BruCON 0x0E

In a series of events that began in March, 2022, Sophos learned of the bug designated CVE-2022-1040, and discovered that two different APT groups were exploiting the devices to install malware, and exfiltrate sensitive information. It's unclear whether the two groups were coordinating their efforts.

The exploit combined two separate vulnerabilities - an authentication bypass bug, and a command injection bug - that would have required the attacker to have deep knowledge of not-publicly-disclosed APIs and opcodes that are integral to the functioning of the devices. Using these bugs, the attackers launched a chain of commands that resulted in a few different malware families being introduced into the devices.

One APT group deployed two common malware families onto the exploited devices - GoMet and Gh0st RAT - while the other opted to create a bespoke ELF executable malware specifically for the purpose of conducting espionage on the owners' networks. The attackers also hijacked system services and processes running on the devices to listen for, and respond to, specially crafted PING packets, which do not occur "in nature" and, if received by an infected device, would open a reverse shell back-connection to an IP address of the attacker's choosing.

In this talk we will discuss the technical details of the exploit, the technical details about the common and uncommon malware they deployed, and the techniques and procedures used by the APT actors to evade detection and blend in to their network surroundings.