Chinese APT groups targeting India, Pakistan and more with Sophos firewall vulnerability

Chinese state-sponsored hackers are targeting organizations and governments in Afghanistan, Bhutan, India, Nepal, Pakistan and Sri Lanka with a now-patched zero-day vulnerability in Sophos Firewall, according to several different cybersecurity companies.

This week, Volexity released a report on CVE-2022-1040 – a Sophos firewall authentication bypass vulnerability patched in March – and said a Chinese APT group they named “Drifting Cloud” was using it to install three open-source malware families, including PupyRAT, Pantegana and Sliver.

Sophos published its own report on the activity and told Volexity that it has observed “organizations primarily in the South Asia region” being attacked. 

Recorded Future’s Inskit Group created its own corresponding report that was more specific, explaining that the threat activity around CVE-2022-1040 “was concentrated in South Asia, in particular government and private sector entities in Afghanistan, Bhutan, India, Nepal, Pakistan, and Sri Lanka.”

The report notes that multiple state-backed groups from China are exploiting the vulnerability and most likely started exploitation in January. 

“At least 2 distinct suspected Chinese state-sponsored groups were identified exploiting CVE-2022-1040 prior to its discovery. This included TA413, a group we have extensively reported on targeting organizations and individuals associated with the Tibetan government-in-exile,” researchers from Recorded Future’s Inskit Group said. 

“We also identified a newly observed cluster of activity exploiting the vulnerability which we are tracking under the temporary designator TAG-40. Insikt Group identified links between TAG-40 and wider suspected Chinese cyber espionage activity using the longstanding NINEBLOG VBScript backdoor against targets in South Asia. A third, currently unattributed cluster of activity was also observed exploiting the vulnerability to drop the open-source tool Gh0st RAT."

The vulnerability centers on the User Portal and Webadmin of Sophos Firewalls and Volexity said it observed attackers using their access “to modify DNS responses for specially targeted websites in order to perform MITM attacks.”

The modified DNS responses, according to Volexity, were for hostnames that belonged to the victim organization and for which they administered and managed the content of websites. 

“This allowed the attacker to intercept user credentials and session cookies from administrative access to the websites' content management system (CMS),” the researchers explained. 

“Volexity determined that in multiple cases, the attacker was able to access the CMS admin pages of the victim organization's websites with valid session cookies they had hijacked.”

Sophos has contacted each affected organization but noted that no user action is needed for those who have the "Allow automatic installation of hotfixes" feature enabled.