State-Sponsored Cyberspies Use Sophisticated Server Firewall Bypass Technique

Security News, February 2020
A threat actor, likely a state-sponsored cyberespionage group, has used a sophisticated technique that allows malware installed on a server to communicate with its command and control (C&C) servers through the server's firewall.
It's unclear exactly how the attackers planted the malware, but researchers believe they may have accessed the server through a dictionary attack on an exposed SSH port.
The backdoor, which the attackers could have used to steal sensitive data from the targeted entity, communicated with the C&C server through a rootkit installed on the same server.
To get C&C traffic past the server's firewall, the attackers disguised it as legitimate web traffic.
"In order to get around the firewall rules, the attackers communicate with the rootkit by sending innocent-looking requests to the web server on the normal web server ports. A listener that inspects inbound traffic before it reaches the web server intercepts the specially-crafted requests, and sends instructions to the malware based on characteristics of those requests," explained Sergei Shevchenko, threat research manager at Sophos.
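One practical check that follows from the description above: if a listener intercepts specially crafted requests before they reach the web server, those requests arrive on the web port but never show up in the web server's own access log. The script below, an added example that is not part of the Sophos report or the article, compares requests seen on the wire (as a network tap or mirror port would record them) against Apache combined-format access log lines and reports wire requests with no matching log entry. The sample requests and log lines are constructed for illustration; the matching keys (client IP, method, path, timestamp within a tolerance) and the assumption that intercepted requests are consumed rather than forwarded are this example's own, not facts stated on the page.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Request:
    ts: float      # seconds since the Unix epoch, UTC
    ip: str
    method: str
    path: str


def _utc(y: int, mo: int, d: int, h: int, mi: int, s: int) -> float:
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc).timestamp()


# Constructed sample: requests a tap on TCP/80 observed (assumption: captured
# off-host, because a kernel rootkit can hide traffic from on-host capture).
WIRE_REQUESTS = [
    Request(_utc(2020, 2, 6, 14, 40, 0), "203.0.113.5", "GET", "/index.html"),
    Request(_utc(2020, 2, 6, 14, 40, 1), "203.0.113.5", "GET", "/css/site.css"),
    Request(_utc(2020, 2, 6, 14, 40, 2), "198.51.100.77", "GET", "/robots.txt"),
    Request(_utc(2020, 2, 6, 14, 40, 3), "203.0.113.9", "POST", "/login"),
]

# Constructed sample: the web server's access log for the same window.
# The /robots.txt request from 198.51.100.77 is deliberately absent.
ACCESS_LOG = """\
203.0.113.5 - - [06/Feb/2020:14:40:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Feb/2020:14:40:01 +0000] "GET /css/site.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Feb/2020:14:40:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client, identd, user, [timestamp], "METHOD PATH PROTO", status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" \d{3} ')


def parse_access_log(text: str) -> List[Request]:
    """Parse combined-format log lines into Request records; skip malformed lines."""
    out: List[Request] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, stamp, method, path = m.groups()
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        out.append(Request(ts, ip, method, path))
    return out


def find_unlogged(wire: List[Request], logged: List[Request],
                  tolerance_s: float = 2.0) -> List[Request]:
    """Return wire requests that have no access-log entry with the same client,
    method and path within tolerance_s seconds. Each log entry is consumed at
    most once so that one logged request cannot explain several wire requests."""
    unused = sorted(logged, key=lambda r: r.ts)
    missing: List[Request] = []
    for w in sorted(wire, key=lambda r: r.ts):
        match: Optional[Request] = None
        for cand in unused:
            same_key = (cand.ip, cand.method, cand.path) == (w.ip, w.method, w.path)
            if same_key and abs(cand.ts - w.ts) <= tolerance_s:
                match = cand
                break
        if match is None:
            missing.append(w)
        else:
            unused.remove(match)
    return missing


if __name__ == "__main__":
    for r in find_unlogged(WIRE_REQUESTS, parse_access_log(ACCESS_LOG)):
        when = datetime.fromtimestamp(r.ts, tz=timezone.utc).isoformat()
        print(f"on wire but not logged: {when} {r.ip} {r.method} {r.path}")
```

The check only works when the listener swallows the crafted requests; if it forwards them to the web server after reading them, they appear in the log like any other request and a different signal (for example, instructions executing shortly after particular inbound requests) is needed. The timestamp tolerance absorbs clock skew between the capture point and the server and should be tuned to the environment.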