The exchange of artifacts and exploitation techniques targeting CVE-2022-1040 continues to grow
We see growing activity in the exchange of artifacts and exploitation techniques aimed at CVE-2022-1040. Most of the stakeholders are Chinese state-sponsored actors. This increases the concern of future attacks and of new victims in the medium term, because stealthy compromises (made with the purpose of remaining hidden) are being achieved on a significant number of Sophos Firewall systems that to date remain unpatched.
There is also growing interest in exploiting this now patched (as of March) zero-day vulnerability in Sophos Firewall. From the beginning of January 2022 until the patch in March 2022, many Sophos Firewall systems were compromised, mainly in South Asia (consistent with China's interests). Recently observed activity shows aggression and compromise in South America. Intelligence data consulted by DefensiONE observed a third adversary focused on removing the open-source Gh0st RAT tool (https://attack.mitre.org/software/S0032/) from compromised systems and victims; we assume that this is one of the pieces adversaries have been using to persist in organizations compromised through this weakness.
If you have used a vulnerable or patched Sophos Firewall system in your on-premise or cloud ecosystem between March 2022 and today, you should consider tracking the Gh0st RAT artifact and its recent variations in your ecosystem. If you have not yet applied this patch to your Firewall, proceed immediately: the adversaries behind these activities are high-value and typically execute large-scale compromises in the monetization stage of the persistence they achieve. That is, if your organization is not of interest to these adversaries, the systems they manage to compromise will be transferred to extortion-type criminal gangs that use ransomware and data kidnapping/theft as a means of pressure to achieve their purpose.
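One concrete way to start tracking Gh0st RAT on the wire, as an added example that is not part of the original post or of DefensiONE's tooling: the classic Gh0st RAT command channel frames each message as a 5-byte magic (`Gh0st` in the original source, often changed in variants), a little-endian 32-bit total frame length, a little-endian 32-bit uncompressed payload length, and then a zlib stream. The validator below checks all three fields rather than matching the magic alone, which keeps false positives down when the string appears in ordinary traffic. The framing layout is stated here as an assumption from public analyses of the open-source tool; the flow identifiers, the `build_frame` helper and the sample flows are constructed for offline testing.

```python
import struct
import zlib

# Assumed classic Gh0st RAT framing: 5-byte magic, then two little-endian
# uint32 fields (total frame length, uncompressed payload length), then a
# zlib stream. Variants frequently swap the magic, so it is a parameter.
HEADER_LEN = 13
DEFAULT_MAGICS = (b"Gh0st",)


def parse_gh0st_frame(data: bytes, magics=DEFAULT_MAGICS):
    """Return (magic, payload) if `data` is a well-formed frame, else None.

    All three header fields must agree with the bytes actually present;
    a bare magic match is not enough to count as a hit.
    """
    if len(data) < HEADER_LEN:
        return None
    magic = data[:5]
    if magic not in magics:
        return None
    total_len, raw_len = struct.unpack_from("<II", data, 5)
    if total_len != len(data):
        return None  # declared length does not match the captured frame
    try:
        payload = zlib.decompress(data[HEADER_LEN:])
    except zlib.error:
        return None  # body is not a zlib stream
    if len(payload) != raw_len:
        return None  # uncompressed length field lies
    return magic, payload


def build_frame(payload: bytes, magic: bytes = b"Gh0st") -> bytes:
    """Constructed helper: wrap a payload in the assumed framing so the
    detector can be exercised offline without any real capture."""
    body = zlib.compress(payload)
    return magic + struct.pack("<II", HEADER_LEN + len(body), len(payload)) + body


def scan_flows(flows, magics=DEFAULT_MAGICS):
    """flows: iterable of (flow_id, first_bytes). Returns a list of hits,
    one dict per flow whose first bytes parse as a valid frame."""
    hits = []
    for flow_id, data in flows:
        parsed = parse_gh0st_frame(data, magics)
        if parsed is not None:
            magic, payload = parsed
            hits.append(
                {"flow": flow_id, "magic": magic.decode("latin-1"),
                 "payload_len": len(payload)}
            )
    return hits


# Constructed sample flows (addresses are RFC 5737 documentation ranges).
SAMPLE_FLOWS = [
    # a frame in the assumed format with a 32-byte dummy body
    ("10.0.0.5:51234->203.0.113.7:443", build_frame(b"\x65" + b"\x00" * 31)),
    # ordinary HTTP request: must not match
    ("10.0.0.8:40211->198.51.100.2:80", b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    # magic string present but length fields and body are garbage: must not match
    ("10.0.0.9:40212->198.51.100.9:8080", b"Gh0st" + b"\xff" * 20),
]

if __name__ == "__main__":
    for hit in scan_flows(SAMPLE_FLOWS):
        print(hit)
```

To cover a variant that changed its magic, pass the observed 5-byte string in `magics`; the length and zlib checks still apply, so the hit remains a structural match rather than a string match. Feed `scan_flows` the first bytes of each TCP flow from your capture pipeline, and treat a hit as a lead for host triage rather than as proof on its own.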