In October 2022, a critical vulnerability was discovered in servers running Sophos Firewall solutions. Early into 2023, this vulnerability continues to be exploited and could pose a significant threat to aerospace manufacturers and suppliers. This vulnerability is the second reported of its kind in 2022, after a similar Sophos exploit was discovered in March 2022, tracked as CVE-2022-1040, where it was reported that an advanced persistent threat targeted Sophos firewalls, leveraging an authentication bypass in the user portal which allowed for remote control execution. The vulnerability was reported to be actively exploited by state-sponsored threat actors targeting manufacturing organizations across South Asia, among other entities.
The newest Sophos vulnerability, tracked as CVE-2022-3236, is a code-injection vulnerability, which yet again affects Sophos Firewalls and can enable remote-control execution. The company disclosed the vulnerability in October 2022, revealing that it had been exposed in the wild and recommending customers issue hotfixes and eventually a patch to remedy the issue.
In the disclosure, Sophos elaborates that exploitation of the vulnerability came from “a series of limited attacks with malware that had unique characteristics,” indicating that there was a concerted effort made by threat actors to covertly infiltrate and exploit affected devices. While Sophos took immediate steps to remediate CVE-2022-3236, around 4,000 devices remain vulnerable to exploitation, which comprises about 6% of all Sophos Firewalls, according to the January publication from VulnCheck. This estimate comes several months after a patch was issued to customers, mentioning that the 4,000-plus devices were too old to receive a hotfix. Analysts note that CVE-2022-3236 has a base criticality score of 9.8 and is deemed critical if left unpatched, according to the NIST National Vulnerability Database.
Among the targeted entities were several South Asian organizations, many of whom may provide manufacturing, distribution and R&D efforts to the aerospace industry. In July of 2022, Sophos continued to bolster their investment into the Association of Southeast Asian Nations (ASEAN), providing security solutions across the 10 countries, including Sophos Firewall. In an analysis of current and future ASEAN supply chain clusters, Boston Consulting Group (BCG) denotes efforts in aerospace and electronic equipment as leading sectors and mentions semiconductors as potential supply chain pivot points. Sophos’ increased footprint within ASEAN-linked and ASEAN-based manufacturing organizations leads to this vulnerability being especially harmful to suppliers using firewalls that may remain exposed due to older configurations that cannot be patched.
Potential motivation for adversaries to exploit this vulnerability could come from the strong manufacturing capabilities and future value propositions, as is the case with ASEAN manufacturing entities. The BSN article states, “ASEAN is currently in a strong export position in sectors such as electronics, aerospace, semiconductors, and packaged foods. There is potential for expansion and for the region to move up the value chain in these sectors.”
This implied movement, coupled with the relatively unexplored, yet vulnerable manufacturing sector could present a motive and entry point for cyberthreat actors to exploit. Sophos includes several metrics in their “State of Ransomware in Manufacturing and Production 2022” report that suggest while manufacturing and production reported the lowest rate of ransomware attacks across all major sectors, (55% of all organizations) the amount of ransom paid was the highest for all sectors (a staggering $2,036,189).
Simply put, the manufacturing and production sector could be a relatively unexplored vector to target space supply chains via vulnerabilities like CVE-2022-3236. Entities looking to continue growth in the manufacturing space, like South Asian companies affiliated with ASEAN, may draw attention from nation states looking to keep a close hold on supply chain dependencies, despite economic and geopolitical limitations.
Read more from Space ISAC.