Sophos Firewall zero-day fejl udnyttet uger før rettelse

En sårbarhed i Sophos Firewall, først opdaget i slutningen af marts og rettet soon afterwards, was being exploited by a Chinese advanced persistent threat (APT), in the weeks before the patch was released, reports have revealed.

Researchers from cybersecurity firm Volexity, the threat actor, known as DriftingCloud, exploited the CVE-2022-1040 since early March, against a number of unnamed entities. It used it to bypass authentication, and run arbitrary code on the victims’ endpoints. The flaw affects the User Portal and Webadmin of Sophos Firewall, and the threat actors managed to install webshell backdoors and other malware.

At the moment of discovery, the compromise was still active, and the threat actor was still moving around the network, giving the researchers a unique insight into the operation of an APT. The conclusion of that observation is that the group was “sophisticated” and that it made a valiant effort to remain undetected.

Stage two malware

Among other things, the group blended its traffic by accessing the installed webshell through requests to the legitimate file “login.jps”, BleepingComputer reported.

“At first glance, this might appear to be a brute-force login attempt instead of an interaction with a backdoor. The only real elements that appeared out of the ordinary in the log files were the referrer values and the response status codes,” Volexity explained in its writeup.

After accessing the target network, the threat actor moved to install three distinct malware families – PupyRAT, Pantegana, and Sliver. All three are used for remote access, and are publicly available.

The fix for CVE-2022-1040 has been available for months now, and users are advised to patch up immediately, given that its severity score is 9.8.

It’s been a busy quarter for the Sophos team, which recently fixed two high severity vulnerabilities in Sophos Unified Threat Management appliances: CVE-2022-0386 and CVE-2022-0652.

Sophos er en UK-baseret softwareudvikler til cybersikkerhed og netværkssikkerhed, der hovedsageligt fokuserer på sikkerhedssoftware til organisationer med op til 5,000 ansatte. Det blev grundlagt i 1985, men drejede sig mod cybersikkerhed i slutningen af 1990'erne.

I 2019 blev det opkøbt af det amerikansk-baserede private equity-selskab, Thoma Bravo, for cirka 3.9 milliarder USD (7.40 USD pr. aktie).

via: BleepingComputer (åbner i ny fane)

Kilde

Forrige indlæg

Næste post

Sophos Firewall zero-day fejl udnyttet uger før rettelse

Must-have software i 2024

Topkategorier

Seneste anmeldelser

Samsung Galaxy Z Flip 5 Teaser-video, forud for Galaxy Unpacked Event, viser nyt hængseldesign, farvemuligheder

Twitter begrænser antallet af DM'er, ubekræftede brugere kan sende

Min yndlings Android-telefon kan gøre ting, som min iPhone 14 Pro Max ikke kan

ChatGPT til Android lanceres i næste uge, og du kan forhåndsregistrere dig nu

Xiaomi Smart TV 32A, Smart TV 40A, Smart TV 43A med Google TV, 20W højttalere lanceret i Indien: : Pris, specifikationer

Dette spiselige batteri kan drive verden af diagnostik og bæredygtig energi

Sophos Firewall zero-day fejl udnyttet uger før rettelse

Must-have software i 2024

Topkategorier

Seneste anmeldelser

Samsung Galaxy Z Flip 5 Teaser-video, forud for Galaxy Unpacked Event, viser nyt hængseldesign, farvemuligheder

Twitter begrænser antallet af DM'er, ubekræftede brugere kan sende

Min yndlings Android-telefon kan gøre ting, som min iPhone 14 Pro Max ikke kan

ChatGPT til Android lanceres i næste uge, og du kan forhåndsregistrere dig nu

Xiaomi Smart TV 32A, Smart TV 40A, Smart TV 43A med Google TV, 20W højttalere lanceret i Indien: : Pris, specifikationer

Dette spiselige batteri kan drive verden af ​​diagnostik og bæredygtig energi

Dette spiselige batteri kan drive verden af diagnostik og bæredygtig energi