Chinese Coathanger malware hung out to dry by Dutch defense department


Dutch authorities are lifting the curtain on an attempted cyberattack last year at its Ministry of Defense (MoD), blaming Chinese state-sponsored attackers for the espionage-focused intrusion.

Specialists from the Netherlands' Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) were called in to investigate an intrusion at an MoD network last year, uncovering a previously unseen malware they're calling Coathanger.

The name, authorities said, was conjured up based on the "peculiar phrase" displayed by the malware when encrypting the configuration on disk: "She took his coat and hung it up."

A deep dive into Coathanger's code revealed the remote access trojan (RAT) was purpose-built for Fortinet's FortiGate next-generation firewalls (NGFWs) and the initial access to the MoD's network was gained through exploiting CVE-2022-42475.

According to the MIVD and AIVD, the RAT operates outside of traditional detection measures and acts as a second-stage malware, primarily to establish persistent access for attackers, surviving reboots and firmware upgrades.

Even fully patched FortiGate devices could still have Coathanger installed if they were compromised before upgrading.

In the cybersecurity advisory published today, authorities said the malware was highly stealthy and difficult to detect using default FortiGate CLI commands, since Coathanger hooks most system calls that could identify it as malicious.

They also made clear that Coathanger is distinctly different from BOLDMOVE, another RAT targeting FortiGate appliances.

"For the first time, the MIVD has chosen to make public a technical report on the working methods of Chinese hackers. It is important to attribute such espionage activities by China," said defense minister Kajsa Ollongren in an automatically translated statement. "In this way, we increase international resilience against this type of cyber espionage."

The advisory also noted that Dutch authorities had previously spotted Coathanger present on other victims' networks too, prior to the incident at the MoD.

As for attribution, MIVD and AIVD said they can pin Coathanger to Chinese state-sponsored attackers with "high confidence."

"MIVD and AIVD emphasize that this incident does not stand on its own, but is part of a wider trend of Chinese political espionage against the Netherlands and its allies," the advisory reads.


The attackers responsible for the attack were known for conducting "wide and opportunistic" scans for exposed FortiGate appliances vulnerable to CVE-2022-42475 and then exploiting it using an obfuscated connection.

After gaining an initial foothold inside the network, which was used by the MoD's research and development division, the attackers performed reconnaissance and stole a list of user accounts from the Active Directory server.

Not much else was said about the attacker's activity, other than the fact that the overall impact of the intrusion was limited thanks to the MoD's network segmentation.

For those worried about whether Chinese cyberspies are lurking in their firewall, the Joint Signal Cyber Unit of the Netherlands (JCSU-NL) published a full list of indicators of compromise (IOCs) and various detection methods on its GitHub page.

The collection of materials includes YARA rules, a JA3 hash, CLI commands, file checksums, and more. The authorities said each detection method should be seen as independent and used together, since some focus on generic IOCs and others were developed to spot Coathanger activity specifically.

If there is evidence of compromise, it's possible other hosts that are reachable by the FortiGate device are also compromised. There is also an increased likelihood that attackers may perform hands-on-keyboard attacks.

Affected users should isolate their device immediately, collect and review logs, and consider calling in third-party digital forensics specialists, the advisory reads. Victims should also inform their country's cybersecurity authority: NCSC, CISA, etc.

The only way to remove Coathanger from an infected device is to completely reformat the device, before reinstalling and reconfiguring it.
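The detection and response guidance above (independent methods run together, a single hit meaning isolation and suspicion of reachable hosts), as an added Python example that is not from the advisory or the JCSU-NL repository; the indicator values, file paths and the phrase-on-disk search are constructed placeholders or assumptions, and the real IOCs must be substituted from the published materials.

```python
import hashlib
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Indicators:
    # Real values come from the JCSU-NL GitHub page; demo() uses constructed ones.
    file_sha256: frozenset
    ja3: frozenset
    phrase: bytes = b"She took his coat and hung it up"

@dataclass
class Evidence:
    # Constructed snapshot taken from an offline image: the live CLI is not trusted
    # because the advisory says Coathanger hooks the system calls it relies on.
    files: dict          # path -> raw bytes
    ja3_seen: frozenset  # TLS client fingerprints captured at the network edge
    config_blob: bytes   # on-disk configuration area

def check_checksums(ev, ioc):
    # Generic IOC method: file hashes against the published list.
    return sorted(p for p, b in ev.files.items()
                  if hashlib.sha256(b).hexdigest() in ioc.file_sha256)

def check_ja3(ev, ioc):
    # Network-side method, independent of anything running on the device.
    return sorted(ev.ja3_seen & ioc.ja3)

def check_phrase(ev, ioc):
    # Coathanger-specific method (assumed here): search config for the phrase.
    return [m.start() for m in re.finditer(re.escape(ioc.phrase), ev.config_blob)]

METHODS = {"file_checksum": check_checksums, "ja3": check_ja3,
           "coathanger_phrase": check_phrase}

def triage(ev, ioc):
    # Every method runs; a negative from one method never clears the device.
    hits = {name: found for name, fn in METHODS.items() if (found := fn(ev, ioc))}
    action = ("isolate device, collect logs, treat reachable hosts as suspect"
              if hits else "no hit from these methods; not proof of absence")
    return {"compromised": bool(hits), "hits": hits, "action": action}

def demo():
    # Constructed sample: one planted file, one matching JA3, phrase in config.
    planted = b"constructed sample payload"
    ioc = Indicators(file_sha256=frozenset({hashlib.sha256(planted).hexdigest()}),
                     ja3=frozenset({"constructed-ja3-fingerprint"}))
    ev = Evidence(files={"/data/constructed_sample.bin": planted, "/bin/init": b"ok"},
                  ja3_seen=frozenset({"constructed-ja3-fingerprint", "benign-ja3"}),
                  config_blob=b"...She took his coat and hung it up...")
    return triage(ev, ioc)
```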

Whiffs of China's involvement in CVE-2022-42475 exploits have long been suspected, but for the first time they're confirmed today.

First disclosed in December 2022, a month later Fortinet said it was aware that the vulnerability was tied to the breach of a government or government-related organization that had been infected with custom-made malware.

At the time, no fingers were officially pointed, other than the fact that this custom malware was compiled on a machine in the UTC+8 timezone, so realistically it was probably going to be either China or Russia.

China was also accused of being behind exploits of a separate Fortinet bug in March, again using bespoke malware for the purposes of cyber espionage. ®