Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security China

China State Hackers Infected 20,000 Fortinet VPNs, Dutch Spy Service Says (arstechnica.com) 30

An anonymous reader quotes a report from Ars Technica: Hackers working for the Chinese government gained access to more than 20,000 VPN appliances sold by Fortinet using a critical vulnerability that the company failed to disclose for two weeks after fixing it, Netherlands government officials said. The vulnerability, tracked as CVE-2022-42475, is a heap-based buffer overflow that allows hackers to remotely execute malicious code. It carries a severity rating of 9.8 out of 10. A maker of network security software, Fortinet silently fixed the vulnerability on November 28, 2022, but failed to mention the threat until December 12 of that year, when the company said it became aware of an "instance where this vulnerability was exploited in the wild." On January 11, 2023 -- more than six weeks after the vulnerability was fixed -- Fortinet warned a threat actor was exploiting it to infect government and government-related organizations with advanced custom-made malware. Netherlands government officials wrote in Monday's report: Since the publication in February, the MIVD has continued to investigate the broader Chinese cyber espionage campaign. This revealed that the state actor gained access to at least 20,000 FortiGate systems worldwide within a few months in both 2022 and 2023 through the vulnerability with the identifier CVE-2022-42475 . Furthermore, research shows that the state actor behind this campaign was already aware of this vulnerability in FortiGate systems at least two months before Fortinet announced the vulnerability. During this so-called 'zero-day' period, the actor alone infected 14,000 devices. Targets include dozens of (Western) governments, international organizations and a large number of companies within the defense industry.

The state actor installed malware at relevant targets at a later date. This gave the state actor permanent access to the systems. Even if a victim installs security updates from FortiGate, the state actor continues to have this access. It is not known how many victims actually have malware installed. The Dutch intelligence services and the NCSC consider it likely that the state actor could potentially expand its access to hundreds of victims worldwide and carry out additional actions such as stealing data. Even with the technical report on the COATHANGER malware, infections from the actor are difficult to identify and remove. The NCSC and the Dutch intelligence services therefore state that it is likely that the state actor still has access to systems of a significant number of victims.

This discussion has been archived. No new comments can be posted.

China State Hackers Infected 20,000 Fortinet VPNs, Dutch Spy Service Says

Comments Filter:
  • negative tone of article saying Fortinet didn't mention until a mere 2 weeks later after fix is a laugh, that's stellar compared to most network gear vendors like say the slackers at cisco

  • by Baron_Yam ( 643147 ) on Wednesday June 12, 2024 @09:06AM (#64543363)

    This is a current report on an event from 2022/2023. Just in case anybody saw the title and thought they needed to get patching and investigate whether they had been hit.

    • I think the interesting thing to note here is the pattern. the FortiSSL has been targeted several times with multiple successful root level compromises, ON A SECURITY APPLIANCE.

      Why the heck is a VPN tunnel allowed to compromise the entire system? shouldnt this be sandboxed or the like?

  • Comment removed based on user account deletion
    • Watchout, no joke, my air conditioner seemingly launched a deauth attack on my wireless network yesterday. At least they use an allocated MAC address instead of a random one so its easy to tell what device is causing the issue (with one of those reverse MAC lookup web tools). Strangely, the AC was able to disrupt the network for about a minute after I unplugged it, which would've made figuring out which device (in our sea of IoT) the culprit a little more difficult. Must have a beefy capacitor in it.
    • by gweihir ( 88907 )

      Probably. I have something like 50 concurrent scans running every moment on my public facing network interface.

  • Yes, giving out details can be delayed, but if you know and have a patch, not giving all customers an immediate "Critical vulnerability found, update now!" message should count at the very least as gross negligence.

  • It should have been obvious that using C for these kind of systems was stupid decades ago ... but I guess NSA liked having easy exploits, so they never bothered to push for something more secure until the Chinese got as good or better than them at using them.

    • by amorsen ( 7485 )

      A good portion of the various SSL VPN vulnerabilities across vendors have been path traversal bugs or similar, not memory overruns. While I agree that it is stupid to write web code in C, Rust would only have saved us from some of the vulnerabilities. Which is better than nothing, of course.

      • Not allowing web interface access from outside alleviates that. Add a vlan hurdle and that's two hurdles to jump to get to http on the VPN appliance.

        The VPN should be usable as a relatively trustworthy first line of defence with small attack surface, if the user wants to open up a larger attack surface that's on them ... but with C the VPN is not trustworthy to begin with.

        • by amorsen ( 7485 )

          Not allowing web interface access from outside alleviates that.

          Yes, blocking SSL connections to the SSL VPN server will alleviate all concerns. The server will not be very useful afterwards.

          Add a vlan hurdle and that's two hurdles to jump to get to http on the VPN appliance.

          Riiiiight.

          • With web interface I mean an admin interface, like say aCSHELL

            If the SSL VPN allows just authentication, there are no paths to get confused about. Say CVE-2024-24919 happened because it allowed far more than that, without authentication. When that is done as undeclared functionality that's not a path traversal bug, it's leaving in a poorly secured backdoor.

  • Patches for all supported versions should be made available free of charge. A security vulnerability should be the equivalent of a recall of a car. Fix it or buy it back, for a reasonable amount of years after the sale. Support contract or not.

As of next week, passwords will be entered in Morse code.

Working...