Chinese state-backed spies infiltrated Dutch defense networks last year and used novel malware dubbed “Coathanger” in a bid to steal sensitive information, according to the intelligence and security services of the Netherlands.
The country’s Military Intelligence and Security Service (MIVD) and General Intelligence and Security Service (AIVD) revealed in a detailed report yesterday that the initial intrusion began with exploitation of CVE-2022-42475.
Fortinet published a critical advisory for the zero-day vulnerability in December 2022 and warned that it was being exploited by an “advanced actor” in attacks on “governmental or government-related targets.”
Post-exploitation, the Chinese threat actors then used a new “stealthy and persistent” remote access Trojan (RAT), dubbed Coathanger.
“It hides itself by hooking system calls that could reveal its presence. It survives reboots and firmware upgrades,” the Dutch intelligence report explained.
“MIVD & AIVD assess that use of Coathanger may be relatively targeted. The Chinese threat actor(s) scan for vulnerable edge devices at scale and gain access opportunistically, and likely introduce Coathanger as a communication channel for select victims.”
The report noted that the RAT could be used in combination with any vulnerability exploited on FortiGate devices. However, this time, Dutch network defenders appear to have foiled the cyber-espionage plot.
“Post compromise, the actor conducted reconnaissance of the R&D network and exfiltrated a list of user accounts from the Active Directory server. The impact of the intrusion was limited because the victim network was segmented from the wider MOD networks,” the report revealed.
The report marks the first time the Netherlands has publicly called out Beijing for state-sponsored hacking. Notably, the country’s tech giant ASML plays a critical role in the global supply chain for advanced chips, which has raised the profile of the small northern European nation among certain governments.
Threat Actors Hit the Edge
MIVD and AIVD claimed that the attack is illustrative of a broader trend for threat actors to target edge devices such as VPNs, email servers and firewalls, which are connected to the public internet but often not protected by endpoint detection and response (EDR) monitoring.
Recent zero-day attacks on Ivanti devices by China-nexus threat actors bear this point out.
The Dutch intelligence services advised organizations to mitigate edge device threats by:
- Regularly performing a risk analysis on the devices, such as when new functionality is added
- Limiting internet access by disabling unused ports and functionalities, and ensuring the management interface is not accessible from the internet
- Regularly performing analysis of logs to detect anomalous activity, including login attempts at unusual times, unknown IP addresses or unauthorized configuration changes
- Installing the latest vendor security updates as soon as they become available and switching on any security-related functionality made available by suppliers
- Replacing hardware and software that is no longer supported
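One way to put the log-analysis recommendation above into practice, as an added example that is not code from the Dutch report or the article: it flags the three anomalies the services name (logins at unusual times, logins from unknown addresses, and configuration changes by unauthorized users). The key=value log style, the management subnet, the business-hours window and the change-admin list are all assumptions; a real deployment would read the device's actual audit log fields and its own policy.

```python
import re
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed sample lines in a simplified key=value style (an assumption, not a real
# FortiGate log format); timestamps are UTC. Lines 2 and 3 model an off-hours login from an
# unexpected address followed by an admin-account change; lines 1 and 4 are routine.
SAMPLE_LOGS = [
    "date=2024-02-06 time=09:14:02 type=event action=login status=success user=admin srcip=10.0.5.12 ui=ssh",
    "date=2024-02-06 time=03:21:45 type=event action=login status=success user=admin srcip=198.51.100.23 ui=https",
    "date=2024-02-06 time=03:23:10 type=event action=edit cfgpath=system.admin user=admin srcip=198.51.100.23 ui=https",
    "date=2024-02-06 time=11:02:33 type=event action=edit cfgpath=firewall.policy user=netops srcip=10.0.5.40 ui=https",
]

# Assumed local policy: management only from the internal subnet, admin logins only during
# business hours, configuration edits only by the named change admins.
MGMT_NETS = [ip_network("10.0.5.0/24")]
BUSINESS_HOURS = (time(7, 0), time(19, 0))
CHANGE_ADMINS = {"netops"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict (surrounding quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def analyze(lines, mgmt_nets=MGMT_NETS, hours=BUSINESS_HOURS, change_admins=CHANGE_ADMINS):
    """Return (line_number, reason) alerts for the anomalies the report lists."""
    alerts = []
    for n, line in enumerate(lines, start=1):
        ev = parse_line(line)
        src = ip_address(ev["srcip"])
        when = time.fromisoformat(ev["time"])
        if ev.get("action") == "login":
            if not any(src in net for net in mgmt_nets):
                alerts.append((n, f"login from unknown address {src}"))
            if not hours[0] <= when < hours[1]:
                alerts.append((n, f"login at unusual time {ev['time']}"))
        elif ev.get("action") == "edit" and ev.get("user") not in change_admins:
            alerts.append((n, f"config change to {ev['cfgpath']} by unauthorized user {ev['user']}"))
    return alerts


if __name__ == "__main__":
    for n, reason in analyze(SAMPLE_LOGS):
        print(f"line {n}: {reason}")
```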