Volexity announced that multiple Chinese advanced persistent threat (APT) groups are targeting an organization by leveraging a zero-day exploit to compromise its firewall. According to Volexity’s report, the attackers implemented an unusual webshell backdoor, created a secondary form of persistence, and launched further attacks. With these attacks, the hackers aimed to breach the web servers hosting the organization’s website.
Breaching servers
Volexity stated that the method the hackers are using is rare and hard to detect. The hackers are exploiting a flaw tracked as CVE-2022-1040, which has a CVSS score of 9.8. The authentication bypass vulnerability allows attackers to execute arbitrary code remotely and affects Sophos Firewall version 18.5.3 and earlier. A patch for the flaw was issued on the 25th of March.
Volexity detected anomalous activity from a customer’s Sophos Firewall through its Network Security Monitoring on March 8. The forensic investigation led to the discovery of a backdoor on the firewall, along with evidence of exploitation dating back to March 5. The hacker groups were using their access to the firewall to conduct man-in-the-middle attacks; with the data collected this way, they were able to compromise additional systems outside the network where the firewall resided. Sophos has published advice on mitigating this vulnerability in its advisory. Specifically, the advisory states the following:
« Sophos has observed this vulnerability being used to target a small set of specific organizations primarily in the South Asia region. We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate. There is no action required for Sophos Firewall customers with the “Allow automatic installation of hotfixes” feature enabled. Enabled is the default setting. »
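The two facts a defender needs from the report above are the affected range (Sophos Firewall 18.5.3 and earlier) and the note that firewalls with automatic hotfix installation enabled need no manual action. The following triage helper is an added example, not code from Volexity, Sophos or the article: it parses firewall version strings, decides whether a device falls in the affected range, and combines that with the hotfix setting to produce an action label. The "MR" spelling of maintenance releases (e.g. "18.5 MR3" for 18.5.3), the status labels, and the sample inventory are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Highest affected release named in the article: Sophos Firewall 18.5.3
# (and everything earlier). Anything newer is treated as not affected here.
LAST_AFFECTED: Tuple[int, int, int] = (18, 5, 3)

# Accepts "18.5.3", "18.5", "v18.5 MR3", "18.0 MR-4". Treating "MRn" as the
# third version component is an assumption about field notation; the article
# itself only uses the dotted form.
_VERSION_RE = re.compile(
    r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:\s*MR-?(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, maintenance) or None when the string is unparseable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, mr = m.groups()
    # "18.5.3 MR4" would name two different maintenance levels; refuse it.
    if patch is not None and mr is not None and int(patch) != int(mr):
        return None
    if patch is not None:
        level = int(patch)
    elif mr is not None:
        level = int(mr)
    else:
        level = 0  # "18.5" is the base release, i.e. 18.5.0
    return (int(major), int(minor), level)


def is_affected(version: str) -> Optional[bool]:
    """True if version <= 18.5.3, False if newer, None if it cannot be parsed."""
    v = parse_version(version)
    if v is None:
        return None
    return v <= LAST_AFFECTED


def triage(version: str, auto_hotfix_enabled: bool) -> str:
    """Map one firewall to an action label (labels are this example's own)."""
    affected = is_affected(version)
    if affected is None:
        return "unparseable"
    if not affected:
        return "not-affected"
    # Affected range: the advisory says no action is required when automatic
    # hotfix installation is on, so confirm the hotfix landed; otherwise patch.
    if auto_hotfix_enabled:
        return "verify-hotfix"
    return "patch-now"


def triage_fleet(inventory: List[Tuple[str, str, bool]]) -> Dict[str, List[str]]:
    """Group hostnames by action label for a list of (host, version, auto_hotfix)."""
    groups: Dict[str, List[str]] = {}
    for host, version, auto_hotfix in inventory:
        groups.setdefault(triage(version, auto_hotfix), []).append(host)
    return groups


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY: List[Tuple[str, str, bool]] = [
    ("fw-branch-01", "18.5 MR3", False),
    ("fw-branch-02", "18.5.3", True),
    ("fw-dc-01", "19.0.0", True),
    ("fw-lab-01", "17.5 MR1", False),
    ("fw-unknown", "n/a", False),
]

if __name__ == "__main__":
    for label, hosts in sorted(triage_fleet(SAMPLE_INVENTORY).items()):
        print(f"{label:14s} {', '.join(hosts)}")
```

Hosts labelled "patch-now" are the ones to handle first; "verify-hotfix" devices should have received the fix automatically, but the hotfix status is still worth confirming on the device itself rather than assumed from the setting.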