Chinese Coathanger malware hung out to dry by Dutch defense department

Chinese Coathanger malware hung out to dry by Dutch defense department

February 6, 2024 at 12:17PM

Dutch authorities have attributed an attempted cyberattack on the Ministry of Defense to Chinese state-sponsored hackers, uncovering a previously unseen malware named Coathanger. The remote access trojan was specifically designed to target Fortinet’s FortiGate firewalls and was difficult to detect using traditional methods. The attackers’ wide and opportunistic scans exploited a vulnerability, gaining access to the network but were limited by the MOD’s network segmentation. The Joint Signal Cyber Unit of the Netherlands has published detection methods on its GitHub page. If compromised, affected users are advised to isolate devices, review logs, and seek third-party digital forensics specialists. The only way to remove Coathanger is to reformat the infected device. This incident is part of a wider trend of Chinese political espionage against the Netherlands and its allies. Authorities have urged victims to inform their country’s cybersecurity authority.

Key takeaways from the meeting notes are as follows:
– Dutch authorities have identified a cyberattack on the Ministry of Defense, attributing it to Chinese state-sponsored attackers.
– The intrusion involved a previously unseen malware named Coathanger, which specifically targeted Fortinet’s FortiGate next-generation firewalls and gained initial access through exploiting CVE-2022-42475.
– The malware was described as highly stealthy and difficult to detect using default FortiGate CLI commands.
– The attack is seen as part of a wider trend of Chinese political espionage against the Netherlands and its allies.
– The Joint Signal Cyber Unit of the Netherlands (JCSU-NL) published a list of indicators of compromise (IOCs) and various detection methods on its GitHub page for affected users to identify potential compromises and take necessary actions.
– It is advised for affected users to isolate their device immediately, collect and review logs, and consider involving third-party digital forensics specialists. Additionally, victims should inform their country’s cybersecurity authority.
– Lastly, the only way to remove Coathanger from an infected device is to completely reformat the device before reinstalling and reconfiguring it.

Full Article