Chinese threat actors used a zero-day exploit for a critical vulnerability in Sophos Firewall to breach a company and reach the victim's cloud-hosted web servers. Although the flaw has since been patched, many threat actors continue to exploit it to bypass authentication and execute arbitrary code remotely against businesses.
The authentication bypass vulnerability affects the User Portal and Webadmin components of Sophos Firewall and was assigned CVE-2022-1040 on March 25.
Researchers from Volexity revealed that Chinese threat actors used the Sophos Firewall zero-day (CVE-2022-1040) to compromise a company and its cloud-hosted web servers. The threat actor was still active when Volexity began its investigation, and the researchers were able to track the attacker's movements, revealing a capable adversary that took deliberate steps to avoid detection.
According to the researchers, "the attacker was using access to the firewall to conduct man-in-the-middle (MitM) assaults. Data obtained from these MitM assaults was used by the attacker to target further systems outside of the network where the firewall was located."
After the firewall was breached, the infection chain continued with the backdooring of a legitimate component of the security software using the Behinder web shell, which the threat actor could reach remotely from any URL of their choosing.
Securing web server access
Beyond the web shell, Volexity found further malicious activity that gave the threat actor persistence and allowed the attack to continue:
- The first stage of the attack is gaining access to the Sophos Firewall, which enables a man-in-the-middle (MitM) attack by altering DNS responses for specific websites belonging to the victim companies.
- Using stolen session cookies, the attacker gains access to the CMS admin page and then installs a File Manager plugin to manipulate files on the website.
To make intrusions easier to investigate, Volexity advises deploying the auditd framework on Unix-based servers. Vendor appliances should also ship with tooling for examining potential compromises. Volexity has also published a set of YARA rules that can be used to detect activity associated with this kind of threat.
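The auditd recommendation above is only useful if someone turns the audit log into findings. The following is an added example, not code from the article or from Volexity: it parses standard Linux auditd records, groups them by event serial, and flags writes under the web root that a watch rule tagged with a key. It assumes a rule such as `auditctl -w /var/www -p wa -k webroot-change` has been installed (the key name and the `www-data` uid of 33 are assumptions, not values from the article), and the audit log lines are constructed for the example. The severity logic reflects the attack chain described above: the web server's own process writing PHP files into the CMS plugin directory is exactly what abuse of a file-manager plugin looks like, whereas an interactive administrator changing a static file is low priority.

```python
"""Flag web-root file changes in Linux auditd logs (added example, not the article's code)."""
import re

# Assumed audit rule that produces these records (not from the article):
#   auditctl -w /var/www -p wa -k webroot-change
WATCH_KEY = "webroot-change"
WEB_SERVER_UIDS = {"33"}  # www-data on Debian/Ubuntu; adjust for the host

# Constructed sample of /var/log/audit/audit.log content for the example.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1648200000.101:4401): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55d0c0 a2=241 a3=1b6 items=2 ppid=1200 pid=1311 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="php-fpm7.4" exe="/usr/sbin/php-fpm7.4" key="webroot-change"
type=CWD msg=audit(1648200000.101:4401): cwd="/var/www/html"
type=PATH msg=audit(1648200000.101:4401): item=0 name="/var/www/html/wp-content/plugins/" inode=1001 dev=fd:01 mode=040755 ouid=33 ogid=33 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1648200000.101:4401): item=1 name="/var/www/html/wp-content/plugins/fm/upload.php" inode=1002 dev=fd:01 mode=0100644 ouid=33 ogid=33 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1648200010.202:4402): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55e1a0 a2=0 a3=0 items=1 ppid=1200 pid=1312 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="php-fpm7.4" exe="/usr/sbin/php-fpm7.4" key=(null)
type=PATH msg=audit(1648200010.202:4402): item=0 name="/var/www/html/index.php" inode=900 dev=fd:01 mode=0100644 ouid=33 ogid=33 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1648200020.303:4403): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=55f2b0 a2=241 a3=1b6 items=2 ppid=1 pid=900 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=7 comm="cp" exe="/usr/bin/cp" key="webroot-change"
type=PATH msg=audit(1648200020.303:4403): item=0 name="/var/www/html/" inode=800 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1648200020.303:4403): item=1 name="/var/www/html/robots.txt" inode=801 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
"""

# Every record starts with type=... msg=audit(<epoch>:<serial>): and then key=value pairs.
RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fields(body):
    """Turn 'k=v k="quoted v" ...' into a dict, dropping surrounding quotes."""
    fields = {}
    for key, value in FIELD_RE.findall(body):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def group_events(log_text):
    """Group SYSCALL/PATH records by event serial; returns events in first-seen order."""
    events = {}
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(serial, {"serial": serial, "ts": float(ts),
                                        "syscall": None, "paths": []})
        fields = parse_fields(body)
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH":
            ev["paths"].append(fields)
    return list(events.values())


def suspicious_web_writes(log_text, watch_key=WATCH_KEY, web_uids=WEB_SERVER_UIDS):
    """Return one finding per file touched by a successful syscall tagged with watch_key."""
    findings = []
    for ev in group_events(log_text):
        sc = ev["syscall"]
        if not sc or sc.get("key") != watch_key or sc.get("success") != "yes":
            continue
        for p in ev["paths"]:
            if p.get("nametype") == "PARENT":  # directory entry, not the file written
                continue
            path = p.get("name", "")
            by_web_server = sc.get("uid") in web_uids
            if by_web_server and path.endswith(".php"):
                severity = "high"    # web server process writing server-side code
            elif by_web_server:
                severity = "medium"  # web server process writing other content
            else:
                severity = "low"     # interactive user/root; reconcile with change records
            findings.append({"serial": ev["serial"], "ts": ev["ts"], "path": path,
                             "exe": sc.get("exe"), "uid": sc.get("uid"),
                             "auid": sc.get("auid"), "severity": severity})
    return findings


if __name__ == "__main__":
    for f in suspicious_web_writes(SAMPLE_AUDIT_LOG):
        print(f"[{f['severity']:6}] serial={f['serial']} uid={f['uid']} auid={f['auid']} "
              f"exe={f['exe']} path={f['path']}")
```

On a live host the same records can be pulled with `ausearch -k webroot-change` and fed to `suspicious_web_writes`; the `auid` field survives privilege changes, so it identifies the human session behind a change, while an `auid` of 4294967295 (unset) combined with the web server's uid means the write originated from the web application itself.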