The Netherlands’ Military Intelligence and Security Service (MIVD) has issued a warning, revealing a sophisticated new malware strain, dubbed “Coathanger,” orchestrated by the Chinese government. This malware, designed for persistent and stealthy infiltration, exploits an existing vulnerability within FortiGate devices, marking it as a pivotal component of a broader political espionage campaign.
Key Findings
- The newly identified remote access Trojan (RAT), Coathanger, was utilized to clandestinely monitor the Dutch Ministry of Defense (MOD) in 2023.
- Investigations uncovered that the malware leverages a known flaw within FortiGate devices (CVE-2022-42475) to infiltrate targeted systems.
- Coathanger operates as second-stage malware, evading detection by exploiting system call hooks and demonstrating persistence across reboots and firmware updates.
Scope of the Threat
Dutch intelligence highlights that Coathanger is part of a broader cyber campaign orchestrated by Chinese state-sponsored threat actors. Targeting Internet-facing edge devices such as firewalls, VPN servers, and email servers, this campaign underscores the escalating sophistication of nation-state cyber operations.
Operational Tactics
Chinese threat actors exhibit a proactive approach, conducting extensive scanning campaigns to identify both published and unpublished (0-day) vulnerabilities. Their rapid exploitation of vulnerabilities underscores the urgency for robust cybersecurity measures.
Implications for Cybersecurity
- Fortinet devices, including FortiGate, remain prime targets for cyberattacks, necessitating vigilant patch management.
- Recent revelations from Fortinet of two critical vulnerabilities in its FortiSIEM solution further emphasize the imperative for immediate patching.
- Intelligence analysts advocate for comprehensive risk analysis on edge devices, stringent access controls, regular logging analysis, and the retirement of unsupported hardware to mitigate Coathanger’s threat.
Quick FAQ
What is Coathanger?
Coathanger is a newly discovered remote access Trojan (RAT) employed in espionage activities, particularly targeting governmental entities.
How does Coathanger evade detection?
Coathanger employs sophisticated techniques such as system call hooking to conceal its presence and remains persistent across system reboots and firmware upgrades.
What precautions should organizations take?
Organizations are advised to promptly apply patches, conduct regular risk assessments on edge devices, enforce stringent access controls, and retire unsupported hardware to mitigate the risk posed by Coathanger.