Chinese state -backed hackers broke into a computer network, which is used by the Dutch armed forces by targeting Fortinet FortiGate devices.
The Dutch Military Intelligence and Security Service (MIVD) said in a statement, “This [computer network] was used for uninterrupted research and development (R&D).” “Because this system was self-contained, it did not harm the defense network.” There were less than 50 users in the network.
The intrusion, which took place in 2023, leveraged a known critical security flaw in FortiOS SSL-VPN (CVE-2022-42475, CVSS score: 9.3) that allows an unauthenticated attacker to execute arbitrary code via specially crafted requests.
The successful exploitation of the defect paved the route for the deployment of a backdoor dubbed COATHANGER from an actor-controlled server, designed to give frequent remote access to compromised equipment.
The Dutch National Cyber Security Center (NCSC) said, “COATHANGER Malware is secret and frequent.” “This hooking system hides itself by calls that can reveal its appearance. It saves the reboot and firmware upgrade.”
COATHANGER is distinct from BOLDMOVE, another backdoor linked to a suspended China-based threat actor that’s known to have exploited CVE-2022-42475 as a zero-day in attacks targeting a European government entity and a Managed Service Provider (MSP) Located in Africa As early as October 2022.
For the first time, the Netherlands have publicly blamed a cyber espionage campaign for China. Reuters, who broke the story, said that the malware is named after a code Snippet, with a short story of British writer Roald Dahl, a line from the Lamb to The Slaughter.
US authorities also come a few days after taking steps to end a botnet, including Cisco and Netgear Router, which were used by Chinese threat actors such as Volt Typhoon to hide the origin of malicious traffic.
Last year, Google-owned Mandiant revealed that a China-nexus cyber espionage group tracked as UNC3886 exploited zero-days in Fortinet appliances to deploy THINCRUST and CASTLETAP implants for executing arbitrary commands received from a remote server and exfiltrating sensitive data.