7 February 2024

Chinese hackers caught spying on Dutch defense network

In a rare occurrence, the Dutch Military Intelligence and Security Service (MIVD) disclosed that a China-linked threat actor compromised an internal computer network at the Dutch Ministry of Defense last year and deployed sophisticated malware for cyberespionage purposes.

The agency said that the malware was found on a standalone computer network used for unclassified Research and Development (R&D). Because this system was isolated, it did not cause damage to the Defense network. The attackers exploited a vulnerability in Fortinet FortiOS devices to plant a backdoor named 'Coathanger'.

The Dutch National Cyber Security Center (NCSC) described the malware as “a new Remote Access Trojan (RAT) that operates outside of traditional detection measures and is specifically designed for FortiGate devices.” The backdoor is able to survive reboots and firmware upgrades.

The exploited vulnerability, tracked as CVE-2022-42475, is a heap-based overflow issue within FortiOS that could be used for remote code execution. Previously, this FortiOS SSL-VPN vulnerability was exploited by unknown threat actors as a zero-day in attacks on government organizations and government-related targets.

“The MIVD and AIVD state that this attack fits within a broader trend. Both the NCSC and partner organizations see a trend in the exploitation of vulnerabilities in publicly accessible edge devices such as firewalls, VPN servers, and email servers,” the NCSC noted. “Edge devices are an interesting target because these components are located at the edge of the network and regularly have a direct connection to the internet. Edge devices are often not supported by Endpoint Detection and Response (EDR) solutions. This makes malicious or deviant behavior difficult to detect.”
