Chinese Hackers Exploited Sophos Firewall Zero-Day Flaw to Target South Asian Entity (Security News, June 2022)
A sophisticated Chinese advanced persistent threat actor exploited a critical security vulnerability in Sophos' firewall product that came to light earlier this year to infiltrate an unnamed South Asian target as part of a highly-targeted attack.
"The attacker implement[ed] an interesting web shell backdoor, create[d] a secondary form of persistence, and ultimately launch[ed] attacks against the customer's staff," Volexity said in a report.
According to Volexity, the earliest evidence of exploitation dates to March 5, 2022, when it detected anomalous network activity originating from an unnamed customer's Sophos Firewall that was running the then up-to-date firmware version, nearly three weeks before the vulnerability was publicly disclosed.
"The attacker was using access to the firewall to conduct man-in-the-middle attacks," the researchers said.
"The attacker used data collected from these MitM attacks to compromise additional systems outside of the network where the firewall resided."
The session cookies captured in these MitM attacks subsequently allowed the attacker to take control of the WordPress site and install a second web shell, dubbed IceScorpion, which was then used to deploy three open-source implants on the web server: PupyRAT, Pantegana, and Sliver.
News URL: https://thehackernews.com/2022/06/chinese-hackers-exploited-sophos.html
Related news
- A "cascade" of errors let Chinese hackers into US government inboxes
- Palo Alto Networks warns of PAN-OS firewall zero-day used in attacks
- Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack
- Palo Alto Networks zero-day exploited since March to backdoor firewalls
- Week in review: Palo Alto Networks firewalls under attack, Microsoft patches two exploited zero-days
- Palo Alto Networks fixes zero-day exploited to backdoor firewalls
- MITRE says state hackers breached its network via Ivanti zero-days
- ArcaneDoor hackers exploit Cisco zero-days to breach govt networks
- Hackers backdoored Cisco ASA devices via two zero-days (CVE-2024-20353, CVE-2024-20359)
- State-Sponsored Hackers Exploit Two Cisco Zero-Day Vulnerabilities for Espionage