Chinese state-backed hackers targeted and broke into a computer network used by the Dutch armed forces by exploiting a security flaw in Fortinet FortiGate devices. The network, used for unclassified research and development, had fewer than 50 users, and the intrusion caused no damage to the wider defense network. The attackers used a known critical security flaw in FortiOS SSL-VPN to execute arbitrary code and deploy a backdoor called COATHANGER, which grants persistent remote access to the compromised appliances. This is the first time the Netherlands has publicly attributed a cyber espionage campaign to China.
The COATHANGER malware is stealthy and persistent: it hides itself by hooking system calls and survives both reboots and firmware upgrades. It is distinct from another backdoor, BOLDMOVE, which has been deployed through the same security flaw in attacks targeting a European government entity and a managed service provider in Africa. The malware is named after a code snippet that contained a line from a Roald Dahl short story.
This incident comes shortly after US authorities took action to dismantle a botnet used by Chinese threat actors to conceal the origins of malicious traffic. Last year, it was revealed that a China-nexus cyber espionage group exploited zero-day vulnerabilities in Fortinet appliances to deploy THINCRUST and CASTLETAP implants for executing arbitrary commands and exfiltrating sensitive data.
