The Dutch intelligence services have warned about a growing trend of threat actors targeting edge devices, such as VPNs, email servers, and firewalls, with the recent disclosure of zero-days in Ivanti VPNs providing threat actors an opportunity to infiltrate networks.
The warning comes after Dutch defence networks were infiltrated by Chinese state-backed spies using a new malware to steal sensitive information. The Military Intelligence and Security Service (MIVD) identified a China-sponsored actor as the attacker.
“MIVD & AIVD assess with high confidence that the malicious activity was conducted by a state-sponsored actor from the People’s Republic of China. This is part of a wider trend of Chinese political espionage against the Netherlands and its allies.”
Reportedly, the Chinese cyber espionage actors targeted the Dutch military by exploiting a FortiGate device flaw to remotely connect to networks. The initial intrusion began with the exploitation of CVE-2022-42475, a zero-day vulnerability that Fortinet warned was being exploited by advanced actors. After infiltration, the Chinese threat actors deployed a new “stealthy and persistent” RAT called Coathanger.
The RAT was installed on FortiGate devices using the high-impact vulnerability (CVE-2022-42475) in December 2022. The malware aimed to maintain network access, potentially using the RAT in combination with any FortiGate device vulnerability.
The actor conducted reconnaissance of the R&D network and exfiltrated the user accounts list from the Active Directory server. However, the intrusion’s impact was limited due to the targeted network’s segmentation from wider MOD networks. The Dutch military defenders foiled the cyber-espionage plot and its self-contained system did not cause any collateral damage.
Further proving revealed that the yet unpublished Coathanger malware has been specifically designed for FortiGate appliances. It is a stealthy and persistent RAT hiding through system calls and surviving reboots and firmware upgrades. This second-stage malware is named after a phrase used to encrypt disk configuration- ‘She took his coat and hung it up.’
After infecting FortiGate devices, the malware connects to a C2 server over SSL providing a BusyBox reverse shell. Any published or unpublished vulnerabilities can be exploited for initial network access, with Coathanger serving as a backdoor afterwards.
It is worth noting that the Netherlands has publicly criticized Beijing for state-sponsored hacking for the first time. The country’s Defense Minister Kajsa Ollongren emphasized the importance of publicly releasing a technical report on Chinese hackers’ methods, aiming to enhance international resilience against cyber espionage.
“For the first time, the MIVD has chosen to make public a technical report on the working methods of Chinese hackers. It is important to attribute such espionage activities by China,” Ollongren said.
MIVD notified Fortinet PSIRT of the malware’s existence. To mitigate these threats, organizations should regularly perform risk analysis, limit internet access, analyze logs for anomalous activity, install vendor security updates, and replace outdated hardware and software. This will help protect against potential attacks on public internet-connected devices.
- CIA’s 11-year old hacking campaign against China exposed
- FBI Disrupts Chinese State-Backed Volt Typhoon’s KV Botnet
- Chinese Spyware Found in Google Play Store Apps, 2m Downloads
- Dutch Man Deployed Stuxnet via Water Pump to Disable Iran’s Nukes
- Chinese Blackwood APT Deploys NSPX30 Backdoor in Cyberespionage