A sophisticated Chinese advanced persistent threat (APT) actor exploited a critical security vulnerability in Sophos’ firewall product that came to public attention earlier this year to infiltrate an unnamed South Asian target as part of a highly targeted attack.
Volexity said in a report, “the attacker implement[ed] an interesting web shell backdoor, create[d] a secondary form of persistence, and ultimately launch[ed] attacks against the customer’s staff… These attacks aimed to further breach cloud-hosted web servers hosting the organization’s public-facing websites.”
The zero-day flaw is tracked as CVE-2022-1040 (CVSS score: 9.8), and concerns an authentication bypass vulnerability that can be weaponised to execute arbitrary code remotely. The flaw affects Sophos Firewall versions 18.5 MR3 (18.5.3) and earlier.
Volexity issued a patch for the flaw on 25th March 2022. They noted that the flaw was abused to “target a small set of specific organisations primarily in the South Asia region” and said they had notified the affected entities directly.
According to the cybersecurity firm, the first evidence of exploitation dates to 5th March 2022, when it detected anomalous network activity originating from an unnamed customer’s Sophos Firewall running the then up-to-date version. Nearly three weeks later, the vulnerability was publicly disclosed.
Volexity said, “the attacker was using access to the firewall to conduct man-in-the-middle (MitM) attacks… The attacker used data collected from these MitM attacks to compromise additional systems outside of the network where the firewall resided.”
The infection sequence after the firewall breach further entailed backdooring a legitimate component of the security software with the Behinder web shell, which could be remotely accessed from any URL.
The Behinder web shell was also leveraged earlier this month by Chinese APT groups in a separate set of intrusions exploiting a zero-day flaw in Atlassian Confluence Server systems (CVE-2022-26134).
The attacker is said to have created VPN user accounts to facilitate remote access. They then modified DNS responses for specifically targeted websites, primarily the victim’s content management system (CMS), with the goal of intercepting session cookies and user credentials.
Access to the session cookies enabled the attacker to take control of the WordPress site and install a second web shell named IceScorpion, which was then used to deploy three open-source implants on the web server: PupyRAT, Pantegana, and Sliver.
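The DNS-response tampering described above (the firewall answering queries for the victim’s own CMS and admin hostnames with attacker-chosen addresses) is something a defender can check for by comparing two views of the same names. The following is an added example, not code from Volexity, Sophos or the report: it assumes you have collected answers from a resolver behind the firewall (“inside”) and directly from the zone’s authoritative nameserver (“authoritative”); all hostnames and addresses are constructed sample data.

```python
"""Flag DNS answers for a site's CMS/admin hostnames that look poisoned.

Added example, not Volexity's or Sophos' code. A hostname is flagged when
the inside answer points at an internal (RFC 1918 or loopback) address,
or when it simply differs from the authoritative answer. Hostnames and
addresses are constructed; RFC 5737 documentation ranges stand in for
public address space.
"""
import ipaddress
from collections import defaultdict

# Explicit list instead of ip.is_private, which would also flag the
# RFC 5737 documentation ranges used here as stand-ins for public space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample: (hostname, view, answer), e.g. from two dig runs.
OBSERVATIONS = [
    ("cms.example.org",   "inside",        "192.0.2.10"),
    ("cms.example.org",   "authoritative", "192.0.2.10"),
    ("admin.example.org", "inside",        "10.0.0.5"),       # redirected inward
    ("admin.example.org", "authoritative", "198.51.100.7"),
    ("www.example.org",   "inside",        "198.51.100.20"),  # silently swapped
    ("www.example.org",   "authoritative", "198.51.100.7"),
]


def is_internal(address):
    """True if the address falls in an RFC 1918 or loopback range."""
    ip = ipaddress.ip_address(str(address))
    return any(ip in net for net in INTERNAL_NETS)


def find_tampered(observations):
    """Return {hostname: reason} for hostnames whose inside view looks poisoned."""
    views = defaultdict(lambda: defaultdict(set))
    for host, view, answer in observations:
        views[host][view].add(ipaddress.ip_address(answer))
    findings = {}
    for host, by_view in views.items():
        inside = by_view.get("inside", set())
        auth = by_view.get("authoritative", set())
        if any(is_internal(ip) for ip in inside):
            findings[host] = "inside answer is an internal/loopback address"
        elif inside and auth and inside != auth:
            findings[host] = (f"inside {sorted(map(str, inside))} != "
                              f"authoritative {sorted(map(str, auth))}")
    return findings


if __name__ == "__main__":
    for host, reason in find_tampered(OBSERVATIONS).items():
        print(f"{host}: {reason}")
```

Querying the authoritative nameserver rather than a public recursive resolver avoids false positives from geo-DNS or CDN-dependent answers; a hostname flagged here warrants checking the firewall’s DNS configuration and the TLS certificate the site presents from inside the network.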
“DriftingCloud is an effective, well-equipped, and persistent threat actor targeting Five Poisons-related targets. They are able to develop or purchase zero-day exploits to achieve their goals, tipping the scales in their favour when it comes to gaining entry to target networks.”