The Netherlands’ military intelligence and security service (MIVD) has issued a warning about the discovery of a new malware strain, believed to be deployed by the Chinese government as part of a broader political espionage campaign. The malware, known as “Coathanger,” is a remote access Trojan (RAT) and has been found to exploit a known vulnerability in FortiGate edge devices. According to reports, Coathanger was used to spy on the Dutch Ministry of Defense (MOD) in 2023.
The Coathanger malware is described as stealthy and persistent, making it difficult to detect. Dutch officials stated that the malware hides itself by hooking system calls and is capable of surviving reboots and firmware upgrades. It is deployed as second-stage malware, meaning it is installed after initial access has already been obtained and therefore does not rely on new zero-day exploits to infect target systems; it could, however, be used in conjunction with any future FortiGate device vulnerability.
The MIVD emphasized that the threat posed by Coathanger is part of a wider cyberespionage campaign conducted by Chinese state-sponsored threat actors. These actors are targeting various Internet-facing edge devices, including firewalls, VPN servers, and email servers. The advisory issued by Dutch authorities cautioned that Chinese threat actors are known to conduct wide and opportunistic scanning campaigns to identify both published and unpublished software vulnerabilities on these devices, often exploiting them soon after they are discovered.
Fortinet’s FortiGate devices, in particular, have been singled out as prime targets for cyber-attacks, with the company recently reporting two max-severity bugs in its FortiSIEM solution. This underscores the importance of timely patching and regular security maintenance for businesses using these devices.
To mitigate the risk posed by Coathanger and similar malware, intelligence analysts in the Netherlands have recommended several measures. These include performing regular risk analyses of edge devices, limiting Internet access to and from these devices, conducting scheduled analysis of their logs, and replacing any hardware that is no longer supported.
The discovery of Coathanger and the broader threat posed by Chinese cyber-espionage efforts serve as a reminder of the persistent and evolving nature of cybersecurity challenges faced by governments and businesses around the world. As threat actors continue to develop new tactics and tools, it is essential for organizations to remain vigilant and proactive in their cybersecurity efforts, including staying informed about potential vulnerabilities and taking appropriate measures to mitigate risks.