7 February 2024

Chinese hackers caught spying on Dutch defense network


In a rare occurrence, the Dutch Military Intelligence and Security Service (MIVD) disclosed that a China-linked threat actor compromised an internal computer network at the Dutch Ministry of Defense last year and deployed sophisticated malware for cyberespionage purposes.

The agency said that the malware was found on a standalone computer network used for unclassified Research and Development (R&D). Because this network was isolated, the intrusion did not cause damage to the wider Defense network. The attackers exploited a vulnerability in Fortinet FortiOS devices to plant a backdoor named 'Coathanger'.

The Dutch National Cyber Security Center (NCSC) described the malware as “a new Remote Access Trojan (RAT) that operates outside of traditional detection measures and is specifically designed for FortiGate devices.” The backdoor is able to survive reboots and firmware upgrades.

The exploited vulnerability, tracked as CVE-2022-42475, is a heap-based overflow issue within FortiOS that could be used for remote code execution. Previously, this FortiOS SSL-VPN vulnerability was exploited by unknown threat actors as a zero-day in attacks on government organizations and government-related targets.

“The MIVD and AIVD state that this attack fits within a broader trend. Both the NCSC and partner organizations see a trend in the exploitation of vulnerabilities in publicly accessible edge devices such as firewalls, VPN servers, and email servers,” the NCSC noted. “Edge devices are an interesting target because these components are located at the edge of the network and regularly have a direct connection to the internet. Edge devices are often not supported by Endpoint Detection and Response (EDR) solutions. This makes malicious or deviant behavior difficult to detect.”
