Chinese Hackers Infiltrate Dutch Defense Networks with Coathanger RAT
By Deeba Ahmed

Chinese state-backed hackers targeted Dutch military networks by exploiting a vulnerability in a FortiGate device. This is a post from HackRead.com; read the original post: Chinese Hackers Infiltrate Dutch Defense Networks with Coathanger RAT.
The Dutch intelligence services have warned about a growing trend of threat actors targeting edge devices, such as VPNs, email servers, and firewalls, with the recent disclosure of zero-days in Ivanti VPNs providing threat actors an opportunity to infiltrate networks.
The warning comes after Dutch defence networks were infiltrated by Chinese state-backed spies using new malware to steal sensitive information. The Military Intelligence and Security Service (MIVD) identified a China-sponsored actor as the attacker.
“MIVD & AIVD assess with high confidence that the malicious activity was conducted by a state-sponsored actor from the People’s Republic of China. This is part of a wider trend of Chinese political espionage against the Netherlands and its allies.”
Reportedly, the Chinese cyber espionage actors targeted the Dutch military by exploiting a FortiGate device flaw to remotely connect to networks. The initial intrusion began with the exploitation of CVE-2022-42475, a zero-day vulnerability that Fortinet warned was being exploited by advanced actors. After infiltration, the Chinese threat actors deployed a new “stealthy and persistent” RAT called Coathanger.
The RAT was installed on FortiGate devices in December 2022 using the high-impact vulnerability CVE-2022-42475. The malware's purpose was to maintain network access; it could be deployed in combination with any FortiGate device vulnerability that provides initial access.
The actor conducted reconnaissance of the R&D network and exfiltrated the list of user accounts from the Active Directory server. However, the intrusion's impact was limited because the targeted network was segmented from the wider MOD networks. The Dutch military defenders foiled the cyber-espionage plot, and because the system was self-contained, the intrusion did not cause any collateral damage.
Further probing revealed that the previously unpublished Coathanger malware has been specifically designed for FortiGate appliances. It is a stealthy and persistent RAT that conceals itself via system calls and survives reboots and firmware upgrades. This second-stage malware is named after a phrase used to encrypt its disk configuration: 'She took his coat and hung it up.'
After infecting a FortiGate device, the malware connects to a C2 server over SSL and provides a BusyBox reverse shell. Any published or unpublished vulnerability can be exploited for initial network access, with Coathanger serving as the backdoor afterwards.
It is worth noting that the Netherlands has publicly criticized Beijing for state-sponsored hacking for the first time. The country’s Defense Minister Kajsa Ollongren emphasized the importance of publicly releasing a technical report on Chinese hackers’ methods, aiming to enhance international resilience against cyber espionage.
“For the first time, the MIVD has chosen to make public a technical report on the working methods of Chinese hackers. It is important to attribute such espionage activities by China,” Ollongren said.
MIVD notified Fortinet PSIRT of the malware’s existence. To mitigate these threats, organizations should regularly perform risk analysis, limit internet access, analyze logs for anomalous activity, install vendor security updates, and replace outdated hardware and software. This will help protect against potential attacks on public internet-connected devices.
Related news
The China-nexus cyber espionage actor linked to the zero-day exploitation of security flaws in Fortinet, Ivanti, and VMware devices has been observed utilizing multiple persistence mechanisms in order to maintain unfettered access to compromised environments. "Persistence mechanisms encompassed network devices, hypervisors, and virtual machines, ensuring alternative channels remain available
Fortinet has disclosed a new critical security flaw in FortiOS SSL VPN that it said is likely being exploited in the wild. The vulnerability, CVE-2024-21762 (CVSS score: 9.6), allows for the execution of arbitrary code and commands. "An out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially
Chinese state-backed hackers broke into a computer network that's used by the Dutch armed forces by targeting Fortinet FortiGate devices. "This [computer network] was used for unclassified research and development (R&D)," the Dutch Military Intelligence and Security Service (MIVD) said in a statement. "Because this system was self-contained, it did not lead to any damage to the
Fortinet on Monday disclosed that a newly patched critical flaw impacting FortiOS and FortiProxy may have been "exploited in a limited number of cases" in attacks targeting government, manufacturing, and critical infrastructure sectors. The vulnerability, tracked as CVE-2023-27997 (CVSS score: 9.2), concerns a heap-based buffer overflow vulnerability in FortiOS and FortiProxy SSL-VPN that could
Nearly 20% of the zero-day flaws that attackers exploited in 2022 were in network, security, and IT management products, Mandiant says.
As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple. While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significant uptick in recent years of threat actors leveraging unknown security flaws to their advantage. The
Government entities and large organizations have been targeted by an unknown threat actor by exploiting a security flaw in Fortinet FortiOS software to result in data loss and OS and file corruption. "The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," Fortinet researchers Guillaume Lovet and Alex Kong said in an
Backdoor into FortiOS: Chinese Threat Actors Utilize 0-Day (HackRead.com, by Deeba Ahmed): Chinese hackers are exploiting a previously patched vulnerability found in Fortinet FortiOS SSL-VPN by using new malware called BOLDMOVE.
A suspected China-nexus threat actor exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa. Telemetry evidence gathered by Google-owned Mandiant indicates that the exploitation occurred as early as October 2022, at least nearly two months before fixes were
The "BoldMove" backdoor demonstrates a high level of knowledge of FortiOS, according to Mandiant researchers, who said the attacker appears to be based out of China.
A zero-day vulnerability in FortiOS SSL-VPN that Fortinet addressed last month was exploited by unknown actors in attacks targeting the government and other large organizations. "The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," Fortinet researchers said in a post-mortem analysis published this week. The
A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.