A sophisticated advanced persistent threat (APT) from China has leveraged a critical vulnerability in Sophos’ firewall software to execute a targeted attack against an undisclosed organization in South Asia. This incident highlights the ongoing risk posed by APT actors who are adept at exploiting weaknesses within cybersecurity defenses.
According to a report from Volexity, the attackers deployed a web shell backdoor and established secondary persistence mechanisms to launch attacks on the target’s employees. “These attacks were focused on penetrating cloud-hosted web servers that hosted the organization’s public-facing websites,” Volexity noted.
The vulnerability involved is tracked as CVE-2022-1040 and received a CVSS score of 9.8: it is an authentication bypass that allows remote execution of arbitrary code. Affected versions include Sophos Firewall 18.5 MR3 (18.5.3) and earlier.
Sophos released a patch for the vulnerability on March 25, 2022, but Volexity confirmed that exploitation had already begun on March 5, 2022. The firm detected unusual network behavior originating from a customer’s fully up-to-date Sophos Firewall, showing that the attackers were active nearly three weeks before the vulnerability was publicly disclosed.
Research indicates that the attacker used the compromised firewall to carry out man-in-the-middle (MitM) attacks, gathering data that was then used to breach additional systems outside the compromised network. This sequence of exploitation underscores the importance of monitoring for abnormal network activity that could indicate an ongoing attack.
To deepen their foothold, the attackers backdoored a legitimate component of the Sophos software using the Behinder web shell, allowing remote access from any URL chosen by the threat actor. The use of Behinder and similar attack vectors has been noted in past exploits, further illustrating the evolving nature of APT tactics.
Following this, the intruders created VPN accounts for remote connectivity and modified DNS responses for targeted websites, chiefly the victim’s content management system. The altered responses were designed to capture user credentials and session cookies, enabling the attackers to seize control of the domain.
Upon gaining control over the WordPress site, the attackers installed a second web shell called IceScorpion and deployed several open-source implants, including PupyRAT, Pantegana, and Sliver. These actions indicate a highly coordinated approach by DriftingCloud, the actor behind the attack, which is known for targeting entities linked to specific geopolitical interests.
Sophos has conducted an independent investigation into these incidents and attributed the attacks to two unnamed APT groups, both exploiting the same vulnerability to plant remote access tools such as GoMet and Gh0st RAT. “The exploitation of this vulnerability allows malicious files to be executed on the device, indicating extensive knowledge and planning by the attackers,” noted Andrew Brandt, Sophos’ principal researcher.
This unfolding situation underscores the need for organizations, especially in high-risk areas, to remain vigilant regarding software updates and implement comprehensive monitoring mechanisms to detect potential threats. Understanding how attackers manipulate vulnerabilities is crucial for advancing defenses against increasingly sophisticated cyber threats.