Headline
Hackers Actively Exploiting New Sophos Firewall RCE Vulnerability
Security software company Sophos has warned of cyberattacks targeting a recently addressed critical vulnerability in its firewall product. The issue, tracked as CVE-2022-3236 (CVSS score: 9.8), impacts Sophos Firewall v19.0 MR1 (19.0.1) and older and concerns a code injection vulnerability in the User Portal and Webadmin components that could result in remote code execution. The company said it
Security software company Sophos has warned of cyberattacks targeting a recently addressed critical vulnerability in its firewall product.
The issue, tracked as CVE-2022-3236 (CVSS score: 9.8), impacts Sophos Firewall v19.0 MR1 (19.0.1) and older and concerns a code injection vulnerability in the User Portal and Webadmin components that could result in remote code execution.
The company said it “has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region,” adding it directly notified these entities.
As a workaround, Sophos is recommending that users take steps to ensure that the User Portal and Webadmin are not exposed to WAN. Alternatively, users can update to the latest supported version -
- v19.5 GA
- v19.0 MR2 (19.0.2)
- v19.0 GA, MR1, and MR1-1
- v18.5 MR5 (18.5.5)
- v18.5 GA, MR1, MR1-1, MR2, MR3, and MR4
- v18.0 MR3, MR4, MR5, and MR6
- v17.5 MR12, MR13, MR14, MR15, MR16, and MR17
- v17.0 MR10
Users running older versions of Sophos Firewall are required to upgrade to receive the latest protections and the relevant fixes.
The development marks the second time a Sophos Firewall vulnerability has come under active attacks within a year. Earlier this March, another flaw (CVE-2022-1040) was used to target organizations in the South Asia region.
Then in June 2022, cybersecurity firm Volexity shared more details of the attack campaign, pinning the intrusions on a Chinese advanced persistent threat (APT) known as DriftingCloud.
Sophos firewall appliances have also previously come under attack to deploy what’s called the Asnarök trojan in an attempt to siphon sensitive information.
Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.
Related news
The APT, aka Earth Estries, is one of China's most effective threat actors, performing espionage for sometimes years on end against telcos, ISPs, and governments before being detected.
The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware. "This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures," CloudSEK said in a
The U.S. Federal Bureau of Investigation (FBI) has sought assistance from the public in connection with an investigation involving the breach of edge devices and computer networks belonging to companies and government entities. "An Advanced Persistent Threat group allegedly created and deployed malware (CVE-2020-12271) as part of a widespread series of indiscriminate computer intrusions designed
Microsoft released its final set of Patch Tuesday updates for 2023, closing out 33 flaws in its software, making it one of the lightest releases in recent years. Of the 33 shortcomings, four are rated Critical and 29 are rated Important in severity. The fixes are in addition to 18 flaws Microsoft addressed in its Chromium-based Edge browser since the release of Patch
Nearly 20% of the zero-day flaws that attackers exploited in 2022 were in network, security, and IT management products, Mandiant says.
As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple. While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significant uptick in recent years of threat actors leveraging unknown security flaws to their advantage. The
Plus: WhatsApp plugs holes that could be used for remote execution attacks, Microsoft patches a zero-day vulnerability, and more.
Code injection vulnerability harnessed in attacks on south Asia
Vendor patches code injection vulnerability harnessed in attacks on south Asia
A China-aligned advanced persistent threat actor known as TA413 weaponized recently disclosed flaws in Sophos Firewall and Microsoft Office to deploy a never-before-seen backdoor called LOWZERO as part of an espionage campaign aimed at Tibetan entities. Targets primarily consisted of organizations associated with the Tibetan community, including enterprises associated with the Tibetan
Sophos XG115w Firewall version 17.0.10 MR-10 suffers from an authentication bypass vulnerability.
A large software development company whose software is used by different state entities in Ukraine was at the receiving end of an "uncommon" piece of malware, new research has found. The malware, first observed on the morning of May 19, 2022, is a custom variant of the open source backdoor known as GoMet and is designed for maintaining persistent access to the network. "This access could be
Executive summary Since the Russian invasion of Ukraine began, Ukrainians have been under a nearly constant barrage of cyber attacks. Working jointly with Ukrainian organizations, Cisco Talos has discovered a fairly uncommon piece of malware targeting Ukraine — this time aimed at a large software development company whose software is used in various state organizations within Ukraine. We believe that this campaign is likely sourced by Russian state-sponsored actors or those acting in their interests. As this firm is involved in software development, we cannot ignore the possibility that the perpetrating threat actor's intent was to gain access to source a supply chain-style attack, though at this time we do not have any evidence that they were successful. Cisco Talos confirmed that the malware is a slightly modified version of the open-source backdoor named "GoMet." The malware was first observed on March 28, 2022. GoMet backdoor The story of this backdoor is rather curious — ther...
A sophisticated Chinese advanced persistent threat (APT) actor exploited a critical security vulnerability in Sophos' firewall product that came to light earlier this year to infiltrate an unnamed South Asian target as part of a highly-targeted attack. "The attacker implement[ed] an interesting web shell backdoor, create[d] a secondary form of persistence, and ultimately launch[ed] attacks