China-linked APT deployed malware in a network of the Dutch Ministry of Defence

Pierluigi Paganini February 07, 2024

China-linked APT group breached the Dutch Ministry of Defence last year and installed malware on compromised systems.

Dutch Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) published a joint report warning that a China-linked APT group breached the Dutch Ministry of Defence last year. The effects of the attack were limited because of the network segmentation implemented in the government infrastructure.

“The Ministry of Defence (MOD) of the Netherlands was impacted in 2023 by an intrusion into one of its networks. The effects were limited because of prior network segmentation” reads the report. “MIVD & AIVD assess with high confidence that the malicious activity was conducted by a state-sponsored actor from the People’s Republic of China. This is part of a wider trend of Chinese political espionage against the Netherlands and its allies.”

The government experts discovered a previously unpublished remote access trojan (RAT), tracked as COATHANGER, specifically designed to target Fortigate appliances. The RAT is used as second-stage malware, the experts pointed out that it doesn’t exploit a new vulnerability. COATHANGER is a stealthy malware that hooks system calls that could reveal its presence. The malware survives reboots and firmware upgrades.

“Notably, the COATHANGER implant is persistent, recovering after every reboot by injecting a backup of itself in the process responsible for rebooting the system. Moreover, the infection survives firmware upgrades.” continues the report. “Even fully patched FortiGate devices may therefore be infected, if they were compromised before the latest patch was applied.”

The attack chain starts with the exploitation of the CVE-2022-42475 vulnerability for FortiGate devices.

In December 2023, Fortinet urged its customers to update their installs to address an actively exploited FortiOS SSL-VPN vulnerability, tracked as CVE-2022-42475, that could be exploited by an unauthenticated, remote attacker to execute arbitrary code on devices.

The CVE-2022-42475 flaw is a heap-based buffer overflow weakness that resides in FortiOS sslvpnd that allowed unauthenticated attackers to crash targeted devices remotely or gain remote code execution

“A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.” reads the advisory published by the security vendor. “Fortinet is aware of an instance where this vulnerability was exploited in the wild,”

Fortinet addressed the issue with the release of FortiOS 7.2.3.

The Chinese spies breached a network that was used for research and development (R&D) of unclassified projects and collaboration with two third-party research institutes.

The Dutch Ministry of Defence already notified the two third-party research institutes.

““For the first time, the MIVD has chosen to make public a technical report on the working methods of Chinese hackers. It is important to attribute such espionage activities by China,” said Defense Minister Kajsa Ollongren. “In this way we increase international resilience against this type of cyber espionage.” s

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, China-linked APT)

you might also like

leave a comment