Security News > 2024 > February > Chinese Coathanger malware hung out to dry by Dutch defense department
Dutch authorities are lifting the curtain on an attempted cyberattack last year at its Ministry of Defense, blaming Chinese state-sponsored attackers for the espionage-focused intrusion.
Specialists from the Netherlands' Military Intelligence and Security Service and the General Intelligence and Security Service were called in to investigate an intrusion at an MOD network last year, uncovering a previously unseen malware they're calling Coathanger.
In the cybersecurity advisory published today, authorities said the malware was highly stealthy and difficult to detect using default FortiGate CLI commands, since Coathanger hooks most system calls that could identify it as malicious.
"For the first time, the MIVD has chosen to make public a technical report on the working methods of Chinese hackers. It is important to attribute such espionage activities by China," said defense minister Kajsa Ollongren in an automatically translated statement.
The advisory also noted that Dutch authorities had previously spotted Coathanger present on other victims' networks too, prior to the incident at the MOD. As for attribution, MIVD and AIVD said they can pin Coathanger to Chinese state-sponsored attackers with "High confidence."
The attackers responsible for the attack were known for conducting "Wide and opportunistic" scans for exposed FortiGate appliances vulnerable to CVE-2022-42475 and then exploiting it using an obfuscated connection.
News URL
https://go.theregister.com/feed/www.theregister.com/2024/02/06/dutch_defense_china_cyberattack/
Related news
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-01-02 | CVE-2022-42475 | Out-of-bounds Write vulnerability in Fortinet Fortios A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. | 9.8 |