Chinese hackers breached a computer network of the Dutch armed forces by compromising Fortinet FortiGate devices.
According to a statement from the Dutch Military Intelligence and Security Service (MIVD), "This computer network was used for unclassified research and development (R&D). Because this system was self-contained, it did not cause any damage to the defense network." The MIVD added that "the network had fewer than 50 users."
The 2023 intrusion exploited a known critical vulnerability in FortiOS SSL-VPN (CVE-2022-42475, CVSS score: 9.3), a heap-based buffer overflow that lets an unauthenticated attacker execute arbitrary code via specially crafted requests.
Successful exploitation is followed by the delivery of a backdoor dubbed COATHANGER from an actor-controlled server. The implant is designed to give the attacker persistent remote access to the compromised appliance.
The Dutch National Cyber Security Centre (NCSC) stated that "the COATHANGER malware is stealthy and persistent." It hides itself by hooking the system calls that would otherwise reveal its presence, and it survives both reboots and firmware upgrades.
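The hooking technique described above is the reason a single on-box listing cannot be trusted: whatever the hook filters is simply absent from that view. The practical check is a cross-view comparison, collecting the same information through two independent paths and diffing them. The following is an added example of that principle on a generic Linux host; it is not COATHANGER code, not code from the NCSC advisory, and not FortiGate-specific. The `ps` output and the two `/proc` listings are constructed sample inputs, and the names `pids_from_ps`, `pids_from_proc` and `hidden_pids` are this example's own.

```python
"""Cross-view detection of hidden processes (added example, not the article's code).

Principle: a hook that filters what `ps` sees by intercepting library or
system calls often leaves a second, independent view (here the numeric
entries of /proc) untouched. Diffing the two views, across repeated samples
so that processes which exit in between are not flagged, surfaces entries
one view is hiding.
"""
from __future__ import annotations

import re

# --- constructed sample inputs (hypothetical, not captured from a real host) ---
PS_OUTPUT = """\
  PID TTY          TIME CMD
    1 ?        00:00:03 init
  417 ?        00:00:00 sshd
  932 ?        00:00:12 sslvpnd
 1203 ?        00:00:00 sh
"""

# Two consecutive listings of /proc. PID 1203 exits between them and PID 1410
# starts; PID 1337 is present both times but absent from the ps view above.
PROC_SNAPSHOT_1 = ["1", "417", "932", "1203", "1337", "self", "cpuinfo", "meminfo"]
PROC_SNAPSHOT_2 = ["1", "417", "932", "1337", "self", "cpuinfo", "meminfo", "1410"]


def pids_from_ps(text: str) -> set[int]:
    """Extract PIDs from `ps` output; the header row is skipped."""
    pids: set[int] = set()
    for line in text.splitlines()[1:]:
        m = re.match(r"\s*(\d+)\s", line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def pids_from_proc(entries: list[str]) -> set[int]:
    """Numeric directory names under /proc correspond to live PIDs."""
    return {int(e) for e in entries if e.isdigit()}


def hidden_pids(ps_text: str, proc_snapshots: list[list[str]]) -> set[int]:
    """PIDs present in every /proc snapshot but missing from the ps view.

    Requiring presence in all snapshots filters out short-lived processes
    that started or exited between samples, the usual false positive of a
    naive single-shot comparison.
    """
    if not proc_snapshots:
        return set()
    stable = set.intersection(*(pids_from_proc(s) for s in proc_snapshots))
    return stable - pids_from_ps(ps_text)


if __name__ == "__main__":
    for pid in sorted(hidden_pids(PS_OUTPUT, [PROC_SNAPSHOT_1, PROC_SNAPSHOT_2])):
        print(f"PID {pid} visible in /proc but not in ps: possible hidden process")
```

The limitation matters as much as the check: a hook placed below both views (in the kernel, or in a library both tools share) hides from both, so the comparison has to be paired with evidence gathered off the box, such as network telemetry or a forensic image of the filesystem taken from a separate system.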
COATHANGER is distinct from BOLDMOVE, another backdoor attributed to a suspected China-based threat actor that exploited CVE-2022-42475 as a zero-day as early as October 2022 to target a European government entity and a managed service provider (MSP) based in Africa.
This is the first time the Netherlands has publicly attributed a cyber espionage campaign to China. Reuters, which first reported the story, noted that the malware takes its name from a string in its code containing a line from British author Roald Dahl's short story "Lamb to the Slaughter."
The disclosure also comes as US officials moved to dismantle a botnet of end-of-life Cisco and NetGear routers that Chinese threat actors, including Volt Typhoon, used to conceal the origin of their malicious traffic.
Last year, Google-owned Mandiant revealed that a China-linked cyber espionage group tracked as UNC3886 had exploited zero-day vulnerabilities in Fortinet appliances to deploy the THINCRUST and CASTLETAP implants, which allow the operators to execute arbitrary commands received from a remote server and exfiltrate sensitive data.