[MART] - Daily Diary #533 - Chinese APT Exploits Sophos Firewall Zero-Day

CTAS-MAT ctas-mat at appgate.com
Fri Jun 17 22:09:32 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

06/17/2022 - Diary entry #533:

An APT group named DriftingCloud was responsible for exploiting a Zero-Day vulnerability in the Sophos Firewall disclosed back in March this year. Tracked as CVE-2022-1040, it’s an authentication bypass vulnerability discovered in the User Portal and Webadmin of Sophos Firewall allowing remote code execution (RCE).

After breaching the firewall, the attackers installed web shell backdoors and malware to compromise additional systems outside the firewall-protected network. To achieve that, they used a man-in-the-middle technique to modify DNS responses and intercept information such as session cookies from administrative access. Additionally, the attackers created VPN user accounts for legitimate-looking remote access and time-stomped the web shell to avoid raising suspicion.

After gaining access to the other systems, the attackers deployed three different malware families, PupyRAT, Pantegana, and Sliver, to establish remote access. They also used the same framework (the Behinder framework) that was observed during attacks exploiting CVE-2022-26134 in Confluence servers (covered recently in our Daily Diary #528).

These recent vulnerabilities, exploited by Advanced Persistent Threat groups using stealthy techniques, show that their operations are very sophisticated. Zero-day vulnerabilities are strong evidence that organizations must be prepared and have the means to hinder and detect such attacks. Companies using the mentioned software - and any other popular software solution - must constantly monitor for updates and apply the latest security patches as soon as they are released.

Kind Regards,



Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com
