Chinese Spies Hack Dutch Networks With Novel Coathanger Malware

A new report from the Dutch Military Intelligence and Security Service (MIVD) details a campaign that took place last year, in which Chinese state-backed actors infiltrated Dutch defense networks and stole sensitive information. The actors gained initial access by exploiting a zero-day flaw in FortiOS SSL-VPN that was disclosed in December 2022, then deployed a stealthy remote access Trojan dubbed Coathanger, which hides itself by hooking system calls and survives reboots and firmware upgrades. MIVD says the cyber-espionage attempt was contained and its impact limited because the victim environment was properly segmented.

Security Officer Comments:
The latest report points to a trend of actors targeting edge devices such as VPNs, email servers, and firewalls, which are commonly exposed to the internet and not properly segmented. Recently, actors have exploited a set of zero-days in Ivanti Connect Secure and Policy Secure gateways to compromise VPN appliances and deploy malicious backdoors for persistent access. Although patches have been released, many publicly facing instances have yet to receive them, leaving them open to opportunistic attacks.

Suggested Corrections:
The Dutch intelligence services advised organizations to mitigate edge device threats by:

  • Regularly perform a risk analysis on edge devices, for example whenever functionality is added.
  • Limit internet access from edge devices by disabling unused ports and functionalities. In addition, do not make the management interface accessible from the Internet.
  • Regularly analyze logs to detect anomalous activity, including login attempts at unusual times, logins from unknown (foreign) IP addresses, and unauthorized configuration changes. Forward logs to a secure, separate environment so that their integrity is guaranteed.
  • Install the latest security updates as soon as possible when they are made available by the vendor. In addition, take advantage of possible additional protection measures made available by suppliers.
  • Replace hardware and software that is no longer supported by the supplier.
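As an added illustration of the log-analysis recommendation above (not code from the MIVD report or from any vendor), the script below runs three simple anomaly rules over constructed appliance-style log lines: successful logins outside business hours, logins from addresses outside trusted management ranges, and configuration changes by accounts not approved to make them. The key=value log format, the hours, the trusted networks and the approved-account list are all assumptions for the example and would be tuned per environment.

```python
"""Flag the anomalous edge-device log events the MIVD advice calls out.

The log format below is constructed for this example (key=value pairs per
line, in the spirit of appliance syslog); it is not a real FortiOS format.
Run it against logs already forwarded to a separate collector, not on the
appliance itself, so the analysis does not depend on the device's integrity.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not captured from any real appliance).
SAMPLE_LOGS = """\
time=2024-01-15T09:12:04Z action=login user=jdoe srcip=10.20.30.5 status=success
time=2024-01-15T03:41:19Z action=login user=admin srcip=203.0.113.77 status=success
time=2024-01-15T11:05:52Z action=login user=svc_backup srcip=10.20.31.9 status=failure
time=2024-01-15T03:43:02Z action=config_change user=admin object=ssl-vpn.settings
time=2024-01-15T14:22:10Z action=config_change user=netops object=firewall.policy
"""

# Assumed baseline for the checks; every environment sets its own.
BUSINESS_HOURS = range(7, 20)                  # 07:00-19:59 UTC is "normal"
TRUSTED_NETS = [ip_network("10.20.0.0/16")]    # internal management ranges
CHANGE_APPROVED = {"netops"}                   # accounts allowed to change config


def parse_line(line):
    """Split 'k=v k=v ...' into a dict (values contain no spaces here)."""
    return dict(field.split("=", 1) for field in line.split())


def flag_events(raw_logs):
    """Return (line_no, reason) for every event matching an anomaly rule."""
    findings = []
    for n, line in enumerate(raw_logs.splitlines(), start=1):
        ev = parse_line(line)
        ts = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
        if ev["action"] == "login" and ev.get("status") == "success":
            if ts.hour not in BUSINESS_HOURS:
                findings.append((n, f"login by {ev['user']} outside business hours ({ts:%H:%M}Z)"))
            src = ip_address(ev["srcip"])
            if not any(src in net for net in TRUSTED_NETS):
                findings.append((n, f"login by {ev['user']} from untrusted address {src}"))
        elif ev["action"] == "config_change" and ev["user"] not in CHANGE_APPROVED:
            findings.append((n, f"config change to {ev['object']} by unapproved account {ev['user']}"))
    return findings


if __name__ == "__main__":
    for line_no, reason in flag_events(SAMPLE_LOGS):
        print(f"line {line_no}: {reason}")
```

On the sample input this reports the two anomalies on line 2 (off-hours login from an address outside the trusted range) and the unapproved configuration change on line 4; the failed login on line 3 is left to a separate brute-force rule.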