Search This Blog

Powered by Blogger.

Blog Archive

Labels

China Caught Deploying Remote Access Trojan Tailored for FortiGate Devices

Coathanger operates as a second-stage malware and does not exploit any novel vulnerabilities.

 

The Military Intelligence and Security Service (MIVD) of the Netherlands has issued a warning regarding the discovery of a new strain of malware believed to be orchestrated by the Chinese government. Named "Coathanger," this persistent and highly elusive malware has been identified as part of a broader political espionage agenda, targeting vulnerabilities in FortiGate devices.

In a recent advisory, MIVD disclosed that Coathanger was employed in espionage activities aimed at the Dutch Ministry of Defense (MOD) in 2023. Investigations into the breach revealed that the malware exploited a known flaw in FortiGate devices, specifically CVE-2022-42475.
Coathanger operates as a second-stage malware and does not exploit any novel vulnerabilities. 
Unlike some malware that relies on new, undisclosed vulnerabilities (zero-day exploits), Coathanger operates as a second-stage malware and does not exploit any novel vulnerabilities. However, the advisory emphasizes that it could potentially be used in conjunction with future vulnerabilities in FortiGate devices.

Described as stealthy and resilient, Coathanger evades detection by concealing itself through sophisticated methods, such as hooking system calls to evade detection. It possesses the capability to survive system reboots and firmware upgrades, making it particularly challenging to eradicate.

According to Dutch authorities, Coathanger is just one component of a larger-scale cyber espionage campaign orchestrated by Chinese state-sponsored threat actors. These actors target various internet-facing edge devices, including firewalls, VPN servers, and email servers.

The advisory issued by Dutch intelligence underscores the aggressive scanning tactics employed by Chinese threat actors, who actively seek out both disclosed and undisclosed vulnerabilities in edge devices. It warns of their rapid exploitation of vulnerabilities, sometimes within the same day they are made public.

Given the popularity of Fortinet devices as cyberattack targets, businesses are urged to prioritize patch management. Recent reports from Fortinet highlighted the discovery of two critical vulnerabilities in its FortiSIEM solution, emphasizing the importance of prompt patching.

To mitigate the risk posed by Coathanger and similar threats, intelligence analysts recommend conducting regular risk assessments on edge devices, restricting internet access on these devices, implementing scheduled logging analysis, and replacing any hardware that is no longer supported.
Share it:

China

Cyber Security

Cyber Threats

Cybersecurity

Dutch intelligence

espionage

FortiGate devices

Malware Detection

RAT

Threat actors

Vulnerability management