Tag Archive for: Dutch

Chinese Hackers Exploited FortiGate Flaw to Breach Dutch Military Network


Feb 07, 2024 | Newsroom | Cyber Espionage / Network Security

Chinese state-backed hackers broke into a computer network that’s used by the Dutch armed forces by targeting Fortinet FortiGate devices.

“This [computer network] was used for unclassified research and development (R&D),” the Dutch Military Intelligence and Security Service (MIVD) said in a statement. “Because this system was self-contained, it did not lead to any damage to the defense network.” The network had fewer than 50 users.

The intrusion, which took place in 2023, leveraged a known critical security flaw in FortiOS SSL-VPN (CVE-2022-42475, CVSS score: 9.3) that allows an unauthenticated attacker to execute arbitrary code via specially crafted requests.

Successful exploitation of the flaw paved the way for the deployment of a backdoor dubbed COATHANGER from an actor-controlled server that’s designed to grant persistent remote access to the compromised appliances.

“The COATHANGER malware is stealthy and persistent,” the Dutch National Cyber Security Centre (NCSC) said. “It hides itself by hooking system calls that could reveal its presence. It survives reboots and firmware upgrades.”

COATHANGER is distinct from BOLDMOVE, another backdoor linked to a suspected China-based threat actor that’s known to have exploited CVE-2022-42475 as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa as early as October 2022.

The development marks the first time the Netherlands has publicly attributed a cyber espionage campaign to China. Reuters, which broke the story, said the malware is named after a code snippet that contained a line from Lamb to the Slaughter, a short story by British author Roald Dahl.

It also arrives days after U.S. authorities took steps to dismantle a botnet comprising out-of-date Cisco and NETGEAR routers that were used by Chinese threat actors like Volt Typhoon to conceal the origins of malicious traffic.

Last year, Google-owned Mandiant revealed that a China-nexus cyber espionage group tracked as UNC3886 exploited zero-days in Fortinet appliances to deploy THINCRUST and CASTLETAP implants for executing arbitrary commands received from a…

Chinese Spies Hack Dutch Networks With Novel Coathanger Malware


Chinese state-backed spies infiltrated Dutch defense networks last year and used novel malware dubbed “Coathanger” in a bid to steal sensitive information, according to the intelligence and security services of the Netherlands.

The country’s Military Intelligence and Security Service (MIVD) and General Intelligence and Security Service (AIVD) revealed in a detailed report yesterday that the initial intrusion began with exploitation of CVE-2022-42475.

Fortinet published a critical advisory for the zero-day vulnerability in December 2022 and warned that it was being exploited by an “advanced actor” in attacks on “governmental or government-related targets.”

Post-exploitation, the Chinese threat actors used a new “stealthy and persistent” remote access Trojan (RAT), dubbed Coathanger.

“It hides itself by hooking system calls that could reveal its presence. It survives reboots and firmware upgrades,” the Dutch intelligence report explained.

“MIVD & AIVD assess that use of Coathanger may be relatively targeted. The Chinese threat actor(s) scan for vulnerable edge devices at scale and gain access opportunistically, and likely introduce Coathanger as a communication channel for select victims.”

The report noted that the RAT could be used in combination with any vulnerability exploited on FortiGate devices. However, this time, Dutch network defenders appear to have foiled the cyber-espionage plot.

“Post compromise, the actor conducted reconnaissance of the R&D network and exfiltrated a list of user accounts from the Active Directory server. The impact of the intrusion was limited because the victim network was segmented from the wider MOD networks,” the report revealed.

The report is the first time the Netherlands has publicly called out Beijing for state-sponsored hacking. However, the country’s tech giant ASML plays a critical role in the global supply chain for advanced chips, which has raised the profile of the small northern European nation among certain governments.

Threat Actors Hit the Edge

MIVD and AIVD claimed that the attack is illustrative of a broader trend for threat actors to target edge devices such as VPNs, email…

China Slams ‘Groundless’ Dutch Hacking Claims


Dutch Police Arrest 3 Hackers Involved in Massive Data Theft and Extortion Scheme


Feb 27, 2023 | Ravie Lakshmanan

The Dutch police announced the arrest of three individuals in connection with a “large-scale” criminal operation involving data theft, extortion, and money laundering.

The suspects include two 21-year-old men from Zandvoort and Rotterdam and an 18-year-old man without a permanent residence. The arrests were made on January 23, 2023.

It’s estimated that the hackers stole personal data belonging to tens of millions of individuals. This comprised names, addresses, telephone numbers, dates of birth, bank account numbers, credit cards, passwords, license plates, social security numbers, and passport details.

The Politie said its cybercrime team started the investigation nearly two years ago, in March 2021, after a large Dutch company suffered a security breach.

The name of the company was not disclosed but some of the firms that were hit by a cyber attack around that time included RDC, Shell, and Ticketcounter, the last of which was also a victim of an extortion attempt.

“During the course of the investigation, it has become clear that thousands of small and large companies and institutions, both national and international, have fallen victim to computer intrusion (hacking) in recent years, followed by theft and handling of data,” the agency said.

The attack spree targeted a wide range of industry verticals spanning catering, training institutes, e-commerce, software, social media, and critical infrastructure.

Describing it as a “sophisticated” operation, the Politie said the threat actors demanded a Bitcoin payment from the affected companies and threatened to publish the stolen information online or destroy the digital infrastructure, racking up millions in damages.

The ransom demanded per company is said to have ranged anywhere between €100,000 and €700,000. To make matters worse, the suspects ended up selling the data despite the companies paying up.

The sensitive nature of the plundered information means that it could be used to carry out social engineering attacks and various kinds of fraudulent activities.

“Data theft and data trading is a huge revenue model for criminals,” the Politie warned. “Not just by extorting companies. The…
