Attackers exploited a critical zero-day remote code execution (RCE) vulnerability in Sophos Firewall against a small number of customer networks. Sophos responded by releasing a hotfix for the affected firewall versions.

Exploiting the bug

The issue, tracked as CVE-2022-3236, affects Sophos Firewall v19.0 MR1 (19.0.1) and older. It is a code injection vulnerability in the User Portal and Webadmin components that can lead to remote code execution. Sophos says the flaw has been abused to target a small number of specific organizations, predominantly in South Asia.

Fixing the bug

  • As a workaround, Sophos recommends disabling WAN access to the User Portal and Webadmin, and using VPN and/or Sophos Central for remote access and management instead. Customers who have "Allow automatic installation of hotfixes" enabled receive the fix automatically; others should update to the latest supported version.
  • Sophos Firewall users running older, unsupported versions must upgrade to a supported version to receive the latest protections and fixes.
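The two remediation points above (patch or upgrade anything at or below the affected ceiling, and take the User Portal and Webadmin off the WAN) are the kind of thing an operator checks across a fleet. The following is an added triage example, not Sophos tooling or code from the original article. It assumes Sophos version strings are written as "v19.0 MR1", "19.0 MR1-1", "19.0 GA" or the dotted form "19.0.1" (the page only gives the ceiling "v19.0 MR1 (19.0.1)"), and it takes the WAN-exposure flags from your own external scan or rule review; the inventory at the bottom is constructed.

```python
"""Fleet triage for the CVE-2022-3236 advisory summarised above.

Added example, not Sophos code. Assumptions (not stated on the page):
 - version strings look like "v19.0 MR1", "19.0 MR1-1", "19.0 GA" or
   the dotted form "19.0.1"; the page gives only the affected ceiling
   "v19.0 MR1 (19.0.1) and older".
 - the User Portal / Webadmin WAN-exposure flags come from your own
   external port scan or firewall rule review.
 - INVENTORY is constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Highest affected version named in the advisory summary: v19.0 MR1 == 19.0.1
MAX_AFFECTED = (19, 0, 1)

_VERSION_RE = re.compile(
    r"^v?(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.(?P<patch>\d+)"                       # dotted form: 19.0.1
    r"|\s*MR\s*(?P<mr>\d+)(?:-(?P<sub>\d+))?"    # maintenance release: MR1, MR1-1
    r"|\s*GA)?$",                                # general availability == MR0
    re.IGNORECASE,
)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Normalise a Sophos Firewall version string to (major, minor, mr, sub).

    "19.0 MR1" and "19.0.1" are the same release (the page equates them);
    GA is MR0; the optional "-n" suffix on an MR is kept as a fourth
    component so "19.0 MR1-1" sorts after "19.0 MR1".
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Sophos Firewall version: {text!r}")
    major, minor = int(m["major"]), int(m["minor"])
    mr = int(m["patch"]) if m["patch"] else int(m["mr"] or 0)
    sub = int(m["sub"]) if m["sub"] else 0
    return (major, minor, mr, sub)


def is_affected(version: str) -> bool:
    """True if the version is v19.0 MR1 (19.0.1) or older.

    Sub-releases of an MR (e.g. MR1-1) are treated as that MR, so they
    fall inside the affected range rather than being silently skipped.
    """
    return parse_version(version)[:3] <= MAX_AFFECTED


@dataclass
class Appliance:
    name: str
    version: str
    user_portal_on_wan: bool   # from your external scan / rule review
    webadmin_on_wan: bool      # from your external scan / rule review


def triage(inventory: List[Appliance]) -> Dict[str, List[str]]:
    """Map appliance name -> list of actions; appliances needing nothing are omitted."""
    findings: Dict[str, List[str]] = {}
    for a in inventory:
        notes = []
        if is_affected(a.version):
            notes.append("affected version: apply hotfix or upgrade")
        if a.user_portal_on_wan:
            notes.append("User Portal reachable from WAN: disable WAN access")
        if a.webadmin_on_wan:
            notes.append("Webadmin reachable from WAN: disable WAN access")
        if notes:
            findings[a.name] = notes
    return findings


# Constructed inventory for illustration only.
INVENTORY = [
    Appliance("fw-branch-01", "v19.0 MR1", True, True),
    Appliance("fw-branch-02", "18.5 MR4", False, True),
    Appliance("fw-dc-01", "v19.5 GA", False, False),   # above the page's ceiling
    Appliance("fw-lab", "19.0.1", False, False),
]

if __name__ == "__main__":
    for name, notes in triage(INVENTORY).items():
        print(name)
        for n in notes:
            print("  -", n)
```

Only the version check is derived from the advisory text; the exposure flags are whatever your own scan or rule review reports, so feed them in from that data rather than from the constructed list above.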

The attack marks the second time in a year that a Sophos Firewall vulnerability has been exploited in the wild. An earlier flaw, CVE-2022-1040, an authentication bypass in the same User Portal and Webadmin components, was exploited in March 2022, also against organizations in South Asia.

More details

In June 2022, cybersecurity firm Volexity attributed the exploitation of CVE-2022-1040 to a Chinese advanced persistent threat (APT) group it tracks as DriftingCloud.

Earlier still, in 2020, Sophos XG Firewall appliances were compromised through a zero-day SQL injection flaw to install the Asnarök trojan, which harvested credentials and other sensitive data from the devices.
Cyware Publisher