Friday 30 September 2022, 11:00 - 11:30
Andrew Brandt (Sophos)
In a series of events that began in March 2022, Sophos learned of the bug designated CVE-2022-1040 and discovered that two different APT groups were exploiting it on affected devices to install malware and exfiltrate sensitive information. It is unclear whether the two groups were coordinating their efforts.
The exploit combined two separate vulnerabilities – an authentication bypass bug, and a command injection bug – that would have required the attacker to have deep knowledge of not-publicly-disclosed APIs and opcodes that are integral to the functioning of the devices. Using these bugs, the attackers launched a chain of commands that resulted in a few different malware families being introduced into the devices.
One APT group deployed two common malware families onto the exploited devices – GoMet and Gh0st RAT – while the other opted to create a bespoke ELF executable malware specifically for the purpose of conducting espionage on the owners' networks. The attackers also hijacked system services and processes running on the devices to listen for, and respond to, specially crafted PING packets, which do not occur 'in nature' and, if received by an infected device, would open a reverse shell back-connection to an IP address of the attacker's choosing.
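The ICMP-triggered backdoor described above suggests a simple network-side check a defender can run: most echo requests on a network come from stock ping tools with predictable payloads, so an echo request whose payload matches none of them deserves a closer look. The following is an added example, not code from the talk or from Sophos; the trigger packets themselves are not described here, so the sample "suspicious" payload is constructed, and the allow-list of stock ping payloads (Windows ping.exe's 32-byte alphabet string, and the iputils byte ramp with a leading timestamp) is a heuristic assumption, not a definition from the page.

```python
import struct

# Allow-list of payloads produced by stock ping tools (heuristic assumption, not from the talk).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32 bytes sent by Windows ping.exe

# Constructed samples: a Linux-style payload (16-byte timestamp, then the iputils byte ramp)
# and an opaque token standing in for a trigger packet (invented here, not the real trigger).
LINUX_SAMPLE = b"\x11" * 16 + bytes(range(16, 56))
CONSTRUCTED_TRIGGER = b"constructed-trigger-token"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def looks_like_stock_ping(payload: bytes) -> bool:
    """True if the payload matches a known stock ping pattern."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    # iputils fills data[i] = i and then overwrites the first 8 or 16 bytes with a
    # timestamp, so everything from offset 16 onward must still be the byte ramp.
    if len(payload) >= 32:
        return all(b == (i + 16) & 0xFF for i, b in enumerate(payload[16:]))
    return False


def classify_icmp(packet: bytes) -> str:
    """Classify one raw ICMP message (header + payload, no IP header)."""
    if len(packet) < 8:
        return "malformed"
    typ, code, stored_csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) != stored_csum:
        return "bad-checksum"
    if typ != 8:
        return "not-echo-request"
    return "stock-ping" if looks_like_stock_ping(packet[8:]) else "suspicious-echo-request"


def build_echo_request(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Build a well-formed ICMP echo request (type 8) with a valid checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, icmp_checksum(header + payload), ident, seq) + payload


if __name__ == "__main__":
    for name, p in (("linux", LINUX_SAMPLE), ("windows", WINDOWS_PING_PAYLOAD), ("token", CONSTRUCTED_TRIGGER)):
        print(name, classify_icmp(build_echo_request(p)))
```

On a real sensor the classifier would be fed the ICMP portion of captured frames; anything flagged as suspicious is a lead to correlate with outbound connections from the device that received it, not proof of compromise on its own.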
In this talk we will discuss the technical details of the exploit, the technical details about the common and uncommon malware they deployed, and the techniques and procedures used by the APT actors to evade detection and blend into their network surroundings.
Andrew Brandt is a former investigative reporter turned network forensics investigator and malware analyst, who serves as a principal researcher for Sophos. Brandt has worked in information security since 2006 and, prior to working in the industry, covered it extensively as the security editor for PC World for nearly a decade. He has applied his knowledge about the behaviour of malicious software and threat actors to profile identifiable characteristics of undesirable or criminal activity, specializing in attackers who target the finance, energy, and government sectors. His analysis techniques seek to determine general principles that can help analysts and defenders rapidly and comprehensively identify the root cause of infection and data loss, putting real-time network data analysis at the front line of prevention.