The broader COATHANGER-campaign
Quotes from: "Ministry of Defence of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT"
It hides itself by hooking system calls that could reveal its presence. It survives reboots and firmware upgrades.
malware name
The name is derived from the peculiar phrase that the malware uses to encrypt the configuration on disk: ‘She took his coat and hung it up’
Reference to Lamb to the Slaughter by Roald Dahl:
“Hello,” he answered. She took his coat and hung it up. Then she made the drinks, a strong one for him and a weak one for herself.
steps of the attack
- exploitation through the FortiOS SSL-VPN heap overflow disclosed in December 2022 (CVE-2022-42475, FG-IR-22-398; see references)
The threat actor fired an exploit for this CVE using an obfuscated connection.
- download second stage malware
The second-stage COATHANGER malware described below was then downloaded from another host
- recon from compromised fortigate device
- exfiltrate list of AD users
malware
- periodically connects back to the command & control server and provides a BusyBox reverse shell
- persistence: injects a backup of itself that reinstalls the malware at reboot
- survives firmware upgrades
- stealth: hooks system calls that could reveal its presence, such as stat and opendir, through a preloaded library (preload.so)
- configuration is encrypted and stored in the last bytes of the .so file
communication to C2
- sends the string "get google.com" to the C2 server
- uses openpty to open a terminal on the BusyBox binary for the reverse shell
detection methods
- deviating modification time on the smartctl binary
- showing TCP sockets while C2 connections are active
- unusual location in the process maps of httpsd
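The three signals above can be checked mechanically. The script below is an added example, not code from the MIVD/AIVD report: it flags a binary whose mtime deviates from the rest of the firmware directory, an established socket to a public peer that is not a known Fortinet/FortiManager address, and a library mapped into httpsd from outside the firmware directories. All sample data is constructed; the `ls -l`, socket-table and /proc/<pid>/maps layouts, the allowlists and the /data/lib path are assumptions, not observed values.

```python
"""Heuristic checks for the three COATHANGER detection signals.

Constructed sample data throughout. The listing, socket table and maps
excerpts follow ordinary Linux `ls -l`, netstat-like and /proc/<pid>/maps
layouts; that the FortiGate shell prints something equivalent is an
assumption, as are KNOWN_PEERS and EXPECTED_PREFIXES.
"""
import ipaddress
import re
from collections import Counter

# Constructed `ls -l /bin` excerpt: every binary carries the firmware build
# timestamp except smartctl, which was modified later.
BIN_LISTING = """\
-rwxr-xr-x 1 0 0   98232 Nov 15  2022 /bin/busybox
-rwxr-xr-x 1 0 0 1224000 Nov 15  2022 /bin/init
-rwxr-xr-x 1 0 0  455112 Nov 15  2022 /bin/httpsd
-rwxr-xr-x 1 0 0  207856 Feb  3 14:21 /bin/smartctl
-rwxr-xr-x 1 0 0  331008 Nov 15  2022 /bin/sshd
"""

# perms links owner group size <month day year-or-time> path
LS_RE = re.compile(r"^\S+\s+\d+\s+\S+\s+\S+\s+\d+\s+(\w{3}\s+\d+\s+[\d:]+)\s+(\S+)$")


def mtime_outliers(listing: str) -> list[str]:
    """Paths whose mtime differs from the most common mtime in the listing.

    Firmware binaries are written in one go, so a lone deviating timestamp
    is worth a look.
    """
    entries = []
    for line in listing.splitlines():
        m = LS_RE.match(line.strip())
        if m:
            entries.append((m.group(2), m.group(1)))
    if not entries:
        return []
    common = Counter(ts for _, ts in entries).most_common(1)[0][0]
    return [path for path, ts in entries if ts != common]


# Constructed socket table: proto, state, local, remote, pid, process name.
TCP_SOCKETS = """\
tcp LISTEN      0.0.0.0:443      0.0.0.0:0           pid=812  httpsd
tcp ESTABLISHED 10.0.0.5:443     10.0.0.77:51422     pid=812  httpsd
tcp ESTABLISHED 10.0.0.5:48712   203.0.113.10:443    pid=1337 httpsd
tcp ESTABLISHED 10.0.0.5:50322   198.51.100.20:541   pid=640  fgfmd
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed: the organisation's FortiManager / Fortinet service addresses.
KNOWN_PEERS = {ipaddress.ip_address("198.51.100.20")}


def suspicious_sockets(table: str) -> list[tuple[str, str]]:
    """(process, remote) for established sockets to non-internal, non-allowlisted peers."""
    hits = []
    for line in table.splitlines():
        f = line.split()
        if len(f) < 6 or f[1] != "ESTABLISHED":
            continue
        remote = f[3]
        ip = ipaddress.ip_address(remote.rsplit(":", 1)[0])
        if any(ip in net for net in RFC1918) or ip in KNOWN_PEERS:
            continue
        hits.append((f[5], remote))
    return hits


# Constructed /proc/<pid>/maps excerpt for a process named httpsd; the
# library under /data/lib stands in for the implant's preload library
# (its real path varies between samples).
HTTPSD_MAPS = """\
00400000-004f0000 r-xp 00000000 00:0d 1001 /bin/httpsd
7f1c00000000-7f1c00020000 r-xp 00000000 00:0d 1203 /lib/libc.so.6
7f1c00100000-7f1c00110000 r-xp 00000000 00:0d 1890 /data/lib/preload.so
7ffd00000000-7ffd00020000 rw-p 00000000 00:00 0 [stack]
"""

# Assumed prefixes where firmware-shipped code lives on this platform.
EXPECTED_PREFIXES = ("/bin/", "/lib/", "/usr/lib/")


def unusual_mappings(maps: str) -> list[str]:
    """Mapped file paths outside the expected firmware directories."""
    hits = []
    for line in maps.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 6 or parts[5].startswith("["):
            continue  # anonymous or pseudo mappings carry no path
        if not parts[5].startswith(EXPECTED_PREFIXES):
            hits.append(parts[5])
    return hits


if __name__ == "__main__":
    print("mtime outliers:", mtime_outliers(BIN_LISTING))
    print("suspicious sockets:", suspicious_sockets(TCP_SOCKETS))
    print("unusual httpsd mappings:", unusual_mappings(HTTPSD_MAPS))
```

Each check is a heuristic, not a signature: a legitimate hotfix can touch one binary, and a sanctioned out-of-band peer belongs in KNOWN_PEERS. Run all three together and treat any hit as a reason to image the device rather than as proof of compromise.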
detection avoidance methods
- the JA3 hash (TLS client fingerprint) of the C2 connection is the same as that of legitimate FortiGate logging connections
- a JA3-based detection will therefore produce false positives; check whether the destination IP is a FortiManager or a Fortinet Inc. IP before alerting
- file locations differ between samples, but the names follow the .bd.key scheme
- process names differ between samples; httpsd is one that has been observed
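The JA3 point above turns into a two-stage rule: match the fingerprint, then suppress hits whose destination is a FortiManager or Fortinet address. The script below is an added example, not from the report; the log lines are constructed in a Zeek ssl.log-like tab-separated layout (ts, orig_h, resp_h, resp_p, ja3), the JA3 value is a placeholder rather than the real COATHANGER fingerprint, and the allowlisted ranges are assumed.

```python
"""JA3 match with the destination-IP false-positive filter.

Constructed example. COATHANGER_JA3 is a placeholder, not the fingerprint
published in the report; FORTINET_ALLOWLIST is an assumed set of ranges an
organisation would fill with its FortiManager and Fortinet service addresses.
"""
import ipaddress

COATHANGER_JA3 = "0123456789abcdef0123456789abcdef"  # placeholder, constructed

FORTINET_ALLOWLIST = [
    ipaddress.ip_network("198.51.100.0/24"),  # assumed FortiManager range
    ipaddress.ip_network("192.0.2.0/24"),     # assumed Fortinet Inc. range
]

# Constructed ssl.log-style lines: ts, orig_h, resp_h, resp_p, ja3.
SSL_LOG = """\
1707300000.1\t10.0.0.5\t198.51.100.20\t541\t0123456789abcdef0123456789abcdef
1707300001.2\t10.0.0.5\t192.0.2.44\t443\t0123456789abcdef0123456789abcdef
1707300002.3\t10.0.0.5\t203.0.113.10\t443\t0123456789abcdef0123456789abcdef
1707300003.4\t10.0.0.9\t203.0.113.10\t443\tffffffffffffffffffffffffffffffff
"""


def is_fortinet(ip: str) -> bool:
    """True when the destination falls in an allowlisted Fortinet/FortiManager range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in FORTINET_ALLOWLIST)


def ja3_triage(log: str, ja3: str = COATHANGER_JA3) -> dict:
    """Split JA3 matches into alerts (unknown destination) and suppressed (Fortinet)."""
    alerts, suppressed = [], []
    for line in log.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue
        ts, src, dst, dport, fp = fields
        if fp != ja3:
            continue  # different TLS client, not our signature
        record = {"ts": ts, "src": src, "dst": f"{dst}:{dport}"}
        (suppressed if is_fortinet(dst) else alerts).append(record)
    return {"alerts": alerts, "suppressed": suppressed}


if __name__ == "__main__":
    result = ja3_triage(SSL_LOG)
    for a in result["alerts"]:
        print("ALERT  JA3 match to non-Fortinet peer:", a)
    print(f"{len(result['suppressed'])} matches suppressed as Fortinet/FortiManager traffic")
```

Keep the suppressed matches in a separate count rather than dropping them: a sudden change in their volume, or a "Fortinet" destination that is not actually in the allowlist you maintain, is itself worth reviewing, and the report's caveat is only that the fingerprint alone is not enough.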
mitigation
incident response
- isolate the device
- collect logs, data and artifacts
- extract a forensic image from the device
- contact third-party specialized in incident response
- report the incident to the NCSC
removing infection
- wiping device
precautions
- patch as soon as possible
- security best practices
- enable fewer features on devices (smaller attack surface)
- restrict internet access where it is not needed
- monitor event logs for abnormal activity
references
- heap overflow in FortiOS SSL-VPN, December 2022 (FG-IR-22-398): https://www.fortiguard.com/psirt/FG-IR-22-398
followup
Since publication of the report in February, the MIVD has conducted additional research into the associated Chinese cyber espionage campaign. This research revealed that by exploiting a vulnerability affecting FortiGate devices, the state actor gained access to at least 20,000 FortiGate devices globally within a few months in both 2022 and 2023.
Several critical vulnerabilities in the Ivanti Connect Secure VPN solution were exposed in the first quarter of 2024. The security company Volexity found that malicious actors had exploited two unknown ‘zero-day’ vulnerabilities in certain systems.[6]
challenges
- Challenge 1: The organisation’s attack surface is unknown
- Challenge 2: Edge devices are ‘black boxes’
- Challenge 3: Misconfiguration of edge devices can increase the risk of exploitation
The range of features for edge devices is constantly expanding. One example is SSL offloading, which allows users to decrypt traffic that was encrypted using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol.[9] This feature makes edge devices more effective when it comes to inspecting traffic and detecting anomalies. However, if malicious actors gain access to an edge device and SSL/TLS offloading is enabled, the attacker may be able to intercept all unencrypted traffic that passes through the device. This is a good example of LOTL exploitation. We recommend drafting a preliminary risk assessment that incorporates the activation and addition of new features such as SSL offloading.
- Challenge 4: Patch management for edge devices is often inadequate
- Challenge 5: Recovery after an edge device is compromised takes up a lot of capacity