SecurityWeek reports that numerous Sophos XG firewall devices have been compromised with Pygmy Goat, an advanced and stealthy backdoor first seen in 2022 that communicates over encrypted ICMP packets and also hides its malicious traffic by disguising it as legitimate SSH connections.
Other Linux-based network devices may also have been targeted by Pygmy Goat, as suggested by its use of a fake Fortinet certificate, a pair of remote shells, and several communication wake-up techniques, according to a report from the UK's National Cyber Security Centre. "While not containing any novel techniques, Pygmy Goat is quite sophisticated in how it enables the actor to interact with it on demand, while blending in with normal network traffic. The code itself is clean, with short, well-structured functions aiding future extensibility, and errors are checked throughout, suggesting it was written by a competent developer or developers," said the NCSC. The analysis follows a Sophos report describing the cybersecurity firm's deployment of proprietary implants to monitor and defend against Chinese state-sponsored attackers exploiting zero-day vulnerabilities in its products.