On June 16, 2022, RiskIQ detected a malicious .zip file hosted on Discord’s Content Delivery Network (CDN). The .zip file dropped an executable that appears to download a further payload hosted on a Middle Eastern energy company’s website, which was likely compromised in early June 2022.
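The chain described above (archive fetched from Discord's CDN, dropped executable then pulling a payload from an unrelated, compromised site) is detectable in ordinary web-proxy logs without any sample of the malware. The following is an added example of that heuristic and is not RiskIQ's detection logic. It assumes a simplified, constructed proxy log format ("epoch client method url status"), sorted by time; the log lines, client addresses and the `.invalid` hostnames are all constructed placeholders, and only the Discord CDN hostnames (`cdn.discordapp.com`, `media.discordapp.net`) are real.

```python
"""Flag a Discord-CDN archive download that is followed, within a short
window, by an executable download from a non-Discord host by the same client.

Added example, not RiskIQ's detection logic. Log format is a constructed,
simplified proxy log: "<epoch> <client_ip> <method> <url> <status>".
"""
from __future__ import annotations

import re
from collections import defaultdict
from urllib.parse import urlparse

# Real hostnames that serve user-uploaded Discord attachments.
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso", ".img")
EXEC_EXT = (".exe", ".dll", ".scr", ".msi", ".bat", ".ps1")

LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample log (hostnames under the reserved .invalid TLD).
SAMPLE_LOG = [
    "1655380000 10.0.0.5 GET https://cdn.discordapp.com/attachments/1234/5678/invoice.zip 200",
    "1655380042 10.0.0.5 GET https://www.energy-co.invalid/wp-content/uploads/update.exe 200",
    "1655380100 10.0.0.7 GET https://cdn.discordapp.com/attachments/1234/9999/photo.png 200",
    "1655380200 10.0.0.7 GET https://www.example.invalid/setup.exe 200",
    "1655391000 10.0.0.5 GET https://mirror.example.invalid/tool.exe 200",
]


def parse_line(line: str) -> dict | None:
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec


def url_host_and_ext(url: str) -> tuple[str, str]:
    """Return (hostname, lower-cased file extension of the last path segment)."""
    p = urlparse(url)
    name = p.path.rsplit("/", 1)[-1].lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    return (p.hostname or "").lower(), ext


def is_discord_attachment(url: str) -> bool:
    """True for user-uploaded attachments served from Discord's CDN."""
    host, _ = url_host_and_ext(url)
    return host in DISCORD_CDN_HOSTS and urlparse(url).path.startswith("/attachments/")


def find_chains(lines: list[str], window_s: int = 600) -> list[dict]:
    """Return one record per (archive from Discord CDN -> executable from elsewhere)
    pair seen from the same client within window_s seconds. Lines must be time-ordered."""
    pending: dict[str, list[dict]] = defaultdict(list)  # client -> archive downloads
    chains: list[dict] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["status"] != 200:
            continue
        host, ext = url_host_and_ext(rec["url"])
        if is_discord_attachment(rec["url"]) and ext in ARCHIVE_EXT:
            pending[rec["client"]].append(rec)
            continue
        if ext in EXEC_EXT and host not in DISCORD_CDN_HOSTS:
            for arc in pending[rec["client"]]:
                delta = rec["ts"] - arc["ts"]
                if 0 <= delta <= window_s:
                    chains.append({
                        "client": rec["client"],
                        "archive_url": arc["url"],
                        "payload_url": rec["url"],
                        "delta_s": delta,
                    })
    return chains


if __name__ == "__main__":
    for c in find_chains(SAMPLE_LOG):
        print(f"{c['client']}: {c['archive_url']} -> {c['payload_url']} ({c['delta_s']}s)")
```

The heuristic deliberately keys on the Discord attachment path rather than the hostname alone, since the same CDN also serves benign images (the 10.0.0.7 client in the sample), and it only pairs the archive with a later executable from a host outside the CDN, which is the second stage the summary describes. In production the window and extension lists would be tuned to the environment, and a hit should be enriched with the second-stage host's reputation before it pages anyone.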
DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach
Earlier this year, Volexity detected a sophisticated attack against a customer that is heavily targeted by multiple Chinese advanced persistent threat (APT) groups. The attack leveraged a zero-day exploit to compromise the customer’s firewall. Volexity observed the attacker implement an interesting webshell backdoor, create a secondary form of persistence, and ultimately launch attacks against the customer’s staff, aimed at further breaching the cloud-hosted web servers that host the organization’s public-facing websites. Attacks of this type are rare and difficult to detect. This blog post shares what highly targeted organizations are up against and how to defend against attacks of this nature.