The Netherlands Ministry of Defence just published the cliff-hanger document TLP:CLEAR MIVD AIVD Advisory COATHANGER regarding a remote access attack on their Fortinet FortiGate VPN by “a state-sponsored actor from the People’s Republic of China”. CVE-2022-42475 was the weakness exploited. One thing that is unusual about the report is the direct attribution: this is rare.
The effects were limited because of prior
Reading the lines and between the lines, the Netherlands implemented more than one control, a defence-in-depth strategy. This reduced the impact (or blast radius) of the attack.
One thing that stood out to me
Moreover, the infection survives firmware upgrades. Even fully patched FortiGate devices may therefore be infected, if they were compromised before the latest patch was applied.
This is dangerous: a lot of companies will apply the upgrades thinking they are now protected, but could remain compromised.
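The “patched is not clean” point above is easy to lose in an asset inventory that only tracks firmware versions. The triage below is an added example (not from the advisory or the original post) that classifies devices by whether they were internet-facing while still unpatched; the record fields, device names and dates are constructed for illustration.

```python
"""Triage a VPN-appliance inventory for the 'patched is not clean' case.

Added example, not code from the advisory or the original post.
Field names, device names and dates are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Device:
    name: str
    firmware: str                  # current firmware, informational only
    exposed_since: Optional[date]  # first day the VPN interface faced the internet
    patched_on: Optional[date]     # None means the fix has not been applied


def triage(dev: Device) -> str:
    """Classify a device by what its patch state can and cannot tell us."""
    if dev.patched_on is None:
        return "UNPATCHED"            # still exploitable; patch and assess
    if dev.exposed_since is None:
        return "PATCHED_NOT_EXPOSED"  # no exposure window, upgrade suffices
    if dev.exposed_since < dev.patched_on:
        # Reachable while vulnerable: an implant planted in that window
        # survives the firmware upgrade, so a compromise assessment is
        # still required even though the current version is fixed.
        return "PATCHED_ASSESS"
    return "PATCHED_CLEAN_WINDOW"     # exposed only after the fix landed


def exposure_days(dev: Device) -> int:
    """Length of the unpatched, internet-facing window in days (0 if none)."""
    if dev.exposed_since is None:
        return 0
    end = dev.patched_on or date.today()
    return max((end - dev.exposed_since).days, 0)


def triage_inventory(devices: List[Device]) -> Dict[str, str]:
    return {d.name: triage(d) for d in devices}


# Constructed sample inventory (placeholder hostnames, versions and dates).
SAMPLE = [
    Device("fw-edge-1", "7.2.3", date(2022, 1, 10), date(2023, 1, 5)),
    Device("fw-edge-2", "7.2.3", date(2023, 2, 1), date(2023, 1, 5)),
    Device("fw-lab", "7.0.8", None, date(2023, 1, 5)),
    Device("fw-branch", "7.0.5", date(2022, 6, 1), None),
]
```

Every device in the `PATCHED_ASSESS` bucket is the one the post warns about: the version string says “fixed” while nothing on the inventory side rules out a pre-patch implant.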
The document then goes into some detail about the various libraries affected, how the malware hides itself, how it sets up its command and control
A bastion device like a VPN or firewall is particularly complex to secure. By the nature of its job, it has both outside and inside access. The comment in the document about ‘prior network segmentation’ is your clue to how to reduce the impact. And there is no better network segmentation than Zero Trust. In “Industrial Zero-Trust Micro-Segmentation” I wrote about some techniques, including the use of Private VLAN, that can be coupled with a Zero Trust platform like Agilicus AnyX to provide layers of defence in depth.