"Chinese Espionage Hackers Target Tibetans Using New LOWZERO Backdoor"

A China-aligned advanced persistent threat (APT) actor tracked as TA413 exploited two recently disclosed vulnerabilities to deliver a new backdoor named LOWZERO as part of an espionage campaign against Tibetan entities: CVE-2022-1040, an authentication bypass in the Sophos Firewall User Portal and Webadmin interfaces that leads to remote code execution, and CVE-2022-30190, the "Follina" flaw in the Microsoft Support Diagnostic Tool (MSDT) that is triggered through malicious Microsoft Office documents. LOWZERO can retrieve additional modules from its command-and-control (C2) server, but only when the compromised host is judged to be of interest to the operators, which limits what defenders can recover from an infected but uninteresting machine. The primary targets were organizations associated with the Tibetan community, including those linked to the Tibetan government-in-exile. TA413, also known as LuckyCat, has targeted organizations and individuals associated with the Tibetan community since at least 2020 with malware such as ExileRAT, Sepulcher, and a malicious Mozilla Firefox browser extension dubbed FriarFox. This article continues to discuss TA413's exploitation of the Sophos Firewall and Follina vulnerabilities to deploy the LOWZERO backdoor in a campaign targeting Tibetan entities.
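The Office delivery path in this campaign is the public Follina technique, in which a Word document's relationship part points at an external OLE object that in turn hands an ms-msdt: URI to MSDT. The following triage script is an added example written for this page, not code from the article or from the researchers who reported the campaign. It applies two heuristics to a .docx: an external OLE relationship, and the ms-msdt: scheme appearing in any XML part. The sample document it builds is constructed for the demonstration, and the URL in it is a placeholder (an assumption, not an indicator from the campaign).

```python
"""Heuristic triage for Follina-style (CVE-2022-30190) Word documents.

Added example for this page; not the article's or the researchers' code.
"""
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# Namespace of OPC relationship parts such as word/_rels/document.xml.rels.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
# The URI scheme that hands attacker-controlled input to MSDT.
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)


def scan_docx(data):
    """Return a list of findings for one .docx given as bytes.

    An empty list means neither heuristic fired; it does not prove the
    file is clean (the ms-msdt: string usually lives in the fetched HTML,
    not in the document itself, so the external-OLE check matters most).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if not lower.endswith((".xml", ".rels")):
                continue
            blob = zf.read(name)
            if MSDT_RE.search(blob):
                findings.append(f"{name}: ms-msdt: URI scheme present")
            if not lower.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(blob)
            except ET.ParseError:
                findings.append(f"{name}: unparseable relationships part")
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == OLE_REL_TYPE
                        and rel.get("TargetMode", "Internal") == "External"):
                    findings.append(
                        f"{name}: external OLE object -> {rel.get('Target', '')}")
    return findings


def build_sample_docx(with_external_ole):
    """Constructed minimal .docx for testing; not a real malware sample."""
    rels = [
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/styles" Target="styles.xml"/>'
    ]
    if with_external_ole:
        # Placeholder target (assumption for the demo, not a campaign indicator).
        rels.append(
            f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
            'Target="http://example.invalid/page.html!" TargetMode="External"/>'
        )
    document_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">' + "".join(rels) + "</Relationships>"
    )
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/'
        'wordprocessingml/2006/main">'
        "<w:body><w:p><w:r><w:t>hello</w:t></w:r></w:p></w:body></w:document>"
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/'
        'vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", document_rels)
        zf.writestr("word/styles.xml", '<?xml version="1.0"?><styles/>')
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("benign", False), ("suspicious", True)):
        print(label, scan_docx(build_sample_docx(flag)) or ["no findings"])
```

Run it over a mail-gateway quarantine or a sandbox drop folder by reading each file into `scan_docx`; a hit on the external-OLE heuristic is a reason to pull the document into full analysis, and the patch for CVE-2022-30190 (or disabling the MSDT URL protocol handler, as Microsoft advised before the patch) is the actual mitigation.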

THN reports "Chinese Espionage Hackers Target Tibetans Using New LOWZERO Backdoor"

Submitted by Anonymous on