According to several cybersecurity companies, Chinese state-sponsored hackers are targeting organizations and governments in Afghanistan, Bhutan, India, Nepal, Pakistan and Sri Lanka using a zero-day vulnerability in Sophos Firewall that has since been patched.
This week, Volexity published a report on CVE-2022-1040 – a Sophos firewall authentication bypass vulnerability patched in March – and said that a Chinese APT group called “Drifting Cloud” was using it to install three families of open-source malware, including PupyRAT, Pantegana, and Sliver.
Sophos released its own report on the activity and told Volexity that it observed “organizations primarily in the South Asia region” being attacked.
Recorded Future’s Insikt Group published its own corresponding report, which was more specific, explaining that threat activity around CVE-2022-1040 “was concentrated in South Asia, particularly government and private sector entities in Afghanistan, Bhutan, India, Nepal, Pakistan, and Sri Lanka.”
The report notes that several Chinese state-backed groups are exploiting the vulnerability and most likely began exploiting it in January.
“At least 2 separate suspected Chinese state-sponsored groups were identified exploiting CVE-2022-1040 prior to its discovery. This included TA413, a group we have talked about extensively targeting organizations and individuals associated with the exiled Tibetan government,” said researchers from Recorded Future’s Insikt Group.
“We have also identified a newly observed cluster of activity exploiting the vulnerability that we are tracking under the temporary callsign TAG-40. The Insikt group has identified links between TAG-40 and suspected broader Chinese cyber espionage activity using the long-running NINEBLOG VBScript backdoor against targets in South Asia. A third, currently unattributed, activity group has also been observed exploiting the vulnerability to remove the open-source Gh0st RAT tool.”
The vulnerability is in the user portal and web administration interface of Sophos Firewall, and Volexity said it observed attackers using their access “to modify DNS responses of specially targeted websites to perform MITM attacks”.
The modified DNS responses, according to Volexity, were for hostnames owned by the victim organization and for which it administered and managed website content.
“This allowed the attacker to intercept user credentials and session cookies from the administrative access to the content management system (CMS) of websites,” the researchers explained.
“Volexity determined that in several cases, the attacker was able to access the CMS administration pages of the victim organization’s websites with valid session cookies that they had hacked.”
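As an added example (not code from Volexity, Sophos or Recorded Future), the following Python check shows one way a defender could look for the DNS tampering described above: it compares A-record answers for hostnames the organization administers against the networks they are expected to resolve to, and against the view from outside the firewall. The log format, hostnames, vantage labels and address ranges are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: hostnames the organization owns and the networks
# their A records are expected to fall in (documentation address ranges).
EXPECTED = {
    "cms.example.org": ["192.0.2.0/24"],
    "www.example.org": ["192.0.2.0/24", "198.51.100.0/24"],
}

# Constructed resolver log lines: "<vantage> <qname> A <answer>".
# "inside" is a client behind the firewall, "outside" an external probe.
SAMPLE_LOG = """\
inside  www.example.org A 198.51.100.7
outside www.example.org A 198.51.100.7
inside  cms.example.org A 203.0.113.66
outside cms.example.org A 192.0.2.10
inside  news.example.net A 203.0.113.5
"""

def parse(log):
    """Yield (vantage, lowercase qname, ip) for each A-record line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "A":
            yield parts[0], parts[1].rstrip(".").lower(), ipaddress.ip_address(parts[3])

def find_suspect_answers(log, expected=EXPECTED):
    """Return findings for owned hostnames whose answers look rewritten."""
    nets = {h: [ipaddress.ip_network(n) for n in ns] for h, ns in expected.items()}
    seen = defaultdict(lambda: defaultdict(set))  # qname -> vantage -> {ips}
    findings = []
    for vantage, qname, ip in parse(log):
        if qname not in nets:
            continue  # not a hostname we administer; out of scope
        seen[qname][vantage].add(ip)
        if not any(ip in n for n in nets[qname]):
            findings.append((qname, vantage, str(ip), "outside expected networks"))
    # Second signal: the view behind the firewall shares no address with the
    # external view (can be noisy for hostnames served from rotating pools).
    for qname, by_vantage in seen.items():
        inside, outside = by_vantage.get("inside"), by_vantage.get("outside")
        if inside and outside and inside.isdisjoint(outside):
            findings.append((qname, "inside", ",".join(sorted(map(str, inside))),
                             "differs from external view"))
    return findings

if __name__ == "__main__":
    for finding in find_suspect_answers(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

A hit on an owned hostname is a prompt to review the firewall's DNS configuration and to invalidate CMS sessions and credentials used from behind it.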
Sophos has contacted each affected organization but noted that no user action is required for those who have enabled the “Allow automatic installation of patches” feature.