SecurityWeek

Nation-State

NCSC Details ‘Pygmy Goat’ Backdoor Planted on Hacked Sophos Firewall Devices

A stealthy network backdoor found on hacked Sophos XG firewall devices is programmed to work on a broader range of Linux-based devices.

[Image: Volt Typhoon botnet]

The UK’s National Cyber Security Centre (NCSC) has published technical documentation of a sophisticated network backdoor being planted on hacked Sophos XG firewall devices and warned that the malware was designed for a broader range of Linux-based network devices.

The backdoor, called Pygmy Goat, uses multiple stealthy techniques to maintain persistence and avoid detection and is capable of disguising malicious traffic as legitimate SSH connections.

The backdoor also makes use of encrypted ICMP packets for covert communication and is clearly the work of a very skilled, professional hacking operator.

“While not containing any novel techniques, Pygmy Goat is quite sophisticated in how it enables the actor to interact with it on demand, while blending in with normal network traffic. The code itself is clean, with short, well-structured functions aiding future extensibility, and errors are checked throughout, suggesting it was written by a competent developer or developers,” the NCSC said.

The agency believes the malware was designed to target a broader range of Linux-based network devices beyond just Sophos firewalls.

The agency said it observed Pygmy Goat malware using a fraudulent certificate masquerading as one from Fortinet, another oft-targeted major firewall vendor. This suggests the attackers may have initially developed the malware to target FortiGate devices before adapting it for Sophos systems, the agency said.

According to the report, the network backdoor has multiple methods of communications wake-up, as well as two separate remote shells, which would likely be considered unnecessary effort if the malware had been developed for a specific device.

It said Pygmy Goat does not rely on any device-specific external libraries and will run on a base Ubuntu distribution. 


The agency pointed to recent reporting from Mandiant showing attacks on FortiGate devices with similar TTPs to Pygmy Goat, such as an encrypted ICMP packet containing C2 information being used to establish a reverse SSL connection. 
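The two reports above describe the same covert-channel pattern: C2 material carried inside ICMP packets whose payload is encrypted. From a defender's side, the useful property is that ciphertext looks like random bytes, whereas ordinary echo payloads are low-structure filler (a timestamp followed by sequential bytes on Linux, repeating letters on Windows). The script below is an added example, not code from the NCSC report, from Mandiant or from this article. It parses raw ICMP echo messages, scores each payload for structure and entropy, and flags payloads that are unstructured and near maximal entropy or simply oversized. The sample packets, the 64-byte size cut-off and the 0.1/0.8 thresholds are constructed assumptions for illustration; the Linux filler layout is the iputils default as I understand it, not something taken from the page.

```python
"""Triage heuristic for ICMP echo payloads that may carry a covert channel.

Added example; not from the NCSC report, Mandiant or SecurityWeek. Encrypted
C2 data looks like random bytes, while ordinary ping filler is structured.
"""
import hashlib
import math
import struct
from collections import Counter
from dataclasses import dataclass

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


@dataclass
class IcmpPacket:
    icmp_type: int
    code: int
    ident: int
    seq: int
    payload: bytes


def parse_icmp(raw: bytes) -> IcmpPacket:
    """Parse an ICMP message (IP header already stripped) into fields + payload."""
    if len(raw) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    icmp_type, code, _checksum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return IcmpPacket(icmp_type, code, ident, seq, raw[8:])


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def structure_score(data: bytes) -> float:
    """Fraction of adjacent byte pairs that repeat or increment by one.

    Ping filler scores near 1.0; ciphertext scores near 2/256.
    """
    if len(data) < 2:
        return 1.0
    hits = sum(1 for a, b in zip(data, data[1:]) if (b - a) % 256 in (0, 1))
    return hits / (len(data) - 1)


def covert_channel_indicators(pkt: IcmpPacket, max_benign_len: int = 64) -> list[str]:
    """Return reasons the echo payload looks like a covert channel ([] = benign).

    Thresholds (64 bytes, 0.1 structure, 80% of max entropy) are assumptions
    chosen for this example; tune them against your own baseline traffic.
    """
    reasons: list[str] = []
    if pkt.icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return reasons
    n = len(pkt.payload)
    if n > max_benign_len:
        reasons.append(f"payload {n} bytes exceeds {max_benign_len}")
    if n >= 16:
        # Entropy cannot exceed log2(n) for short payloads, so compare with that cap.
        ratio = shannon_entropy(pkt.payload) / min(8.0, math.log2(n))
        if structure_score(pkt.payload) < 0.1 and ratio > 0.8:
            reasons.append(f"unstructured payload at {ratio:.0%} of max entropy")
    return reasons


# --- constructed sample traffic (not captured from any real device) ---------

def linux_ping_payload(seconds: int = 1730000000, usec: int = 0) -> bytes:
    """Default 56-byte iputils payload on 64-bit Linux: host-order timeval (16
    bytes) followed by filler bytes whose value equals their offset, 0x10..0x37."""
    return struct.pack("<QQ", seconds, usec) + bytes(range(0x10, 0x38))


def keystream_ciphertext(plaintext: bytes, key: bytes = b"constructed-key") -> bytes:
    """Stand-in for an encrypted C2 blob: XOR with a SHA-256-derived keystream."""
    stream = b"".join(
        hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        for i in range(len(plaintext) // 32 + 1)
    )
    return bytes(p ^ k for p, k in zip(plaintext, stream))


def build_echo(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Assemble an ICMP echo request; checksum left zero, it is not validated here."""
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload


BENIGN_ECHO = build_echo(linux_ping_payload())
# 192-byte blob standing in for encrypted tasking carried inside an echo request.
COVERT_ECHO = build_echo(keystream_ciphertext(b"A" * 192), seq=7)


def triage(raw_packets: list[bytes]) -> dict[int, list[str]]:
    """Map each packet's sequence number to its indicator list."""
    out: dict[int, list[str]] = {}
    for raw in raw_packets:
        pkt = parse_icmp(raw)
        out[pkt.seq] = covert_channel_indicators(pkt)
    return out


if __name__ == "__main__":
    for seq, reasons in triage([BENIGN_ECHO, COVERT_ECHO]).items():
        print(seq, "suspicious:" if reasons else "benign", "; ".join(reasons))
```

The structure score is what keeps the benign ping from tripping the entropy test: a 56-byte payload of mostly distinct sequential bytes has entropy close to its log2(56) cap, so entropy alone would misfire; requiring both low structure and high entropy separates filler from ciphertext. In a real deployment the raw bytes would come from a packet capture or a NIDS hook, and large but legitimate echo payloads (MTU probing, monitoring tools) should be whitelisted by source before the length rule is acted on.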

The exposure comes less than 24 hours after Sophos admitted to using custom implants to spy on Chinese government-backed hackers targeting zero-day flaws in its products.

The Thoma Bravo-owned Sophos described fending off multiple campaigns beginning as early as 2018, each building on the previous in sophistication and aggression. The attacks included a successful hack of Sophos’ Cyberoam satellite office in India, where attackers gained initial access through an overlooked wall-mounted display unit. An investigation quickly concluded that the Sophos facility hack was the work of an “adaptable adversary capable of escalating capability as needed to achieve their objectives.”

By 2020, Sophos said its threat hunting teams found devices under the control of the Chinese hackers. After legal consultation, the company said it deployed a “targeted implant” to monitor a cluster of attacker-controlled devices.

“The additional visibility quickly allowed [the Sophos research team] to identify a previously unknown and stealthy remote code execution exploit,” the company said.

After initial access, Sophos said it tracked the attackers breaking into devices to deploy payloads for persistence, including the Gh0st remote access Trojan (RAT), a previously unseen rootkit, and adaptive control mechanisms designed to disable hotfixes and avoid automated patches. 

Related: Sophos Used Custom Implants to Surveil Chinese Hackers 

Related: Volexity Blames ‘DriftingCloud’ APT For Sophos Firewall Zero-Day

Related: Sophos Warns of Attacks Exploiting Recent Firewall Vulnerability

Related: CISA Warns of Attacks Exploiting Sophos Web Appliance Vulnerability

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
