Chinese hackers exploited a zero-day flaw in Sophos Firewall to target South Asian organizations and went on to breach the victims' cloud-hosted web servers.
Volexity reports that it detected a sophisticated attack against a customer that is heavily targeted by multiple Chinese advanced persistent threat (APT) groups. The attack leveraged a zero-day exploit to compromise the customer's firewall.
The cybersecurity company said in its report, "The attacker implemented an interesting webshell backdoor, created a secondary form of persistence, and ultimately launched attacks against the customer's staff. These attacks aimed to further breach cloud-hosted web servers hosting the organization's public-facing websites."
Sophos has since patched the vulnerability, but before a fix was available attackers used it to bypass authentication and execute arbitrary code remotely against several organizations.
Volexity detected anomalous activity emanating from a customer's Sophos Firewall through its Network Security Monitoring service. Analysis of that data led to the discovery of a backdoor on the firewall. The researchers say the attacker used its access to the firewall to conduct man-in-the-middle (MITM) attacks.
Sophos subsequently released an advisory for a remote code execution (RCE) vulnerability in its firewalls, reported by a third party and tracked as CVE-2022-1040 (CVSS score: 9.8). Volexity attributes the attacks to a Chinese APT group it tracks as "DriftingCloud".
Sophos published a patch for the flaw, noting that it had been abused to "target a small set of specific organizations primarily in the South Asia region" and that it had notified the affected entities directly.
In its analysis, Volexity observed that the attacker tried to blend its traffic with normal activity by accessing the installed webshell through requests to the legitimate file "login.jsp".
"This might appear to be a brute-force login attempt instead of an interaction with a backdoor. The only real elements that appeared out of the ordinary in the log files were the referrer values and the response status codes," says Volexity.
The researchers decoded some of the requests the attacker sent through this webshell and identified that the attacker was using the publicly available BEHINDER framework. Volexity believes the same framework was leveraged by one or more Chinese APT groups in the recent zero-day exploitation of Confluence Server systems tracked as CVE-2022-26134.
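The log-blending trick described above can be hunted for with a few lines of parsing. The following Python script is an added example written for this page, not code from Volexity or Sophos: it parses constructed access-log lines in Combined Log Format and flags POST requests to login.jsp whose referrer or response status differs from what a genuine login attempt produces. The hostname fw.example.org, the sample IP addresses, the log lines, and the expected referrer and status values are all assumptions; tune them to the device's real login flow.

```python
"""Flag webshell traffic hidden behind requests to a legitimate login page.

Added example, not Volexity's or Sophos' code. The log lines, hostname and
expected referrer/status values below are constructed assumptions.
"""
import re

# Combined Log Format:
# ip - user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The legitimate file fronting the webshell (assumption: mounted at the root).
TARGET_PATH = "/login.jsp"
# Assumption: a real POST to login.jsp answers 302 on success and re-renders
# the page (200) on a bad password. Anything else is not a login attempt.
EXPECTED_STATUS = {"200", "302"}
# Assumption: browsers submit the form from the login page itself, so a
# genuine POST carries that page as its referrer. Webshell clients usually
# send none or something else entirely.
EXPECTED_REFERERS = {"https://fw.example.org/login.jsp"}

# Constructed sample log: one normal login, two failed logins from a second
# host, and two webshell interactions from a third host.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2022:09:12:01 +0000] "GET /login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2022:09:12:09 +0000] "POST /login.jsp HTTP/1.1" 302 0 "https://fw.example.org/login.jsp" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2022:09:14:22 +0000] "POST /login.jsp HTTP/1.1" 200 5120 "https://fw.example.org/login.jsp" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2022:09:14:30 +0000] "POST /login.jsp HTTP/1.1" 200 5120 "https://fw.example.org/login.jsp" "Mozilla/5.0"
192.0.2.44 - - [10/Jun/2022:11:03:17 +0000] "POST /login.jsp HTTP/1.1" 200 418 "http://192.0.2.44/" "Mozilla/5.0"
192.0.2.44 - - [10/Jun/2022:11:03:19 +0000] "POST /login.jsp HTTP/1.1" 500 318 "https://fw.example.org/login.jsp" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if unparseable."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def anomalies(entry):
    """Return the reasons a POST to login.jsp looks like webshell traffic (empty if none)."""
    reasons = []
    if entry["method"] != "POST" or entry["path"].split("?")[0] != TARGET_PATH:
        return reasons  # only the login POST is of interest
    if entry["referer"] not in EXPECTED_REFERERS:
        reasons.append(f"unexpected referer {entry['referer']!r}")
    if entry["status"] not in EXPECTED_STATUS:
        reasons.append(f"unexpected status {entry['status']}")
    return reasons


def scan(lines):
    """Map source IP -> list of (timestamp, reasons) for suspicious login.jsp POSTs."""
    hits = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = anomalies(entry)
        if reasons:
            hits.setdefault(entry["ip"], []).append((entry["time"], reasons))
    return hits


if __name__ == "__main__":
    for ip, events in scan(SAMPLE_LOG.splitlines()).items():
        for when, why in events:
            print(f"{ip} {when}: {'; '.join(why)}")
```

The two failed logins from 198.51.100.7 are left alone: they look like password guessing, which is exactly the cover the attacker was counting on. The webshell requests from 192.0.2.44 stand out only because the client cannot reproduce the browser's referrer and the page's normal status codes, the same two fields Volexity singled out.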
Further Actions Performed by the Attacker
The cybersecurity firm identified several other actions performed by the threat actors, including:
- The attacker created VPN user accounts and associated certificate pairs on the firewall, giving them remote network access that would look legitimate.
- The attacker wrote and executed a file on disk at the following path:
- The "pre_install.sh" file runs a malicious command that downloads a binary, executes it, and then deletes it from disk.
Volexity also determined that the attacker accessed the CMS (content management system) admin pages of the victim organization's websites using valid session cookies they had hijacked. With those cookies, the attacker could reach the WordPress admin panel directly without ever submitting a username and password.
Sophos has provided patches that automatically address CVE-2022-1040, along with mitigations that help organizations running its firewalls protect against exploitation of the vulnerability. Volexity recommends deploying network security monitoring that detects and logs traffic from gateway devices, and enabling auditd on Unix-based servers to make investigating compromises easier.
Vendors of perimeter devices should also provide methods for examining potential compromises. Volexity recommends using a set of YARA rules that can flag suspicious activity from this type of attack.