Netherlands Exposes Chinese Cyber Espionage: Coathanger Malware Hooks FortiGate Firewalls

In a plot twist worthy of a spy thriller, Dutch officials pulled back the curtain on a malware mystery, pinning the blame on Chinese cyber sleuths. Meet ‘Coathanger,’ the malware so sneaky it could hang out undetected in the Ministry of Defense’s cyber closet. It’s espionage, but with a digital twist!

Hot Take:

Another day, another cyber-espionage drama, but this time with a fashion twist. The Dutch MoD’s encounter with ‘Coathanger’ malware feels like a spy thriller where the villain leaves a calling card—except the card is a weirdly polite malware message about outerwear etiquette. And let’s be honest, “She took his coat and hung it up” is probably the most courteous malware has ever been while rifling through state secrets.

Key Points:

  • Dutch authorities reveal a cyberattack by Chinese state-sponsored hackers using ‘Coathanger’ malware targeting FortiGate firewalls.
  • Coathanger is a cheeky malware name inspired by its own encryption message, perhaps hinting at a more polite class of cybercriminals.
  • This RAT is like a bad houseguest: it sticks around after reboots and patches, making detection harder than finding a needle in a digital haystack.
  • The Dutch MoD was hit but brushed it off due to savvy network segmentation, limiting the espionage extravaganza.
  • If your FortiGate firewall is acting fishy, you might want to call in the cyber-sleuths because a full device reformat is the only way to evict Coathanger.

CVE details:

  • ID: CVE-2022-42475
  • State: PUBLISHED
  • Assigner short name: fortinet
  • Date updated: 01/02/2023
  • Description: A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
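As an added example (not code from the original post or from Fortinet), here is a small inventory triage script that checks whether a FortiOS or FortiProxy SSL-VPN version string falls inside the ranges the CVE description above lists. The device names and versions in the sample inventory are constructed; and, as the post notes, a firewall that was patched after being compromised can still host Coathanger, so a version outside these ranges says nothing about whether a device was ever breached.

```python
# Affected ranges transcribed from the CVE-2022-42475 description.
# (lowest affected, highest affected); None = "and earlier" (no lower bound).
AFFECTED = {
    "FortiOS": [
        ("7.2.0", "7.2.2"),
        ("7.0.0", "7.0.8"),
        ("6.4.0", "6.4.10"),
        ("6.2.0", "6.2.11"),
        (None, "6.0.15"),   # "6.0.15 and earlier"
    ],
    "FortiProxy": [
        ("7.2.0", "7.2.1"),
        (None, "7.0.7"),    # "7.0.7 and earlier"
    ],
}


def parse_version(text: str) -> tuple:
    """Turn 'v7.0.8' or '7.0.8' into a comparable tuple (7, 0, 8)."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, version: str) -> bool:
    """True if the version sits inside any affected range for the product."""
    v = parse_version(version)
    for low, high in AFFECTED[product]:
        lower_ok = low is None or parse_version(low) <= v
        if lower_ok and v <= parse_version(high):
            return True
    return False


def triage(inventory) -> list:
    """Return the names of devices whose (product, version) is affected."""
    return [name for name, product, version in inventory
            if is_affected(product, version)]


# Constructed sample inventory (hypothetical device names, not real hosts).
INVENTORY = [
    ("fw-edge-01", "FortiOS", "7.0.8"),     # inside 7.0.0 through 7.0.8
    ("fw-edge-02", "FortiOS", "7.0.9"),     # first fixed 7.0.x release
    ("fw-dc-01", "FortiOS", "6.0.12"),      # "6.0.15 and earlier"
    ("proxy-01", "FortiProxy", "7.2.2"),    # above 7.2.1
]

if __name__ == "__main__":
    for name in triage(INVENTORY):
        print(f"{name}: version inside the CVE-2022-42475 affected range")
```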

Need to know more?

Malware with Manners

When the Dutch MoD got hit with a cyber-espionage attempt, it wasn't just any old hack—it was the debut of the 'Coathanger' malware, so named for its encryption message that could be straight out of an etiquette guide. In what reads like a backhanded compliment, this RAT was custom-tailored for Fortinet's FortiGate next-gen firewalls, slipping through the digital cracks and setting up shop to gather intel in a persistent, reboot-resistant fashion. The Dutchies didn't just stand there with their coats on; they got to work with their intelligence agencies to hang this malware out to dry.

Attributing the Unattributable

The Dutch have pointed fingers with "high confidence" at Chinese state-sponsored hackers, stepping up to attribute this cyber fashion faux pas. It's like they're saying, "We see your sneaky malware, and we raise you an international call-out." They didn't just stop at naming and shaming; they shared their homework in the form of a technical report, essentially giving other nations a cheat sheet to spot the Coathanger if it's trying to sneak into their digital wardrobes as well.

Operation: Clean Out Your Closet

Just when you thought it was safe to go back into your network, it turns out that a fully patched FortiGate firewall might still be a walk-in closet for Coathanger if it was compromised pre-patch. The Dutch Joint Signal Cyber Unit (JCSU-NL), not to be outdone by their intelligence counterparts, dropped a full list of IOCs on GitHub, making it a group effort to boot out these unwanted cyber lodgers. If you do find the pesky RAT, be prepared for a full system reformat—think of it as an extreme digital spring cleaning.

A Stitch in Time

Let's face it, everyone had their suspicions about who was behind the attacks exploiting the Fortinet vulnerabilities, but now the Dutch have stitched together the evidence and are ready to confirm China's role in the digital catwalk of cybercrime. With the clear connection to the UTC+8 timezone, the list of suspects was short, and now it seems the Netherlands is ready to send out the international equivalent of a neighborhood watch alert to keep this tailored threat at bay.

Fashionably Late Attribution

The cyber runway has been abuzz since last December with whispers of high-end exploits targeting Fortinet gear. Now, with the Dutch shedding light on the situation, it's like the after-party where everyone finally confirms who wore the espionage ensemble best. And it seems China has been strutting this look for a while, with a series of bespoke malware pieces that have the cybersecurity paparazzi snapping pictures and raising alarms.

Tags: Chinese state-sponsored hackers, Coathanger RAT, CVE-2022-42475 exploit, cybersecurity advisory, Fortinet FortiGate NGFW, malware detection techniques, political espionage