Hackers from China abused a zero-day exploit for a critical-severity vulnerability in Sophos Firewall. They compromised a company and breached cloud-hosted web servers managed by the victim.

The abuse of the zero-day

Volexity disclosed an attack from a Chinese APT group, tracked as DriftingCloud. The threat actor has been abusing the CVE-2022-1040 RCE flaw since early March, just three weeks before a patch was released by Sophos.
  • In March, Sophos released a security advisory about this RCE flaw that affects the User Portal and Webadmin of Sophos Firewall.
  • Three days later, the vendor warned and disclosed that cybercriminals were taking advantage of the security flaw to target various organizations in South Asia.

The attackers exploited the zero-day flaw to compromise the firewall and install webshell backdoors and malware, which they then used as a foothold to compromise external systems outside the network protected by Sophos Firewall.

More insights

The attacker was using the Behinder framework, which is believed to be used by other Chinese APT groups who exploited the CVE-2022-26134 flaw in Confluence servers.
  • Gaining access to Sophos Firewall is the first step in the attack, which enables a Man-in-the-Middle (MitM) attack by modifying DNS responses for specific websites of the victim firms.
  • The attacker successfully accesses the CMS admin pages using stolen session cookies and subsequently installs a File Manager plugin for manipulating files on the website.
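The DNS-tampering stage described above is something a defender can check for independently of the firewall: resolve a short list of high-value domains through the normal (firewall-fronted) resolver and compare the answers with a known-good baseline kept out of band. The script below is an added example written for this article, not code from Volexity, Sophos or the article's author; the domain names, IP addresses and the `BASELINE` inventory are constructed placeholders, and `resolve_with_system` is a hypothetical helper that uses the host's configured resolver.

```python
"""Detect DNS-response tampering by comparing live answers with a baseline.

Added example for this article (not the article's or any vendor's code).
Domains and IPs below are constructed; the baseline would normally be loaded
from a signed, out-of-band inventory rather than hard-coded.
"""
import socket
from typing import Callable, Dict, List, Set, Tuple

# Constructed baseline: domains the organization depends on and the A records
# it expects to see. Any answer outside this set is worth investigating.
BASELINE: Dict[str, Set[str]] = {
    "www.example-victim.test": {"203.0.113.10", "203.0.113.11"},
    "cms.example-victim.test": {"203.0.113.20"},
}

# Finding = (domain, reason, set of unexpected addresses)
Finding = Tuple[str, str, Set[str]]


def resolve_with_system(domain: str) -> Set[str]:
    """Resolve via the host's configured resolver (the path a MitM on the
    firewall would sit on). Hypothetical helper; returns an empty set on
    failure so the caller can flag missing answers."""
    try:
        infos = socket.getaddrinfo(domain, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def compare(baseline: Dict[str, Set[str]],
            observed: Dict[str, Set[str]]) -> List[Finding]:
    """Return one finding per domain whose observed answers are missing or
    contain addresses that are not in the baseline."""
    findings: List[Finding] = []
    for domain, expected in baseline.items():
        got = observed.get(domain, set())
        if not got:
            findings.append((domain, "no-answer", set()))
        elif not got <= expected:
            # Partial overlap still counts: an attacker may add one rogue
            # record rather than replace the whole answer.
            findings.append((domain, "unexpected-answer", got - expected))
    return findings


def audit(baseline: Dict[str, Set[str]],
          resolver: Callable[[str], Set[str]] = resolve_with_system) -> List[Finding]:
    """Resolve every baseline domain with `resolver` and compare the results."""
    observed = {domain: resolver(domain) for domain in baseline}
    return compare(baseline, observed)


def format_findings(findings: List[Finding]) -> List[str]:
    """Render findings as single-line log entries for a SIEM or cron mail."""
    return [
        f"DNS-TAMPER-CHECK domain={d} result={reason} unexpected={sorted(ips)}"
        for d, reason, ips in findings
    ]


# Constructed observed answers standing in for a live resolver: the CMS host
# has been redirected to an address that is not in the baseline.
CONSTRUCTED_OBSERVED: Dict[str, Set[str]] = {
    "www.example-victim.test": {"203.0.113.10"},
    "cms.example-victim.test": {"198.51.100.7"},
}


if __name__ == "__main__":
    # Offline demonstration against the constructed answers.
    for line in format_findings(compare(BASELINE, CONSTRUCTED_OBSERVED)):
        print(line)
    # For a real check, run audit(BASELINE) from a scheduled job and alert on
    # any non-empty result.
```

Running the audit from a host behind the firewall and, separately, from a host that resolves through an unrelated external path gives two independent views; a domain that only deviates from the baseline on the firewall-fronted path is the signature to look for. The check deliberately reports partial overlaps, since adding a single rogue record is enough to steer some clients.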

The solution

Sophos has fixed the flaw and provided mitigations to help organizations secure their firewalls against threat actors abusing the vulnerability.
Cyware Publisher