Title: New Malware ‘SockDetour’ Exposed as a Menace to U.S. Defense Contractors
Recent research unveiled a sophisticated and previously unreported malware known as SockDetour, which has been targeting defense contractors in the United States. This stealthy backdoor is engineered to act as a secondary implant on compromised Windows systems, raising alarm bells within cybersecurity circles.
According to a report from Palo Alto Networks’ Unit 42, SockDetour runs on compromised Windows servers and is built to evade detection by leaving no file on disk and creating no network socket of its own. Because nothing new appears on the file system or in the list of listening ports, it can stay hidden and serve as a backup access point if the primary backdoor is found and removed. Its longevity is the alarming part: based on the sample’s compilation date, Unit 42 believes it has been used in attacks since at least July 2019, which means it evaded security measures for over two years.
The attacks have been linked to a Chinese hacking group Unit 42 tracks as TiltedTemple (also referred to as DEV-0322 by Microsoft). The group gained notoriety in 2021 for exploiting zero-day vulnerabilities in Zoho’s ManageEngine products. Researchers tie SockDetour to the group through infrastructure overlaps, in particular the command-and-control servers used to distribute malware in both campaigns.
Unit 42 reported evidence of at least four defense contractors being targeted with this new threat, one of which was successfully compromised. Notably, these intrusions occurred about a month before the widely publicized attacks on Zoho ManageEngine servers in August 2021: analysis showed SockDetour being delivered from an external FTP server to a U.S.-based contractor’s internet-facing server on July 27, 2021.
Further investigation disclosed that the FTP server hosting SockDetour was a compromised small-office network-attached storage (NAS) device made by QNAP (Quality Network Appliance Provider). The device was exposed to a known remote code execution flaw and had already been hit by ransomware, which suggests the attackers took it over through the same weaknesses and then reused it as a staging host for their own payload.
Once loaded, SockDetour acts as a covert backdoor by hijacking the network sockets of a legitimate process that is already listening: it hooks that process’s socket-accept routine, picks off the connections that come from its operators and turns them into an encrypted command-and-control channel, while handing every other connection back to the real service. This technique removes the need to open a listening port of its own or to make outbound connections, so no new port, process or file appears, which makes it particularly elusive from both host-based and network detection perspectives.
Mapped to the MITRE ATT&CK framework, the compromised QNAP NAS used to stage the payload falls under Resource Development (compromise of third-party infrastructure), while the implant itself is mainly a matter of Defense Evasion (in-memory loading and hooking of an existing process), Persistence (a backup foothold that survives the loss of the primary backdoor) and Command and Control (an encrypted channel carried over a legitimate service’s existing port). How the attackers first reached the contractor’s internet-facing server is not established in the report.
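To make the socket-hijacking idea concrete, the following Python script is an added illustration written for this article; it is not code from Unit 42 or from the malware itself. It models the technique on the loopback interface: a stand-in service already owns a listening socket, a process-wide hook replaces the accept routine, and each new connection is inspected. Connections that open with a marker are answered by the hidden channel and never reach the service; everything else is passed through untouched. The marker (`C2_MARKER`), the plaintext exchange (the real implant’s channel is encrypted) and the `accept_is_hooked` integrity check are assumptions made for the demonstration, not details taken from the report.

```python
import socket
import threading

# Constructed, hypothetical marker: the bytes an operator would send first so the
# hook can tell its own sessions from ordinary clients. The real implant's check
# is not described on the page; this value is an assumption for the demo.
C2_MARKER = b"HYPOTHETICAL-MARKER\n"

# Reference to the unhooked accept, captured before any hook is installed.
# A defender's integrity check compares the live routine against this.
ORIGINAL_ACCEPT = socket.socket.accept


def accept_is_hooked():
    """Model of an integrity check: has this process's accept been replaced?"""
    return socket.socket.accept is not ORIGINAL_ACCEPT


class LegitService:
    """Stand-in for an existing service that already owns a listening socket."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))      # ephemeral port, loopback only
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.seen = []                        # payloads the real handler processed

    def serve_once(self):
        conn, _ = self.sock.accept()          # the call the detour intercepts
        with conn:
            data = conn.recv(1024)
            self.seen.append(data)
            conn.sendall(b"LEGIT:" + data)


class AcceptDetour:
    """Process-wide hook on accept(), standing in for an inline hook on Winsock."""

    def __init__(self):
        self.c2_commands = []                 # what the hidden channel received

    def install(self):
        detour = self

        def hooked_accept(listener):
            while True:
                conn, addr = ORIGINAL_ACCEPT(listener)
                if detour.claims(conn):
                    detour.handle_c2(conn)
                    continue                  # service never learns this connection existed
                return conn, addr             # ordinary client: hand it to the real service

        socket.socket.accept = hooked_accept

    def uninstall(self):
        socket.socket.accept = ORIGINAL_ACCEPT

    def claims(self, conn):
        # Peek without consuming, so a legitimate client's data stays intact.
        # Short timeout so a server-speaks-first protocol is not stalled by the hook.
        conn.settimeout(0.5)
        try:
            head = conn.recv(len(C2_MARKER), socket.MSG_PEEK)
        except socket.timeout:
            head = b""
        finally:
            conn.settimeout(None)
        return head == C2_MARKER

    def handle_c2(self, conn):
        with conn:
            conn.recv(len(C2_MARKER))         # consume the marker
            cmd = conn.recv(1024)
            self.c2_commands.append(cmd)
            conn.sendall(b"C2:" + cmd)        # tasking answered on the service's own port


def talk(port, payload):
    """Client helper: one request/response over the service's port."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(payload)
        return c.recv(1024)


def run_demo():
    service = LegitService()
    detour = AcceptDetour()
    detour.install()
    try:
        worker = threading.Thread(target=service.serve_once)
        worker.start()
        # Operator goes first: same port, same process, no new listener.
        c2_reply = talk(service.port, C2_MARKER + b"whoami")
        # Ordinary client is passed through to the real handler.
        legit_reply = talk(service.port, b"hello")
        worker.join(timeout=5)
        hooked_during = accept_is_hooked()
    finally:
        detour.uninstall()
        service.sock.close()
    return {
        "c2_reply": c2_reply,
        "legit_reply": legit_reply,
        "service_saw": service.seen,
        "detour_saw": detour.c2_commands,
        "hooked_during": hooked_during,
        "hooked_after": accept_is_hooked(),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The point of the model is what it leaves unchanged: the service keeps its one listening port, the operator’s traffic arrives on that same port, and the service’s own handler never sees the hidden session. The only artefact is the replaced routine, which is why a defender looking for this class of implant compares the in-memory code of functions such as accept against the on-disk module rather than looking for new listeners or beacons.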
As cyber threats continue to evolve, the emergence of SockDetour underscores the critical need for businesses, particularly in sensitive sectors like defense, to enhance their cybersecurity measures. Vigilance against such stealthy attacks and a robust response strategy will be paramount in mitigating the risks posed by advanced persistent threats like those from TiltedTemple.
For further updates on cybersecurity developments, business owners are encouraged to follow reputable news sources and engage with platforms that specialize in cyber risk management and mitigation strategies.