probably. I have something like 50 concurrent scans running every moment on my public facing network interface.

  • Yes, giving out details can be delayed, but if you know and have a patch, not giving all customers an immediate "Critical vulnerability found, update now!" message should count at the very least as gross negligence.

  • It should have been obvious that using C for this kind of system was stupid decades ago ... but I guess the NSA liked having easy exploits, so they never bothered to push for something more secure until the Chinese got as good as or better than them at using them.

    • by amorsen ( 7485 )

      A good portion of the various SSL VPN vulnerabilities across vendors have been path traversal bugs or similar, not memory overruns. While I agree that it is stupid to write web code in C, Rust would only have saved us from some of the vulnerabilities. Which is better than nothing, of course.

      • Not allowing web interface access from outside alleviates that. Add a vlan hurdle and that's two hurdles to jump to get to http on the VPN appliance.

        The VPN should be usable as a relatively trustworthy first line of defence with small attack surface, if the user wants to open up a larger attack surface that's on them ... but with C the VPN is not trustworthy to begin with.

        • by amorsen ( 7485 )

          Not allowing web interface access from outside alleviates that.

          Yes, blocking SSL connections to the SSL VPN server will alleviate all concerns. The server will not be very useful afterwards.

          Add a vlan hurdle and that's two hurdles to jump to get to http on the VPN appliance.

          Riiiiight.

          • With web interface I mean an admin interface, like say aCSHELL

            If the SSL VPN allows just authentication, there are no paths to get confused about. Say CVE-2024-24919 happened because it allowed far more than that, without authentication. When that is done as undeclared functionality that's not a path traversal bug, it's leaving in a poorly secured backdoor.
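amorsen's point earlier in this thread is that many SSL VPN web-component bugs across vendors are path traversal rather than memory corruption, and the reply above argues that an unauthenticated endpoint should expose nothing whose paths can be confused. Where a web front end does have to open files by request path, the check below is what it needs before touching the filesystem. It is an added example in C, not code from any vendor; the document root, the request strings, MAX_SEGMENTS and the function names are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SEGMENTS 64

/* Decode %XX escapes exactly once.  Rejects malformed escapes and an encoded
 * NUL (%00), which would silently truncate the path in later C string calls.
 * Double-encoded input ("%252e") decodes to the literal text "%2e", which is
 * then treated as an ordinary file name and never decoded again. */
static int url_decode(const char *src, char *dst, size_t cap)
{
    size_t j = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c == '%') {
            if (!isxdigit((unsigned char)src[i + 1]) ||
                !isxdigit((unsigned char)src[i + 2]))
                return -1;
            char hex[3] = { src[i + 1], src[i + 2], '\0' };
            c = (unsigned char)strtoul(hex, NULL, 16);
            i += 2;
        }
        if (c == '\0' || j + 1 >= cap) return -1;
        dst[j++] = (char)c;
    }
    dst[j] = '\0';
    return 0;
}

/* Lexically resolve a request path under `root`: collapses "." and repeated
 * slashes, treats backslashes as separators, pops ".." segments, and rejects
 * (rather than clamps) any path that would climb above the root, because a
 * request that tries to is hostile and worth logging.  On success writes
 * "<root>/<seg>/<seg>..." to `out` and returns 0; returns -1 when rejected. */
int safe_join(const char *root, const char *request, char *out, size_t cap)
{
    char decoded[1024];
    if (url_decode(request, decoded, sizeof decoded) != 0) return -1;
    for (char *q = decoded; *q != '\0'; q++)
        if (*q == '\\') *q = '/';

    const char *seg[MAX_SEGMENTS];
    size_t seglen[MAX_SEGMENTS];
    size_t depth = 0;
    const char *p = decoded;
    while (*p != '\0') {
        while (*p == '/') p++;                 /* skip separators, incl. "//" */
        if (*p == '\0') break;
        const char *start = p;
        while (*p != '\0' && *p != '/') p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.') continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0) return -1;         /* traversal above the root */
            depth--;
            continue;
        }
        if (depth == MAX_SEGMENTS) return -1;
        seg[depth] = start;
        seglen[depth] = len;
        depth++;
    }

    size_t n = strlen(root);
    if (n >= cap) return -1;
    memcpy(out, root, n);
    for (size_t i = 0; i < depth; i++) {
        if (n + 1 + seglen[i] >= cap) return -1;
        out[n++] = '/';
        memcpy(out + n, seg[i], seglen[i]);
        n += seglen[i];
    }
    out[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed request paths, including classic traversal payloads. */
    const char *reqs[] = {
        "/images/logo.png", "/a/../b/./c", "/../../etc/passwd",
        "/%2e%2e/%2e%2e/etc/passwd", "/a/..%00/x", "/..\\..\\etc\\passwd",
    };
    char out[512];
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        int rc = safe_join("/var/www", reqs[i], out, sizeof out);
        printf("%-28s -> %s\n", reqs[i], rc == 0 ? out : "REJECTED");
    }
    return 0;
}
```

A lexical check cannot see symlinks: a link inside the root pointing at /etc passes safe_join and still escapes. On a real filesystem, after opening the file also compare its realpath() against the root, or on Linux open it with openat2() and RESOLVE_BENEATH so the kernel enforces the containment.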

  • Patches for all supported versions should be made available free of charge. A security vulnerability should be the equivalent of a recall of a car. Fix it or buy it back, for a reasonable amount of years after the sale. Support contract or not.
