20,000 Fortinet VPN appliances compromised, investigation reveals

An investigation by Dutch government agencies has revealed that over 20,000 FortiGate security appliances were compromised by cyber-spies.

An investigation performed by Dutch government agencies into a nation-state malware campaign has concluded that it was far more extensive than previously thought.

In February 2024, Dutch authorities published information about an attempted cyberattack on the country's Ministry of Defense (MoD). They attributed the espionage-focused intrusion to Chinese state-sponsored attackers.

The malware used in the attack was dubbed Coathanger, a Remote Access Trojan (RAT) purpose-built for Fortinet’s FortiGate next-generation firewalls, and it was deployed by exploiting the vulnerability tracked as CVE-2022-42475.

Ever since it published its findings in February, the Dutch Military Intelligence and Security Service (MIVD) has continued its investigation into the cyberespionage campaign. It found that within several months in 2022 and 2023 the spies gained access to over 20,000 FortiGate systems all over the world.

During the two months that the vulnerability was a zero-day, meaning only the malware operators knew about it, they were able to compromise 14,000 systems. Among the targets, the MIVD found several Western governments, international organizations, and companies active in the defense sector.

If your devices were vulnerable to these attacks, there is a good chance that they remain compromised. The MIVD states that even with the technical report about the malware at the ready, it is hard to identify and remove the malware. So, if you have any of the vulnerable devices in your network it is prudent to assume they have been breached, even if you have applied patches for the vulnerability.

This means that credentials stored on these devices, even when hashed, should be considered compromised, and a thorough investigation for suspicious behavior is in order. An English version of the Coathanger advisory, with Indicators of Compromise (IOCs) and YARA rules, can be downloaded from the National Cyber Security Center website.

Furthermore, the MIVD warns about the recent trend for attacking edge devices such as firewalls, VPN servers, routers, and email servers. They are attractive targets for cybercriminals—not just Chinese spies—because:

  • They are often internet-facing, because of their function.
  • They are an entrance into an organization’s network.
  • EDR solutions can’t protect many of them.

We are clearly seeing this trend as well. Well-funded cybercriminals, be they state-sponsored spies or established ransomware groups, can afford to look for zero-day vulnerabilities, and when it comes to edge devices these vulnerabilities are very likely to provide a decent return on investment.

To keep your edge devices safe, it is important to:

  • Make an inventory of the edge devices in your environment.
  • Regularly perform a risk analysis, and ask: are they still supported, and has their functionality changed?
  • Make a plan for how you’ll check for available updates and patches and apply them.
  • Create and monitor logs. Save logs in a separate environment where they are safe from tampering.
  • Disable, limit or scrutinize internet access to the management console.
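The last two recommendations, shown as an added FortiOS CLI example that is not taken from the original post or from the MIVD advisory. The interface name wan1, the admin account name admin, and all IP addresses are assumptions; adjust them to your own environment.

```fortios
# Weak setting (assumed starting point): the WAN interface exposes
# the HTTPS/SSH management console to the whole internet.
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end

# Hardened: remove management protocols from the internet-facing
# interface entirely; keep only what the interface needs to do its job.
config system interface
    edit "wan1"
        set allowaccess ping
    next
end

# Limit management logins to a constructed internal admin subnet,
# so even an exposed console only answers trusted source addresses.
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end

# Ship logs off the device to a constructed remote syslog collector,
# so a compromise of the appliance cannot silently erase its own history.
config log syslogd setting
    set status enable
    set server "10.10.20.5"
    set mode reliable
    set port 514
end
```

Review the resulting configuration with `show system interface` and `show system admin` after applying it, and confirm on the collector that log lines actually arrive.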

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in check by using ThreatDown’s Vulnerability Assessment and Patch Management solutions.