The Netherlands’ Military Intelligence and Security Service (MIVD) warns that it has discovered a new strain of malware, persistent and difficult to detect, used by the Chinese government against an existing FortiGate flaw and which is part of a broader political espionage campaign .
The new remote access trojan (RAT), called “Coahanger”, was used to spy on the Dutch Ministry and Defense (MOD) in 2023, according to a new consultancy. While responding to the intrusion, Dutch intelligence officials discovered that the malware was being spread through a known FortiGate flaw (CVE-2022-42475).
Fortinet’s FortiGate devices provide network firewall protections.
The report highlights that Coathanger does not exploit a new zero-day exploit and is distributed as second-stage malware. However, the notice added: “The coat hanger may be used in conjunction with any future FortiGate device vulnerabilities.”
Dutch officials explained: “The Coathanger malware is stealthy and persistent. It hides by hooking on system calls that could reveal its presence. It survives reboots and firmware updates.”
Edge devices targeted by cyberattacks
According to Dutch authorities, the Coathanger malware is part of a larger campaign by Chinese state-sponsored threat actors against Internet-facing edge devices, including firewalls, VPN servers, and email servers.
“Chinese threat actors are known to run large and opportunistic scanning campaigns for published (day) and unpublished (0-day) software vulnerabilities on internet-connected (edge) devices,” the advisory warns. “They do this at a high operational tempo, sometimes abusing vulnerabilities the same day they go live.”
Fortinet devices are a popular target for cyberattacks, so companies should stay on top of patches: Just this week, Fortinet reported two major bugs in its solution FortiSIEM required immediate patches.
Recommendations from intelligence analysts in the Netherlands to keep Coathanger at bay also include performing regular risk analysis on peripheral devices, limiting Internet access on peripheral devices, analyzing scheduled recording and replacing of any hardware no longer supported.