Cyber Security News

Sophos Zero-day Flaw Exploited by Chinese Hackers to Implement Backdoor

The Chinese hackers exploited Sophos firewall’s zero-day flaw to target South Asian companies and breached cloud-hosted web servers.

Volexity earlier observed a sophisticated attack against a customer that is heavily targeted by multiple Chinese advanced persistent threat (APT) groups. The attack leveraged a zero-day exploit to compromise the customer’s firewall.

The cybersecurity company Volexity said in a report, “The attacker implemented an interesting webshell backdoor, created a secondary form of persistence, and ultimately launched attacks against the customer’s staff. These attacks aimed to further breach cloud-hosted web servers hosting the organization’s public-facing websites.”

Sophos has since resolved this vulnerability, but attackers had managed to exploit it to bypass authentication and run arbitrary code remotely against various organizations.

DriftingCloud

Volexity detected anomalous activity emanating from a customer’s Sophos Firewall through its Network Security Monitoring service. Analysis of the data led to the discovery of a backdoor on the firewall. The researchers say the attacker was using its access to the firewall to conduct man-in-the-middle (MITM) attacks.

Sophos later released an advisory describing a remote code execution (RCE) vulnerability in its firewalls (reported by a third party), tracked as CVE-2022-1040 with a CVSS score of 9.8. Volexity attributes these attacks to a Chinese APT group it tracks as “DriftingCloud”.

When publishing the patch for the flaw, Sophos noted that it had been abused to “target a small set of specific organizations primarily in the South Asia region” and that it had notified the affected entities directly.

Attack Flow

In their analysis, the researchers observed that the attacker tried to blend in its traffic by accessing the installed webshell through requests to the legitimate file “login.jsp”.

“This might appear to be a brute-force login attempt instead of an interaction with a backdoor. The only real elements that appeared out of the ordinary in the log files were the referrer values and the response status codes,” says Volexity.

The researchers decoded some of the requests the attacker made through this webshell and identified that the attacker was using the publicly available BEHINDER framework. Volexity believes this is the same framework leveraged by one or more Chinese APT groups in the recent zero-day exploitation of Confluence Server systems (CVE-2022-26134).
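As an added example (not code from Volexity’s report or from Sophos), the check below applies the observation above to constructed access-log lines: it parses combined-format entries, keeps only requests to login.jsp, and flags those whose referrer host or response status breaks an assumed per-appliance baseline. The hostnames, addresses, log lines and baseline values are all constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample access-log lines (combined log format), not real data from the report:
# 10.0.0.5 is a legitimate admin; 203.0.113.7 hits login.jsp with odd referrers and statuses.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2022:09:01:12 +0000] "GET /login.jsp HTTP/1.1" 200 1532 "https://fw.example.internal/" "Mozilla/5.0"
10.0.0.5 - - [10/Jun/2022:09:01:20 +0000] "POST /login.jsp HTTP/1.1" 302 0 "https://fw.example.internal/login.jsp" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2022:09:15:03 +0000] "POST /login.jsp HTTP/1.1" 200 4096 "http://203.0.113.7/" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2022:09:15:04 +0000] "POST /login.jsp HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2022:09:15:09 +0000] "POST /login.jsp HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed baseline for one appliance: its login page is only reached from its own hostname,
# and a form POST either redirects (302) or re-renders the login page (200).
EXPECTED_REFERRER_HOSTS = {"fw.example.internal"}
EXPECTED_POST_STATUS = {200, 302}


def referrer_host(referrer):
    """Hostname from a Referer header value; '' for '-' or unparsable values."""
    return urlparse(referrer).hostname or ""


def find_anomalies(log_text, expected_hosts=EXPECTED_REFERRER_HOSTS,
                   expected_post_status=EXPECTED_POST_STATUS):
    """Return (ip, reason, line) for each login.jsp request that breaks the baseline."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith("/login.jsp"):
            continue
        ip, method, status, ref = m["ip"], m["method"], int(m["status"]), m["referrer"]
        if ref == "-":
            # A browser form submission carries a referrer; a tool posting to a webshell often does not.
            if method == "POST":
                findings.append((ip, "POST with no referrer", line))
        elif referrer_host(ref) not in expected_hosts:
            findings.append((ip, f"unexpected referrer host {referrer_host(ref)}", line))
        if method == "POST" and status not in expected_post_status:
            findings.append((ip, f"unexpected status {status}", line))
    return findings


def suspicious_clients(findings, threshold=2):
    """Client IPs with at least `threshold` anomalous login.jsp requests."""
    counts = Counter(ip for ip, _, _ in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Run against real logs, the baseline sets must be derived from the appliance’s own normal traffic first; a single anomalous request is noise, a cluster from one client is what this report describes.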

Further Actions Performed by the Attacker

The cybersecurity firm identified several other actions performed by the threat actors, including:

  • The attacker created VPN user accounts and associated certificate pairs on the firewall to facilitate legitimate remote network access.
  • The attacker wrote and executed a file on disk at the following path:

/conf/certificate/pre_install.sh

  • The “pre_install.sh” file runs a malicious command to download a binary, execute it, and then delete it from the disk.

Volexity also determined that the attacker was able to access the content management system (CMS) admin pages of the victim organization’s websites using valid session cookies it had hijacked. With these session cookies, the researchers say, the attacker could directly access the WordPress admin panel without submitting a username and password.

Patch Available

Sophos has provided patches that automatically address CVE-2022-1040, as well as mitigations that help organizations using its firewall protect against exploitation of the vulnerability. Volexity recommends deploying network security monitoring mechanisms that detect and log traffic from gateway devices, and implementing the auditd tool on Unix-based servers to make investigating compromises easier.

Vendors of perimeter devices should also provide methods for examining potential compromises. Volexity recommends using a set of YARA rules that could flag suspicious activity from this type of attack.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
