Threat analysis by The RabitaNoor (RBTN) Cyber Research Center

Chinese APT Groups Exploit Sophos Firewall Vulnerability in South Asia

The goal of this document is to provide technical and strategic analysis of a much larger source (a document, audio recording, etc.).

The document is a product of the RBTN - CYOI Pulpit


[Main image: photo by Yeshi Kangrang]


Document Summary

Chinese state-sponsored hackers, including groups such as Drifting Cloud, are targeting organizations in Afghanistan, Bhutan, India, Nepal, Pakistan, and Sri Lanka using a now-patched zero-day vulnerability in Sophos Firewall (CVE-2022-1040). Reports from Volexity, Sophos, and Recorded Future's Insikt Group highlight the exploitation of this vulnerability, which was patched in March 2022. The attackers, including TA413 and a newly identified cluster tracked as TAG-40, have been using this vulnerability to install malware such as PupyRAT, Pantegana, and Sliver. The attacks involve modifying DNS responses to perform man-in-the-middle (MITM) attacks, allowing interception of user credentials and session cookies. Sophos has contacted affected organizations, noting that no user action is needed for those with automatic hotfix installation enabled.

Analysis

Overview

Timestamp: 2022-06-17

Title: Chinese APT Groups Exploit Sophos Firewall Vulnerability in South Asia

Severity: High

The incident involves Chinese state-sponsored groups exploiting a Sophos firewall vulnerability (CVE-2022-1040) to target organizations in South Asia. The adversaries, including Drifting Cloud, TA413, and TAG-40, demonstrate high sophistication and motivation for cyber espionage. They employ capabilities such as malware installation and MITM attacks, leveraging compromised infrastructure to intercept sensitive data from government and private sector entities.

Adversary

Adversary: Chinese state-sponsored groups targeting South Asia using Sophos firewall vulnerability.

Motivation: Cyber espionage

Sophistication: High

TTPs:

Capability

Capability: Exploitation of Sophos firewall vulnerability to install malware and perform MITM attacks.

Tools: PupyRAT, Pantegana, Sliver, Gh0st RAT

Evasion: DNS response modification
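One defender-side check for the DNS response modification listed above, written as an added example (not the report's own tooling or data): it compares answers obtained through the firewall's DNS path with answers from an out-of-band reference resolver and flags rewritten or internally redirected answers. All hostnames and addresses are constructed placeholders.

```python
import ipaddress

# RFC1918 ranges are checked explicitly rather than via ip_address().is_private,
# because Python also classifies the documentation ranges used below as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data (documentation addresses and .test names, not report indicators):
# the same hostnames resolved through the perimeter firewall's DNS path and through an
# out-of-band reference resolver reached over a separate uplink.
FIREWALL_ANSWERS = {
    "webmail.example-gov.test": {"192.0.2.10"},                   # matches reference
    "cms.example-org.test": {"203.0.113.7"},                      # rewritten to another host
    "portal.example-ministry.test": {"10.20.30.40"},              # public name -> internal box
    "static.example-cdn.test": {"198.51.100.5", "198.51.100.6"},  # same set, any order
}
REFERENCE_ANSWERS = {
    "webmail.example-gov.test": {"192.0.2.10"},
    "cms.example-org.test": {"198.51.100.42"},
    "portal.example-ministry.test": {"192.0.2.77"},
    "static.example-cdn.test": {"198.51.100.6", "198.51.100.5"},
}


def compare_resolvers(firewall, reference):
    """Return (hostname, reason) findings where the firewall-path answer disagrees
    with the reference answer in a way consistent with response rewriting."""
    findings = []
    for host, fw_ips in firewall.items():
        ref_ips = reference.get(host, set())
        for ip in sorted(fw_ips):
            addr = ipaddress.ip_address(ip)
            if any(addr in net for net in RFC1918):
                # A public name answered with an internal address points at a local relay.
                findings.append((host, f"public name resolves to RFC1918 address {ip}"))
            elif ref_ips and ip not in ref_ips:
                # An address the reference resolver never returned suggests a rewritten answer.
                findings.append((host, f"answer {ip} absent from reference answers {sorted(ref_ips)}"))
    return findings


if __name__ == "__main__":
    for host, reason in compare_resolvers(FIREWALL_ANSWERS, REFERENCE_ANSWERS):
        print(f"[DNS-MISMATCH] {host}: {reason}")
```

Legitimate differences (CDN geo-routing, round-robin pools) also produce mismatches, so the reference set should be gathered from the same vantage region and compared over several queries before a mismatch is treated as tampering.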

Infrastructure

Description: Use of compromised Sophos firewalls to conduct attacks.

Communication Protocols: DNS

Victim Profile

Targets: Organizations and governments in South Asia, including Afghanistan, Bhutan, India, Nepal, Pakistan, and Sri Lanka.

Industry: Government and private sector

Assets: Sophos firewalls, Content management systems

Data at Risk: User credentials, Session cookies

Impact: High

References