A New Threat To Edge Devices
Custodian360
In the digital era, the importance of cybersecurity cannot be overstated. A recent discovery by the Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) underscores this fact, revealing a sophisticated malware targeting FortiGate devices. This incident not only highlights the continued interest of malicious actors in edge devices but also serves as a wake-up call for organisations to bolster their defences.
The Discovery of a New Threat
During an incident response investigation, MIVD and AIVD uncovered Remote Access Trojan (RAT) malware designed to infiltrate FortiGate devices. Unlike conventional malware that aims to gain system access, this RAT seeks to maintain its presence stealthily. Initial access is obtained by exploiting the CVE-2022-42475 vulnerability, which the NCSC identified in December 2022 as both highly probable and impactful.
Why Edge Devices?
Edge devices, such as firewalls, VPN servers, and email servers, sit at the network's perimeter, often directly connected to the internet. Their strategic position makes them prime targets for cyber-attacks. Unfortunately, these devices frequently fall outside the coverage of Endpoint Detection and Response (EDR) solutions, making malicious activity on them hard to detect. The growing trend of exploiting vulnerabilities in these devices highlights the urgent need for enhanced security measures.
A Call to Action
The collaborative publication from MIVD and AIVD not only sheds light on the operation of this new malware but also emphasises the necessity for proactive security measures. Here are some recommendations to mitigate the risks associated with edge devices:
Andy James had this to say: "The discovery of new malware targeting FortiGate devices is a stark reminder of the evolving cyber threat landscape. Edge devices, with their critical position in network infrastructures, demand particular attention. By adopting a vigilant and proactive approach to cybersecurity, organisations can significantly reduce their vulnerability to such threats. The collaboration between MIVD, AIVD, and Nationaal Cyber Security Centrum (NCSC-NL) in bringing this issue to light not only informs but also equips us with the knowledge to defend. Let's not waste that."
RESOURCES