On February 4, 2024, the Dutch Military Intelligence and Security Service (MIVD) uncovered a significant cybersecurity threat that sent shockwaves through the digital security community. In a detailed article, they exposed a newly discovered remote access trojan (RAT) dubbed ‘COATHANGER,’ developed by state-backed Chinese hackers. This malware poses a substantial risk to FortiGate appliances, exploiting a specific vulnerability and demonstrating an alarming level of persistence, even through firmware upgrades.
One key fact to note is the vulnerability that made COATHANGER possible was discovered, and its patch released, in late 2022. So, how did this happen? What are the risks associated with it, and how can you prevent tomorrow’s COATHANGER RAT today?
The FortiGate CVE-2022-42475 Vulnerability
Almost on cue, this week Fortinet has released new Firmware patches for FortiOS 6.2.x, 6.4.x, 7.0.x, 7.2.x & 7.4.x. The other shoe dropped yesterday evening (02/8/2024). Fortinet published two advisories (FG-IR-24-015 & FG-IR-24-029). The CVSSv3 score for these are 9.6 and 9.8 respectively. As they allow an unauthenticated user to run arbitrary code, they should be considered Critical – or in the words of Michael Scott, “DEFCON 20!”
COATHANGER gains its initial access by exploiting a vulnerability identified as CVE-2022-42475. This flaw provides the perfect entry point for threat actors, allowing them to install the malicious software on the FortiGate appliance without detection. Once inside, the malware opens the door for complete access by the attackers, putting sensitive information and network security at grave risk.
What sets COATHANGER apart from other cyber threats is its ability to SURVIVE FIRMWARE UPDATES. Typically, organizations rely on regular firmware updates to patch vulnerabilities and enhance their system’s security. However, COATHANGER seems to thwart this common defense mechanism, emphasizing the sophistication of the Chinese state-backed hackers behind its creation.
FortiGate COATHANGER Challenges And Solutions
COATHANGER Removal Challenges
The situation becomes more serious due to the challenge of removing COATHANGER once it gets into a FortiGate appliance. The MIVD report suggests the only effective method is a complete format of the FortiGate’s hard drive, followed by reinstalling the FortiOS. This highlights the urgency for immediate action to minimize the threat’s impact.
Permanent Fix
Apply the Latest Firmware – The most effective way to secure your FortiGate appliance is to apply the latest firmware updates provided by Fortinet. This ensures that your system is equipped with the necessary patches and enhancements to prevent COATHANGER and similar threats. It is crucial to communicate the urgency of these updates to your leadership, as they play a pivotal role in maintaining the security posture of your network.
Workarounds For Emergency Situations
If you cannot convince your leadership to allow emergency patching, Fortinet has suggested the following workarounds:
- For FG-IR-24-015: Disable SSLVPN entirely. This proactive step is crucial, especially considering that this vulnerability is already being exploited in the wild.
- For FG-IR-24-029: disable FortiManager access on the public interface (FortiManager will no longer be able to discover the firewall, but connections from FortiGates to FortiManager will still work).
MIVD’s COATHANGER Investigation, Resources, And Future Expectations
For those interested in diving deeper into the technical aspects, the MIVD’s detailed write-up on COATHANGER provides valuable insights (translation may be required). Additionally, a Python script has been shared for checking Indicators of Compromise (IOCs). It’s important to note that, as of now, the script is limited to offline forensic disk images. However, there are ongoing efforts, evident from the script’s Github page, to update it for live system detection – a crucial step in addressing the threat in real-time.
In the wake of this revelation, the cybersecurity community is on high alert, collaborating to find ways to counteract COATHANGER’s threat effectively. The ongoing development of the IOCs script for live system detection is a promising sign, and stakeholders are hopeful that a solution will be available soon.
Conclusion
COATHANGER’s emergence as a persistent RAT targeting FortiGate appliances raises concerns about the evolving landscape of cyber threats. Organizations must remain vigilant, prioritize security protocols, and stay informed about the latest developments in the cybersecurity realm. Contact us today to learn more about how to mitigate this threat and better protect your business from future cybersecurity threats.
If you’d like to learn more about the COATHANGER cybersecurity threat and protecting your FortiGate appliances, please contact us by calling (502) 240-0404 or emailing info@mirazon.com