Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label South Asia. Show all posts
Zero-day Flaw
Chinese Actors Firewall South Asia Vulnerabilities and Exploits Zero-day Flaw

Chinese Attackers Abused Sophos Firewall Zero-Day Bug to Target South Asian Organizations

 

Chinese hackers exploited a critical security vulnerability in Sophos' firewall product that came to light earlier this year to infiltrate multiple organizations in the South Asia region. 

The security bug has been patched in the meantime but multiple hackers continued to exploit it to bypass authentication and run arbitrary code remotely on several organizations. 

On March 25, Sophos issued a security patch about CVE-2022-1040, an authentication bypass flaw that affects the User Portal and Webadmin of Sophos Firewall and could be weaponized to implement arbitrary code remotely. 

Earlier this week, Volexity researchers detailed an assault from a Chinese APT group they track as DriftingCloud, which exploited CVE-2022-1040 since early March, a little over three weeks before Sophos issued a patch. The hackers employed a zero-day exploit to drop a webshell backdoor and target the customer’s staff. 

“This particular attack leveraged a zero-day exploit to compromise the customer’s firewall. Volexity observed the attacker implement an interesting webshell backdoor, create a secondary form of persistence, and ultimately launch attacks against the customer’s staff. These attacks aimed to further breach cloud-hosted web servers hosting the organization’s public-facing websites.” reads a blog post published by Volexity researchers. “This type of attack is rare and difficult to detect. This blog post serves to share what highly targeted organizations are up against and ways to defend against attacks of this nature.” 

The adversary used the zero-day exploit to compromise the firewall to install webshell backdoors and malware that would enable compromising external systems outside the network protected by Sophos Firewall. Volexity spotted the breach while investigating suspicious traffic generated from the Sophos Firewall to key systems in its customer’s networks. The examination of the logs revealed significant and repeated suspicious access aimed at a valid JSP file (login.jsp). 

Further investigation disclosed that the hackers were using the Behinder framework, which was employed by other Chinese APT groups in assaults abusing the recently disclosed CVE-2022-26134 vulnerability in Confluence servers. 

The exploitation of the Sophos Firewall was the first stage of the attack chain, APT group later launched man-in-the-middle (MitM) assaults to steal data and use them to exploit additional systems outside of the network where the firewall resided. Once secured access to the target webservers, the hackers installed multiple open-source malware, including PupyRAT, Pantegana, and Sliver.
Read more »
South Asia
APT Group Black hat Cyber Attacks Sophisticated Assaults South Asia

SideWinder Launched Nearly 1000 Assaults in Two Years

 

The South Asian APT organization SideWinder has been on a tear for the past two years gone, launching nearly 1,000 raids and deploying increasingly sophisticated assault techniques. 

Earlier this week, Noushin Shaba, a senior security researcher at Kaspersky shared her findings at the Black Hat Asia conference regarding SideWinders’ attacking methodologies. The APT group primarily targets military and law enforcement agencies in Pakistan, Bangladesh, and other South Asian countries.

SideWinder has been active since at least 2012 and primarily targets military and law enforcement agencies in Pakistan, Bangladesh, and other South Asian countries. In recent years, they have also targeted departments of Foreign Affairs, Scientific and Defence organizations, Aviation, IT industry, and Legal firms. Some of their newly registered domains and spear-phishing documents indicate this threat actor is expanding the geography of its targets to other countries and regions. 

SideWinder has become one of the planet's most prolific hacking groups by expanding the geography of its targets to other countries and regions. However, the reason behind its expansion remains unknown. 

Last year, the group deployed new obfuscation techniques for the JavaScript it drops into .RTF files, .LNK files, and Open Office documents. Kaspersky has observed unique encryption keys deployed across over 1,000 malware samples sourced from the group.

Threat actors even ran two versions of its obfuscation techniques over several months, and appear to have shifted from an older and less stealthy version to its current malware. SideWinder also exchanges domains regularly for its command-and-control servers as well as for its download servers. That's mostly to ensure that if a domain gets detected, it still has a way to get to its targets, Shabab explains. Spreading activity across different domains in the attacks is less likely to raise suspicion as well. 

In January 2020, Trend Micro researchers revealed that they had unearthed SideWinder exploiting a zero-day local privilege-escalation vulnerability (CVE-2019-2215) that affected hundreds of millions of Android users when it was first published. 

“I think what really makes them stand out among other APTs [advanced persistent threat] actors are the big toolkit they have with many different malware families, lots of new spear-phishing documents, and a very large infrastructure. I have not seen 1,000 attacks from a single APT from another group until further,” Shaba stated.
Read more »
Subscribe to: Posts (Atom)