Feb 07, 2024NewsroomCyber Espionage / Network Security

Chinese state-backed hackers broke into a computer network that’s used by the Dutch armed forces by targeting Fortinet FortiGate devices.

“This [computer network] was used for unclassified research and development (R&D),” the Dutch Military Intelligence and Security Service (MIVD) said in a statement. “Because this system was self-contained, it did not lead to any damage to the defense network.” The network had less than 50 users.

The intrusion, which took place in 2023, leveraged a known critical security flaw in FortiOS SSL-VPN (CVE-2022-42475, CVSS score: 9.3) that allows an unauthenticated attacker to execute arbitrary code via specially crafted requests.

Successful exploitation of the flaw paved the way for the deployment of a backdoor dubbed COATHANGER from an actor-controlled server that’s designed to grant persistent remote access to the compromised appliances.

“The COATHANGER malware is stealthy and persistent,” the Dutch National Cyber Security Centre (NCSC) said. “It hides itself by hooking system calls that could reveal its presence. It survives reboots and firmware upgrades.”

COATHANGER is distinct from BOLDMOVE, another backdoor linked to a suspected China-based threat actor that’s known to have exploited CVE-2022-42475 as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa as early as October 2022.

The development marks the first time the Netherlands has publicly attributed a cyber espionage campaign to China. Reuters, which broke the story, said the malware is named after a code snippet that contained a line from Lamb to the Slaughter, a short story by British author Roald Dahl.

It also arrives days after U.S. authorities took steps to dismantle a botnet comprising out-of-date Cisco and NetGear routers that were used by Chinese threat actors like Volt Typhoon to conceal the origins of malicious traffic.

Last year, Google-owned Mandiant revealed that a China-nexus cyber espionage group tracked as UNC3886 exploited zero-days in Fortinet appliances to deploy THINCRUST and CASTLETAP implants for executing arbitrary commands received from a remote server and exfiltrating sensitive data.

Jan 06, 2024NewsroomCyber Espionage / Supply Chain Attack

Telecommunication, media, internet service providers (ISPs), information technology (IT)-service providers, and Kurdish websites in the Netherlands have been targeted as part of a new cyber espionage campaign undertaken by a Türkiye-nexus threat actor known as Sea Turtle.

“The infrastructure of the targets was susceptible to supply chain and island-hopping attacks, which the attack group used to collect politically motivated information such as personal information on minority groups and potential political dissents,” Dutch security firm Hunt & Hackett said in a Friday analysis.

“The stolen information is likely to be exploited for surveillance or intelligence gathering on specific groups and or individuals.”

Sea Turtle, also known by the names Cosmic Wolf, Marbled Dust (formerly Silicon), Teal Kurma, and UNC1326, was first documented by Cisco Talos in April 2019, detailing state-sponsored attacks targeting public and private entities in the Middle East and North Africa.

Activities associated with the group are believed to have been ongoing since January 2017, primarily leveraging DNS hijacking to redirect prospective targets attempting to query a specific domain to an actor-controlled server capable of harvesting their credentials.

“The Sea Turtle campaign almost certainly poses a more severe threat than DNSpionage given the actor’s methodology in targeting various DNS registrars and registries,” Talos said at the time.

In late 2021, Microsoft noted that the adversary carries out intelligence collection to meet strategic Turkish interests from countries like Armenia, Cyprus, Greece, Iraq, and Syria, striking telecom and IT companies with an aim to “establish a foothold upstream of their desired target” via exploitation of known vulnerabilities.

Then last month, the adversary was revealed to be using a simple reverse TCP shell for Linux (and Unix) systems called SnappyTCP in attacks carried out between 2021 and 2023, according to the PricewaterhouseCoopers (PwC) Threat Intelligence team.

“The web shell is a simple reverse TCP shell for Linux/Unix that has basic [command-and-control] capabilities, and is also likely used for establishing persistence,” the company said. “There are at least two main variants; one which uses OpenSSL to create a secure connection over TLS, while the other omits this capability and sends requests in cleartext.”

The latest findings from Hunt & Hackett show that Sea Turtle continues to be a stealthy espionage-focused group, performing defense evasion techniques to fly under the radar and harvest email archives.

In one of the attacks observed in 2023, a compromised-but-legitimate cPanel account was used as an initial access vector to deploy SnappyTCP on the system. It’s currently not known how the attackers obtained the credentials.

“Using SnappyTCP, the threat actor sent commands to the system to create a copy of an email archive created with the tool tar, in the public web directory of the website that was accessible from the internet,” the firm noted.

“It is highly likely that the threat actor exfiltrated the email archive by downloading the file directly from the web directory.”

To mitigate the risks posed by such attacks, it’s advised that organizations enforce strong password policies, implement two-factor authentication (2FA), rate limit login attempts to reduce the chances of brute-force attempts, monitor SSH traffic, and keep all systems and software up-to-date.