Chinese State Actors Deploy ‘Coathanger’ Malware Targeting FortiGate Devices

February 8, 2024

The Military Intelligence and Security Service (MIVD) of the Netherlands has issued a warning regarding the discovery of a new malware strain, dubbed 'Coathanger', being used by the Chinese government. The malware was found in several FortiGate devices during an incident response. The Chinese-state actors are reportedly using this persistent Remote Access Trojan (RAT) for espionage activities.

The Coathanger RAT was employed to spy on the Dutch Ministry and Defense (MOD) in 2023, as per the advisory. During the incident response, the Dutch intelligence service identified that the malware was being delivered through a previously known FortiGate flaw, CVE-2022-42475. FortiGate devices, developed by Fortinet, are used for network firewall protections.

The report emphasized that Coathanger does not exploit a new zero-day vulnerability but is deployed as a second-stage malware. However, the advisory also warned that 'Coathanger could be used along with any future FortiGate device vulnerability.'

Coathanger is described as stealthy and persistent malware. It conceals its presence by hooking system calls that could reveal it. The malware can survive system reboots and firmware upgrades.

The Coathanger malware is part of a broader campaign carried out by Chinese state-sponsored threat actors against Internet-facing edge devices. This includes firewalls, VPN servers, and email servers. Dutch authorities noted, 'Chinese threat actors are known to perform wide and opportunistic scanning campaigns for both published (nday) as well as unpublished (0-day) software vulnerabilities on internet-facing (edge) devices.' They added that these actors operate with a high operational tempo, often exploiting vulnerabilities on the day they are published.

Fortinet devices are frequently targeted by cyberattacks, which underscores the importance for businesses to regularly update and patch their systems. Recently, Fortinet reported two high-severity bugs in its FortiSIEM solution that required immediate patching.

The Dutch intelligence analysts have recommended several measures to mitigate the risk from Coathanger. These include conducting regular risk analysis on edge devices, limiting Internet access on these devices, scheduled logging analysis, and replacing any unsupported hardware.

Related News

• Iranian Hackers Exploit Zoho and Fortinet Vulnerabilities to Breach US Aviation Organization
• Fortinet Warns of Potential Exploitation of New FortiOS RCE Vulnerability
• China-Backed Cyber Campaign 'Volt Typhoon' Targets Critical Infrastructure
• 55 Zero-Day Vulnerabilities Exploited in 2022: Mandiant Report
• Fortinet Patches High-Severity FortiOS Bug Used in Zero-Day Attacks

Latest News

• Google Addresses Critical Remote Code Execution Vulnerability in Android
• Critical Authentication Bypass Vulnerability in TeamCity On-Premises Servers
• Widespread Exploitation of Ivanti SSRF Zero-Day Vulnerability Observed
• Mispadu Banking Trojan Exploits Patched Windows SmartScreen Flaw
• Critical Vulnerability in Mastodon Social Network Allows Account Takeovers