BruCON 0x0E has ended
Friday, September 30 • 17:00 - 17:30
Your Own Personal Panda: Inside the CVE-2022-1040 attack

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
In a series of events that began in March, 2022, Sophos learned of the bug designated CVE-2022-1040, and discovered that two different APT groups were exploiting the devices to install malware, and exfiltrate sensitive information. It's unclear whether the two groups were coordinating their efforts.

The exploit combined two separate vulnerabilities - an authentication bypass bug, and a command injection bug - that would have required the attacker to have deep knowledge of not-publicly-disclosed APIs and opcodes that are integral to the functioning of the devices. Using these bugs, the attackers launched a chain of commands that resulted in a few different malware families being introduced into the devices.

One APT group deployed two common malware families onto the exploited devices - GoMet and Gh0st RAT - while the other opted to create a bespoke ELF executable malware specifically for the purpose of conducting espionage on the owners' networks. The attackers also hijacked system services and processes running on the devices to listen for, and respond to, specially crafted PING packets, which do not occur "in nature" and, if received by an infected device, would open a reverse shell back-connection to an IP address of the attacker's choosing.

In this talk we will discuss the technical details of the exploit, the technical details about the common and uncommon malware they deployed, and the techniques and procedures used by the APT actors to evade detection and blend in to their network surroundings.

avatar for Craig Jones

Craig Jones

Craig leads Sophos’ Global Security Operations Center, focussing on automation and sophisticated detection to protect Sophos Infrastructure, Applications and Users. He leads a world class team of Security engineers and incident responders tackling cyberthreats to Sophos and cus... Read More →

Friday September 30, 2022 17:00 - 17:30 CEST
01. Gouden Carolus