Chinese Spies Hack Dutch Networks With Novel Coathanger Malware


Chinese state-backed spies infiltrated Dutch defense networks last year and used novel malware dubbed “Coathanger” in a bid to steal sensitive information, according to the intelligence and security services of the Netherlands.

The country’s Military Intelligence and Security Service (MIVD) and General Intelligence and Security Service (AIVD) revealed in a detailed report yesterday that the initial intrusion began with exploitation of CVE-2022-42475.

Fortinet published a critical advisory for the zero-day vulnerability in December 2022 and warned that it was being exploited by an “advanced actor” in attacks on “governmental or government-related targets.”

Post-exploitation, the Chinese threat actors deployed a new “stealthy and persistent” remote access Trojan (RAT), dubbed Coathanger.

“It hides itself by hooking system calls that could reveal its presence. It survives reboots and firmware upgrades,” the Dutch intelligence report explained.

“MIVD & AIVD assess that use of Coathanger may be relatively targeted. The Chinese threat actor(s) scan for vulnerable edge devices at scale and gain access opportunistically, and likely introduce Coathanger as a communication channel for select victims.”

The report noted that the RAT could be used in combination with any vulnerability exploited on FortiGate devices. In this case, however, Dutch network defenders appear to have foiled the cyber-espionage plot.

“Post compromise, the actor conducted reconnaissance of the R&D network and exfiltrated a list of user accounts from the Active Directory server. The impact of the intrusion was limited because the victim network was segmented from the wider MOD networks,” the report revealed.

The report marks the first time the Netherlands has publicly called out Beijing for state-sponsored hacking. The country is home to the tech giant ASML, which plays a critical role in the global supply chain for advanced chips and has raised the profile of the small northern European nation among certain governments.

Threat Actors Hit the Edge

MIVD and AIVD claimed that the attack is illustrative of a broader trend for threat actors to target edge devices such as VPNs, email…

Source…