An advanced Chinese APT (Advanced Persistent Threat) actor exploited a critical vulnerability in Sophos’ firewall product that came to light earlier this year to infiltrate an undisclosed South Asian target as part of a highly targeted attack .
“The attacker deploys”[ed] an interesting webshell backdoor, make[d] a secondary form of persistence, and finally launch[ed] attacks on customer staff,” Volexity said in a report. “These attacks were aimed at further breaching cloud-hosted web servers that host the organization’s public websites.”
The zero-day flaw in question is tracked as CVE-2022-1040 (CVSS score: 9.8), and concerns an authentication bypass vulnerability that can be used to remotely execute arbitrary code. It affects Sophos Firewall versions 18.5 MR3 (18.5.3) and earlier.
The cybersecurity firm, which released a patch for the flaw on March 25, 2022, noted that it was being misused to “target a small number of specific organizations, mainly in the South Asian region” and that it was targeting affected entities directly. had informed.
According to Volexity, early evidence of abuse of the flaw began on March 5, 2022, when it discovered abnormal network activity coming from an unnamed customer’s Sophos Firewall with the then-up-to-date version, nearly three weeks before the public release. disclosure of the vulnerability.
“The attacker used the firewall access to perform man-in-the-middle (MitM) attacks,” the researchers said. “The attacker used data collected from these MitM attacks to penetrate additional systems outside the network where the firewall was located.”
The infection sequence after the firewall breach further implied that a legitimate piece of security software was backed up with the on the back web shell that can be accessed remotely from any URL of the threat actor’s choice.
Notably, the Behinder web shell was also used by Chinese APT groups earlier this month in a separate series of intrusions that exploit a zero-day flaw in Atlassian Confluence Server systems (CVE-2022-26134).
In addition, the attacker allegedly created VPN user accounts to facilitate remote access before modifying DNS responses for specially targeted websites – primarily the victim’s content management system (CMS) – with the aim of intercepting user credentials and session cookies.
The access to session cookies then allowed the malicious party to take control of the WordPress site and create a second web shell called . could install IceScorpionwhere the attacker uses it to deploy three open-source implants on the web server, including: puppyRAT† panteganaand splinter†
“DriftingCloud is an effective, well-featured and persistent threat actor targeting five poisonsrelated goals. They are able to develop or buy zero-day exploits to achieve their goals, tipping the scales in their favor when it comes to accessing target networks.”