China Caught Dropping RAT Designed for FortiGate Devices

The Netherlands' Military Intelligence and Security Service (MIVD) is warning that it has uncovered a new malware strain, persistent and difficult to detect, being deployed by the Chinese government against an existing FortiGate flaw, and that it's part of a wider political espionage campaign.

The new remote access Trojan (RAT), called "Coathanger," was used to spy on the Dutch Ministry and Defense (MOD) in 2023, according to a new advisory. During the response to the intrusion, Dutch intelligence service officials discovered the malware was being delivered through a known FortiGate flaw (CVE-2022-42475).

Fortinet's FortiGate devices provide network firewall protections.

The report stresses that Coathanger doesn't take advantage of a new zero-day exploit and is deployed as second-stage malware. However, the advisory added, "Coathanger could be used along with an any future FortiGate device vulnerability."

Dutch officials explained, "The Coathanger malware is stealthy and persistent. It hides itself by hooking system calls that could reveal its presence. It survives reboots and firmware upgrades."

Edge Devices in Cyberattack Crosshairs

The Coathanger malware is part of a wider campaign being waged by Chinese state-sponsored threat actors against Internet-facing edge devices including firewalls, VPN servers, and email servers, according to Dutch authorities.

"Chinese threat actors are known to perform wide and opportunistic scanning campaigns for both published (nday) as well as unpublished (0-day) software vulnerabilities on internet-facing (edge) devices," the advisory cautioned. "They do so with a high operational tempo, sometimes abusing vulnerabilities on the day they are published."

Fortinet devices are a popular cyberattack target, so businesses should stay on top of patches: Just this week, Fortinet reported two max-severity bugs in its FortiSIEM solution required immediate patching.

Recommendations from intelligence analysts in the Netherlands to keep Coathanger at bay also include performing a regular risk analysis on edge devices, limiting Internet access on edge devices, scheduled logging analysis, and replacing any hardware no longer supported.