Chinese hackers exploited the FortiGate flaw to breach the Dutch military network

07 February 2024PressroomCyber ​​espionage/network security

Dutch military network

State-backed Chinese hackers have broken into a computer network used by the Dutch military by targeting Fortinet FortiGate devices.

“This [computer network] was used for unclassified research and development (R&D),” the Dutch Military Intelligence and Security Service (MIVD) said in a statement. “As this system was autonomous, it did not cause any damage to the defense network.” The network had fewer than 50 users.

The intrusion, which occurred in 2023, exploited a known critical security flaw in FortiOS SSL-VPN (CVE-2022-42475, CVSS Score: 9.3) that allows an unauthenticated attacker to execute arbitrary code via specially crafted requests prepared.

Cyber ​​security

Successful exploitation of the flaw paved the way for the implementation of a backdoor called COATHANGER by an actor-controlled server designed to grant persistent remote access to compromised appliances.

“The COATHANGER malware is stealthy and persistent,” the Dutch National Center for Cyber ​​Security (NCSC) said. “It hides by latching onto system calls that might reveal its presence. It survives reboots and firmware updates.”

COATHANGER is different from BOLDMOVE, another backdoor linked to a suspected China-based threat actor known for exploiting CVE-2022-42475 as a zero-day in attacks against a European government agency and a managed service provider (MSP) located in Africa as early as October 2022.

This development marks the first time the Netherlands has publicly attributed a cyber espionage campaign to China. Reuters, which broke the news, said the malware takes its name from a code snippet that contained a line from Lamb to the slaughtera short story by British author Roald Dahl.

Cyber ​​security

It also comes days after US authorities took steps to dismantle a botnet comprising outdated Cisco and NetGear routers used by Chinese threat actors such as Volt Typhoon to hide the origins of malicious traffic.

Last year, Google-owned Mandiant disclosed that a cyber espionage group with Chinese nexus traced as UNC3886 exploited zero-days in Fortinet equipment to deploy THINCRUST and CASTLETAP implants to execute arbitrary commands received from a remote server and exfiltration of sensitive data.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read the most exclusive content we publish.

Source link

Leave a Reply

Your email address will not be published. Required fields are marked *