The Military Intelligence and Security Service (MIVD) of the Netherlands has issued a warning regarding the discovery of a new malware strain, dubbed 'Coathanger', being used by the Chinese government. The malware was found in several FortiGate devices during an incident response. The Chinese-state actors are reportedly using this persistent Remote Access Trojan (RAT) for espionage activities.
The Coathanger RAT was employed to spy on the Dutch Ministry of Defence (MOD) in 2023, as per the advisory. During the incident response, the Dutch intelligence service identified that the malware was being delivered through a previously known FortiGate flaw, CVE-2022-42475. FortiGate devices, developed by Fortinet, are used for network firewall protection.
The report emphasized that Coathanger does not exploit a new zero-day vulnerability but is deployed as second-stage malware. However, the advisory also warned that 'Coathanger could be used along with any future FortiGate device vulnerability.'
Coathanger is described as stealthy and persistent malware. It conceals its presence by hooking system calls that could reveal it. The malware can survive system reboots and firmware upgrades.
The Coathanger malware is part of a broader campaign carried out by Chinese state-sponsored threat actors against Internet-facing edge devices. This includes firewalls, VPN servers, and email servers. Dutch authorities noted, 'Chinese threat actors are known to perform wide and opportunistic scanning campaigns for both published (nday) as well as unpublished (0-day) software vulnerabilities on internet-facing (edge) devices.' They added that these actors operate with a high operational tempo, often exploiting vulnerabilities on the day they are published.
Fortinet devices are frequently targeted by cyberattacks, which underscores the importance for businesses to regularly update and patch their systems. Recently, Fortinet reported two high-severity bugs in its FortiSIEM solution that required immediate patching.
The Dutch intelligence analysts have recommended several measures to mitigate the risk from Coathanger. These include conducting regular risk analysis on edge devices, limiting Internet access to the management interfaces of these devices, scheduled log analysis, and replacing any unsupported hardware.
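The two mitigations that can be automated, limiting who may reach the management plane and reviewing logs on a schedule, are easiest to see in code. The following is an added example written for this article, not part of the advisory or any Fortinet tooling. It parses key=value event lines in the general style of FortiGate syslog, flags administrator logins that come from outside an assumed management subnet (and, more seriously, from outside RFC 1918 space, which should be impossible once Internet access to the management interface is restricted), and queues firmware or configuration changes for review. The log lines, the `10.20.0.0/24` management subnet and the field names are constructed for the example; nothing here is an indicator from the advisory.

```python
import re
import ipaddress

# Constructed sample lines in FortiGate-style key=value syslog form.
# They are made up for this example and contain no real indicators.
SAMPLE_LOGS = [
    'date=2024-02-06 time=08:01:12 devname="fw-edge-1" type=event subtype=system '
    'logdesc="Admin login successful" user="admin" ui="https(10.20.0.15)" action=login status=success',
    'date=2024-02-06 time=08:05:40 devname="fw-edge-1" type=event subtype=system '
    'logdesc="Admin login successful" user="admin" ui="ssh(203.0.113.77)" action=login status=success',
    'date=2024-02-06 time=08:06:02 devname="fw-edge-1" type=event subtype=system '
    'logdesc="Admin login failed" user="root" ui="ssh(198.51.100.9)" action=login status=failed',
    'date=2024-02-06 time=08:09:31 devname="fw-edge-1" type=event subtype=system '
    'logdesc="Admin login successful" user="netops" ui="https(192.168.1.50)" action=login status=success',
    'date=2024-02-06 time=02:30:00 devname="fw-edge-1" type=event subtype=system '
    'logdesc="Firmware upgraded" user="admin" action=upgrade status=success',
]

# Assumed management subnet: the only place admin logins are expected from.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24")]

# RFC 1918 ranges; anything outside these is treated as "the Internet".
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Actions that change the device and should be reviewed against change tickets.
CHANGE_ACTIONS = {"upgrade", "Edit", "Add", "Delete"}

# key=value pairs; values may be quoted (with escaped quotes) or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# ui field of the form proto(ip), e.g. ssh(203.0.113.77)
UI_RE = re.compile(r'^(\w+)\((\d{1,3}(?:\.\d{1,3}){3})\)$')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def source_ip(fields):
    """Extract the client IP from a ui="proto(ip)" field, or None."""
    m = UI_RE.match(fields.get("ui", ""))
    return ipaddress.ip_address(m.group(2)) if m else None


def is_internal(ip):
    return any(ip in net for net in RFC1918)


def analyse(lines, allowlist=MGMT_ALLOWLIST):
    """Return (kind, detail, user, extra) tuples for events worth a human look."""
    findings = []
    for line in lines:
        f = parse_line(line)
        if f.get("type") != "event":
            continue
        user = f.get("user", "?")
        when = f"{f.get('date', '')} {f.get('time', '')}".strip()
        ip = source_ip(f)
        if f.get("action") == "login" and ip is not None:
            if not is_internal(ip):
                # Management reachable from the Internet: the exposure the advisory says to remove.
                findings.append(("mgmt-from-internet", str(ip), user, f.get("status")))
            elif not any(ip in net for net in allowlist):
                findings.append(("mgmt-outside-allowlist", str(ip), user, f.get("status")))
        if f.get("action") in CHANGE_ACTIONS:
            findings.append(("change-review", when, user, f.get("logdesc", "")))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOGS):
        print(finding)
```

Run on a schedule against exported logs, the `mgmt-from-internet` bucket should be empty once management access is restricted; any entry there is a control failure regardless of whether the login succeeded. The `change-review` bucket exists because a firmware upgrade or configuration edit that nobody scheduled is exactly the kind of event the advisory's recommended log review is meant to surface.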