Beijing Used FortiGate Vulnerability to Install Trojan
Chinese state-backed hackers penetrated a Dutch military network in early 2023, gaining initial access by exploiting a vulnerability in the SSL-VPN component of a Fortinet FortiGate appliance, a flaw that had been exploited as a zero-day before Fortinet patched it, Netherlands intelligence agencies disclosed Tuesday.
The agencies said the impact was limited to a segmented network of fewer than 50 users working on unclassified research and development with two third-party institutes.
The Military Intelligence and Security Service and General Intelligence and Security Service attributed the hacking to Chinese state actors with high confidence. The threat actor conducted reconnaissance of the network and stole a list of user accounts from the Active Directory server.
The malware the hackers used for persistence, which survives both system reboots and firmware upgrades, appears to have been purpose-built for FortiGate firewall appliances. The vulnerability used for initial access, tracked as CVE-2022-42475, is a flaw in the FortiGate SSL-VPN that Fortinet patched in December 2022 after it had already been exploited in the wild. Around that time, researchers had already warned that likely Chinese hackers were exploiting the flaw, although the Dutch advisory appears to be the first public attribution that directly connects the activity to Beijing (see: Fortinet VPN Flaw Shows Pitfalls of Security Appliances).
A 2022 Dutch intelligence annual threat assessment calls China “the greatest threat to the Netherlands’ economic security.” Just days ago, U.S. authorities said they had disrupted a Chinese-controlled botnet used to target critical infrastructure (see: Here’s How the FBI Stopped a Major Chinese Hacking Campaign).
Chinese penetration of the Dutch system was likely opportunistic, the agencies wrote: Chinese actors scan internet-facing edge devices at scale and then deploy their bespoke backdoor only on selected victims.
“Chinese threat actors are known to perform wide and opportunistic scanning campaigns on internet-facing edge devices,” the Dutch NCSC said. “They do so with a high operational tempo, sometimes abusing vulnerabilities on the day they are published.”
The agencies dubbed the backdoor “Coathanger” after finding the “particular phrase that the malware used to encrypt the configuration on disk: ‘She took his coat and hung it up.’”
Because Coathanger survives reboots by injecting a backup of itself into the process responsible for rebooting the system, and also survives firmware upgrades, a FortiGate device that is now fully patched may still be infected if it was compromised before the patch was applied. The agencies say removing Coathanger from an infected system requires formatting the device, reinstalling the firmware and reconfiguring it.
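Patched is not the same as clean. As an added example (not from the Dutch advisory, Fortinet or this article), the following Python triage helper parses the FortiOS version from the `Version:` line of a FortiGate's `get system status` output, compares it with the first fixed release on each branch for CVE-2022-42475, and marks any device that ever ran an affected build with its SSL-VPN reachable from the internet for a rebuild (format, reinstall, reconfigure) rather than a plain upgrade. The fixed-version table is assumed from Fortinet's advisory FG-IR-22-398 and should be re-checked against the current advisory; the inventory records, including their build strings, are constructed sample data.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# First fixed FortiOS release per branch for CVE-2022-42475. Assumed from
# Fortinet PSIRT advisory FG-IR-22-398; confirm before relying on it.
FIXED_IN: dict[tuple[int, int], tuple[int, int, int]] = {
    (7, 2): (7, 2, 3),
    (7, 0): (7, 0, 9),
    (6, 4): (6, 4, 11),
    (6, 2): (6, 2, 12),
    (6, 0): (6, 0, 16),
}

_VER_RE = re.compile(r"\bv(\d+)\.(\d+)\.(\d+)")


def parse_fortios_version(status_line: str) -> tuple[int, int, int]:
    """Return (major, minor, patch) from a `get system status` Version line,
    e.g. 'Version: FortiGate-100F v7.0.8,build0418,221109 (GA)'."""
    m = _VER_RE.search(status_line)
    if not m:
        raise ValueError(f"no FortiOS version found in: {status_line!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected(version: tuple[int, int, int]) -> bool:
    """True if the version sits below the fix on a branch the advisory lists.
    Branches not in the table (e.g. 7.4) are treated as unaffected."""
    fix = FIXED_IN.get(version[:2])
    return fix is not None and version < fix


@dataclass
class Device:
    name: str
    # Version lines observed over the device's life, oldest first.
    version_lines: list[str]
    # Was the SSL-VPN listener reachable from the internet while those ran?
    sslvpn_internet_exposed: bool


def triage(dev: Device) -> str:
    """'rebuild' if the device may already carry an implant that an upgrade
    will not remove, 'upgrade' if it is vulnerable but was never exposed,
    otherwise 'ok'."""
    if not dev.version_lines:
        raise ValueError(f"{dev.name}: no version history")
    versions = [parse_fortios_version(line) for line in dev.version_lines]
    ever_affected = any(is_affected(v) for v in versions)
    if ever_affected and dev.sslvpn_internet_exposed:
        # Patching now does not help: format, reinstall a fixed release and
        # reconfigure from a known-good configuration.
        return "rebuild"
    if is_affected(versions[-1]):
        return "upgrade"
    return "ok"


# Constructed inventory; build strings are illustrative, not real releases.
INVENTORY = [
    Device("fw-edge-1",
           ["Version: FortiGate-100F v7.0.8,build0418,221109 (GA)",
            "Version: FortiGate-100F v7.0.12,build0523,230414 (GA)"],
           sslvpn_internet_exposed=True),
    Device("fw-lab-2",
           ["Version: FortiGate-60F v6.4.10,build2410,221108 (GA)"],
           sslvpn_internet_exposed=False),
    Device("fw-edge-3",
           ["Version: FortiGate-200F v7.2.5,build1517,230627 (GA)"],
           sslvpn_internet_exposed=True),
]


def triage_inventory(devices: list[Device]) -> dict[str, str]:
    return {d.name: triage(d) for d in devices}


if __name__ == "__main__":
    for name, verdict in triage_inventory(INVENTORY).items():
        print(f"{name}: {verdict}")
```

The key point the script encodes is in `triage`: fw-edge-1 is on a fixed release today, yet because it sat on 7.0.8 with SSL-VPN exposed it is flagged for a rebuild, while fw-lab-2 on an affected build that was never reachable only needs an upgrade. Version history here comes from inline records; in practice it would be pulled from backups, change tickets or FortiManager logs.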
Coathanger is distinct from a contemporaneous backdoor spotted by researchers at threat intelligence firm Mandiant.
Dutch intelligence said the agencies found the Coathanger backdoor previously deployed on the network of an unidentified Western diplomatic representative “as well as a handful of other victims.”
The Netherlands' Joint Sigint Cyber Unit has published indicators of compromise on its GitHub page.