Chinese Hackers Exploited FortiGate Flaw to Breach Dutch Military Network

By neub9

Feb 07, 2024


Cyber Espionage / Network Security

Chinese state-backed hackers breached the Dutch armed forces’ computer network by targeting Fortinet FortiGate devices.

“This [computer network] was used for unclassified research and development (R&D),” the Dutch Military Intelligence and Security Service (MIVD) stated.
“Because this system was self-contained, it did not lead to any damage to the defense network.” The network had fewer than 50 users.

The intrusion, which occurred in 2023, exploited a known critical security flaw in FortiOS SSL-VPN (CVE-2022-42475, CVSS score: 9.3) that allows an unauthenticated attacker to execute arbitrary code via specially crafted requests.

Successful exploitation of the flaw enabled the deployment of a backdoor dubbed COATHANGER from an actor-controlled server, designed to grant persistent remote access to the compromised appliances.

The Dutch National Cyber Security Centre (NCSC) said, “The COATHANGER malware is stealthy and persistent. It hides itself by hooking system calls that could reveal its presence. It survives reboots and firmware upgrades.”

COATHANGER is distinct from BOLDMOVE, another backdoor linked to a suspected China-based threat actor that exploited CVE-2022-42475 in attacks targeting a European government entity and a managed service provider (MSP) in Africa as early as October 2022.

This development marks the first time the Netherlands has publicly attributed a cyber espionage campaign to China. Reuters, which broke the story, said the malware is named after a code snippet that contained a line from Lamb to the Slaughter, a short story by British author Roald Dahl.

It also comes after U.S. authorities dismantled a botnet comprising out-of-date Cisco and NetGear routers used by Chinese threat actors like Volt Typhoon to conceal the origins of malicious traffic.

Last year, Google-owned Mandiant revealed that a China-nexus cyber espionage group tracked as UNC3886 exploited zero-days in Fortinet appliances to deploy THINCRUST and CASTLETAP implants for executing arbitrary commands received from a remote server and exfiltrating sensitive data.
