Chinese DriftingCloud APT exploited Sophos Firewall Zero-Day before it was fixed

Pierluigi Paganini June 17, 2022

China-linked threat actors exploited the zero-day flaw CVE-2022-1040 in Sophos Firewall weeks before it was fixed by the security vendor.

Volexity researchers discovered that the zero-day vulnerability, tracked as CVE-2022-1040, in Sophos Firewall was exploited by Chinese threat actors to compromise a company and cloud-hosted web servers it was operating.

The vulnerability was exploited by the Chinese attackers to drop a webshell into the target systems weeks before it was fixed by the security vendor.

On March 25, Sophos announced to have fixed the authentication bypass vulnerability, tracked as CVE-2022-1040, that resides in the User Portal and Webadmin areas of Sophos Firewall.

The CVE-2022-1040 flaw received a CVSS score of 9.8 and impacts Sophos Firewall versions 18.5 MR3 (18.5.3) and earlier.

“An authentication bypass vulnerability allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall and responsibly disclosed to Sophos. It was reported via the Sophos bug bounty program by an external security researcher. The vulnerability has been fixed.” reads the advisory published by the company.

A remote attacker with access to the Firewall’s User Portal or Webadmin interface can exploit the flaw to bypass authentication and execute arbitrary code.

Sophos Firewall User Portal interface
Source Sophos community

A few days later, Sophos warned that the CVE-2022-1040 flaw is actively exploited in attacks aimed at a small set of Asian organizations.

“Sophos has observed this vulnerability being used to target a small set of specific organizations primarily in the South Asia region. We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate.” reads the advisory published by the vendor.

Now researchers from Volexity revealed that a Chinese APT group, tracked as DriftingCloud, exploited the flaw since early March. The threat actors used a zero-day exploit to drop a webshell backdoor and target the customer’s staff.

“This particular attack leveraged a zero-day exploit to compromise the customer’s firewall. Volexity observed the attacker implement an interesting webshell backdoor, create a secondary form of persistence, and ultimately launch attacks against the customer’s staff. These attacks aimed to further breach cloud-hosted web servers hosting the organization’s public-facing websites.” reads the report published by Volexity. “This type of attack is rare and difficult to detect. This blog post serves to share what highly targeted organizations are up against and ways to defend against attacks of this nature.”

Volexity discovered the intrusion while investigating suspicious traffic originating from the Sophos Firewall to key systems in its customer’s networks. The analysis of the logs revealed significant and repeated suspicious access aimed at a valid JSP file (login.jsp).

Sophos Firewall attack

Further investigation revealed that the threat actors use the Behinder framework, which was employed by other Chinese APT groups in attacks exploiting the recently disclosed CVE-2022-26134 flaw in Confluence servers.

The compromise of the Sophos Firewall was the phase of the attack chain, threat actors later performed man-in-the-middle (MitM) attacks to collect data and use them to compromise additional systems outside of the network where the firewall resided.

“Volexity discovered that the attacker used their access to the firewall to modify DNS responses for specially targeted websites in order to perform MITM attacks. The modified DNS responses were for hostnames that belonged to the victim organization and for which they administered and managed the content. This allowed the attacker to intercept user credentials and session cookies from administrative access to the websites’ content management system (CMS).” states the report.”Volexity determined that in multiple cases, the attacker was able to access the CMS admin pages of the victim organization’s websites with valid session cookies they had hijacked.”

Once gained access to the target webservers, the DriftingCloud APT deployed multiple open-source malware, including PupyRATPantegana, and Sliver.

Volexity researchers shared the indicators of compromise for the attacks and YARA rules to detect the attack pattern.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit:

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Sophos Firewall)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment