Where data is home

Sophos Zero-Day Flaw: Chinese Hackers Exploit Backdoor


The recent exploitation of a zero-day flaw in Sophos, a prominent cybersecurity company, by Chinese hackers has raised concerns regarding the security of South Asian businesses. The attack, which was detected by Volexity, targeted cloud-hosted web servers and compromised the customer’s firewall, allowing the hackers to establish a backdoor into the systems. The responsible party has been identified as the Chinese APT group DriftingCloud, known for its sophisticated cyber operations. The attackers employed various techniques, including disguising traffic and utilizing the BEHINDER framework associated with Chinese APT groups. Their actions involved creating VPN user accounts, executing malicious files, and gaining unauthorized access to content management systems and WordPress admin panels. Sophos responded swiftly by releasing a patch for the vulnerability (CVE-2022-1040) and providing mitigations to prevent further exploitation. They emphasized the importance of network security monitoring and advised organizations to implement the necessary security measures and staff training programs. The incident underscores the need for South Asian organizations to enhance their cybersecurity measures in order to protect their systems and data from similar attacks.

Key Takeaways

  • Chinese hackers targeted South Asian companies and breached their cloud-hosted web servers.
  • The attack was attributed to the Chinese APT group DriftingCloud, which exploited a zero-day vulnerability (CVE-2022-1040) in Sophos.
  • The attacker used various techniques such as disguising traffic, brute-force login attempts, and the BEHINDER framework linked to Chinese APT groups.
  • Sophos released patches for the vulnerability and recommended deploying network security monitoring mechanisms, implementing security measures for firewalls, and regularly monitoring and auditing network activity.

Sophos Zero-day Flaw: Chinese Hackers Exploit Backdoor

Chinese hackers exploited a zero-day flaw in Sophos, allowing them to implement a backdoor and compromise the customer’s firewall, as detected by Volexity during a sophisticated attack targeting South Asian companies. This incident highlights the impact on cybersecurity measures and underscores the importance of network monitoring. The attack demonstrated the need for enhanced security measures, as the hackers were able to bypass authentication and execute arbitrary code remotely. The breach of cloud-hosted web servers and potential compromise of public-facing websites further emphasized the vulnerability of organizations to cyber attacks. Sophos promptly released a patch to resolve the vulnerability and notified affected entities directly. To prevent similar incidents, organizations are advised to deploy patches and updates, implement security measures for firewalls, regularly monitor and audit network activity, provide training and awareness programs for staff, and collaborate with cybersecurity experts.

Attack by Chinese APT group

The APT group responsible for the attack leveraged a zero-day vulnerability and conducted various malicious activities. The detection methods employed by security firm Volexity helped identify the anomalous activity and the presence of a backdoor on the compromised firewall. The attack was attributed to the Chinese APT group known as DriftingCloud. This group has previously been associated with sophisticated cyber-espionage campaigns targeting various organizations. The attackers utilized the BEHINDER framework, which has been linked to Chinese APT groups in the past. The attack flow involved disguising traffic using legitimate file requests and brute-force login attempts. Exploitation of the Confluence Server vulnerability (CVE-2022-26134) was another technique employed by the attackers. Overall, the APT group exhibited advanced tactics and techniques, highlighting the importance of robust detection mechanisms and attribution efforts in combating such cyber threats.

Attack flow and techniques

Utilizing various techniques and tools, the attackers employed disguised traffic, brute-force login attempts, and the exploitation of known vulnerabilities to carry out their sophisticated cyber-espionage campaign. The attackers disguised their traffic by using legitimate file requests, making it difficult to detect their malicious activities. Additionally, they carried out brute-force login attempts in order to gain unauthorized access to the target systems. Furthermore, the attackers specifically targeted Confluence Server systems, exploiting the vulnerability (CVE-2022-26134) to gain unauthorized access. This vulnerability allowed the attackers to bypass authentication and execute arbitrary code remotely. By leveraging these techniques and vulnerabilities, the attackers were able to infiltrate and compromise their target systems, facilitating their ability to conduct further malicious activities.

Actions performed by the attacker

To facilitate remote network access, the attacker executed a series of actions, including the creation of VPN user accounts on the compromised firewall, the execution of a malicious file on the compromised system’s disk, access to CMS admin pages using hijacked session cookies, and direct access to the WordPress admin panel without credentials. These actions allowed the attacker to establish persistent access and carry out further malicious activities.

The following list summarizes the actions performed by the attacker:

Actions Performed by the Attacker
1. Creation of VPN user accounts on the compromised firewall
2. Execution of a malicious file on the compromised system’s disk
3. Access to CMS admin pages using hijacked session cookies
4. Direct access to the WordPress admin panel without credentials
5. Multiple further actions to facilitate remote network access

These actions highlight the sophisticated nature of the attack and the attacker’s efforts to maintain control over the compromised systems. By creating VPN accounts and executing malicious files, the attacker gained unauthorized access and could manipulate the compromised systems for their malicious purposes. It is crucial for organizations to implement robust security measures and regularly monitor and audit network activity to detect and prevent such attacks.

Patch and mitigations by Sophos

Patch and mitigation measures were implemented by Sophos in response to the identified vulnerability, aiming to address and protect against potential exploitation. Sophos, the software security company, released patches for the zero-day flaw (CVE-2022-1040) and provided mitigations to protect against exploitation of the vulnerability. To enhance network security, Sophos recommended the deployment of network security monitoring mechanisms and the implementation of the auditd tool on Unix-based servers. Furthermore, vendors of perimeter devices were advised to offer methods for examining compromises. These measures aimed to detect and log traffic from gateway devices, identify potential compromises through the use of YARA rules, and enhance overall network protection. The importance of network security monitoring was emphasized so that organizations can detect and investigate compromises. Overall, the implementation of these patch and mitigation strategies by Sophos played a crucial role in addressing the zero-day flaw and mitigating its impact on affected organizations’ cybersecurity measures.
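The brute-force login attempts and credential-less admin panel access described in the attack flow are the kind of activity the network security monitoring recommended above is meant to surface. The following is an added example, not code from the article, from Sophos or from Volexity: a small detector that runs over constructed web-server access-log lines (the IPs, timestamps, paths and thresholds are assumptions for illustration, not indicators from the incident) and flags a source that fails many logins in a short window, a login success from a source already flagged, and an admin panel page served to a source that never completed a login in the observed window.

```python
"""Detection heuristics over constructed access-log lines (added example).

Assumptions (not from the article): logs are in a Combined-Log-like format,
a POST to a login path that returns 302 is a completed login while any other
status is a failed attempt (WordPress re-renders wp-login.php with 200 on
failure), and admin panels live under /wp-admin/ or /admin/.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = {"/wp-login.php", "/login"}      # assumed login endpoints
ADMIN_PREFIXES = ("/wp-admin/", "/admin/")     # assumed admin panel paths

# Constructed sample data; the addresses are documentation ranges, not IoCs.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Jun/2022:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3921',
    '203.0.113.7 - - [18/Jun/2022:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3921',
    '203.0.113.7 - - [18/Jun/2022:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3921',
    '192.0.2.5 - - [18/Jun/2022:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '192.0.2.5 - - [18/Jun/2022:10:00:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 15233',
    '203.0.113.7 - - [18/Jun/2022:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3921',
    '203.0.113.7 - - [18/Jun/2022:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3921',
    '203.0.113.7 - - [18/Jun/2022:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3921',
    '203.0.113.7 - - [18/Jun/2022:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [18/Jun/2022:10:00:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 15233',
    '198.51.100.9 - - [18/Jun/2022:10:00:11 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 15233',
    'this line is deliberately malformed and must be skipped',
]


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def analyse(lines, threshold=5, window_seconds=60):
    """Return a list of (kind, ip, detail) alerts, in the order they fire."""
    alerts = []
    failures = defaultdict(deque)   # ip -> timestamps of recent failed logins
    flagged = set()                 # ips already reported for brute force
    authenticated = set()           # ips that completed a login in this window
    reported_admin = set()          # dedupe admin-without-login alerts per ip
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        ip, ts, path, status = ev["ip"], ev["ts"], ev["path"], ev["status"]
        if ev["method"] == "POST" and path in LOGIN_PATHS:
            if status == 302:
                authenticated.add(ip)
                if ip in flagged:
                    alerts.append(("success_after_bruteforce", ip, path))
            else:
                q = failures[ip]
                q.append(ts)
                # Drop failures that fell out of the sliding window.
                while q and (ts - q[0]).total_seconds() > window_seconds:
                    q.popleft()
                if len(q) >= threshold and ip not in flagged:
                    flagged.add(ip)
                    alerts.append(("bruteforce", ip,
                                   f"{len(q)} failed logins in {window_seconds}s"))
        elif (ev["method"] == "GET" and status == 200
              and path.startswith(ADMIN_PREFIXES)
              and ip not in authenticated and ip not in reported_admin):
            reported_admin.add(ip)
            alerts.append(("admin_without_login", ip, path))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in analyse(SAMPLE_LOG):
        print(f"{kind:26} {ip:15} {detail}")
```

The third heuristic is deliberately noisy on its own: a legitimate administrator whose session cookie predates the log window also appears as "admin without login", which is exactly why session-cookie hijacking is hard to spot from access logs alone. In practice the check is useful as a triage signal correlated with the other two (a login burst followed by a success, then admin activity from that source) and with host-side auditing such as the auditd records Sophos recommends.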

Frequently Asked Questions

How did the Chinese hackers gain access to the South Asian companies’ systems?

The Chinese hackers gained access to the South Asian companies’ systems through various methods and techniques. These included exploiting a zero-day flaw in Sophos software, conducting man-in-the-middle attacks, and using the BEHINDER framework to exploit vulnerabilities in Confluence Server systems.

What other activities were detected by Volexity during the attack besides the backdoor on the firewall?

Volexity detected additional activities during the attack, including the exploitation of Confluence Server systems (CVE-2022-26134) and the use of the BEHINDER framework. Sophos recommends implementing mitigations and network security monitoring mechanisms to protect against exploitation of the vulnerability.

How did the attacker disguise their traffic using legitimate file requests?

The attacker disguised their traffic using legitimate file requests by making their malicious activities appear as normal file downloads or uploads. This method allows them to blend in with legitimate network traffic and avoid detection.

What specific actions did the attacker take to facilitate remote network access?

The attacker took several actions to facilitate remote network access. These actions included creating VPN user accounts, executing a malicious file, accessing CMS admin pages using hijacked session cookies, and gaining direct access to the WordPress admin panel without credentials. These techniques allowed the attacker to gain control over the network remotely.

Besides deploying network security monitoring mechanisms, what other mitigations does Sophos recommend to protect against exploitation of the vulnerability?

In addition to deploying network security monitoring mechanisms, Sophos recommends securing endpoints and implementing effective patch management to protect against exploitation of the vulnerability. These measures help ensure the integrity and security of the system.
