A Chinese cyber-espionage group breached the Dutch Ministry of Defence last year and deployed malware on compromised devices, according to the Military Intelligence and Security Service of the Netherlands.
Although the attackers backdoored the compromised systems, the impact of the breach was limited because the affected network was segmented from the rest of the ministry's infrastructure.
During the follow-up investigation, a previously unknown malware strain named Coathanger, a remote access trojan built to run on FortiGate network security appliances, was also discovered on the breached network.
The malware is both stealthy and persistent: it hides by hooking the system calls that could reveal its presence, and it survives system reboots and even firmware upgrades.
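As an added example, not code from the article, Fortinet, or the Dutch advisory: the standard way to check an ordinary Linux host for the kind of user-space hooking described above is to list a directory twice, once through libc's opendir()/readdir() (which a preloaded hook library can tamper with) and once through the raw getdents64 syscall, and report any name the kernel returns that libc does not. Nothing here is specific to Coathanger or to FortiOS, whose internals this page does not describe, and it cannot be run on the appliance itself; it only shows the detection principle and only catches libc/LD_PRELOAD-style hiding, not hooks placed in the kernel.

```c
/*
 * Added example, not code from the article or any vendor: detect directory
 * entries hidden by a user-space (libc / LD_PRELOAD) readdir hook by comparing
 * the libc listing against the raw getdents64 syscall. Linux only.
 */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define MAX_NAMES 4096   /* listings longer than this are truncated (assumption for the demo) */
#define NAME_LEN  256

/* Record layout written by getdents64; glibc does not expose this struct publicly. */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

/* List a directory through the raw syscall, bypassing libc. Returns count or -1. */
int list_via_getdents(const char *path, char names[][NAME_LEN], int max) {
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[8192];
    int n = 0;
    for (;;) {
        long nread = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (nread < 0) { close(fd); return -1; }
        if (nread == 0) break;
        for (long pos = 0; pos < nread;) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + pos);
            if (d->d_reclen == 0) break;   /* defensive: never spin on a bad record */
            if (n < max) {
                strncpy(names[n], d->d_name, NAME_LEN - 1);
                names[n][NAME_LEN - 1] = '\0';
                n++;
            }
            pos += d->d_reclen;
        }
    }
    close(fd);
    return n;
}

/* List the same directory through libc, the path a preloaded hook can intercept. */
int list_via_readdir(const char *path, char names[][NAME_LEN], int max) {
    DIR *dir = opendir(path);
    if (!dir) return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(dir)) != NULL) {
        if (n < max) {
            strncpy(names[n], e->d_name, NAME_LEN - 1);
            names[n][NAME_LEN - 1] = '\0';
            n++;
        }
    }
    closedir(dir);
    return n;
}

/*
 * Count names the kernel reports that libc does not. Returns the number of
 * hidden entries (0 means the two views agree) or -1 if either listing failed.
 * Hidden names are printed as they are found.
 */
int count_hidden_entries(const char *path) {
    static char raw[MAX_NAMES][NAME_LEN];
    static char lib[MAX_NAMES][NAME_LEN];
    int nraw = list_via_getdents(path, raw, MAX_NAMES);
    int nlib = list_via_readdir(path, lib, MAX_NAMES);
    if (nraw < 0 || nlib < 0) return -1;
    int hidden = 0;
    for (int i = 0; i < nraw; i++) {
        int seen = 0;
        for (int j = 0; j < nlib; j++) {
            if (strcmp(raw[i], lib[j]) == 0) { seen = 1; break; }
        }
        if (!seen) {
            printf("hidden from readdir(): %s/%s\n", path, raw[i]);
            hidden++;
        }
    }
    return hidden;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : ".";
    int hidden = count_hidden_entries(path);
    if (hidden < 0) { perror(path); return 2; }
    printf("%s: %d entries hidden from libc\n", path, hidden);
    return hidden > 0 ? 1 : 0;
}
```

Run it against the directories an implant would most plausibly live in (library and binary directories, writable data partitions); a non-zero result means something answers the kernel but not libc, which on a clean system never happens. A statically linked scanner is harder to hook than this dynamically linked one, and a kernel-level hook would show the same list on both paths, so a clean result rules out only the user-space variant.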
While the attacks were not attributed to a specific named threat group, MIVD assessed with high confidence that a Chinese state-sponsored actor was responsible and added that the activity is part of a broader pattern of Chinese political espionage targeting the Netherlands and its allies.
The hackers deployed Coathanger for cyber espionage on FortiGate firewalls they compromised by exploiting CVE-2022-42475, a heap-based buffer overflow in the FortiOS SSL-VPN component.
Fortinet disclosed in January 2023 that CVE-2022-42475 had also been exploited as a zero-day in attacks on government organizations and related targets.
The campaign also closely resembles another Chinese hacking operation that targeted unpatched SonicWall Secure Mobile Access appliances with cyber-espionage malware likewise designed to survive firmware upgrades.
Organizations are urged to apply vendor security patches to all internet-facing devices as soon as they become available to prevent similar attacks. Because Coathanger survives firmware upgrades, patching alone does not remove an implant that is already present; devices that were exposed while vulnerable should be checked for compromise rather than simply updated.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 06 Feb 2024 18:50:20 +0000