Hackers exploited a vulnerability in Sophos firewalls 3 weeks before the fix


This week, the information security company Volexity released
a report according to which a critical zero-day vulnerability in Sophos firewalls was exploited by Chinese hackers a few weeks before the release of the fix.

On March 25, 2022, Sophos published a security notice about the vulnerability of bypassing authentication CVE-2022-1040 in the User Portal and Webadmin of Sophos firewalls, allowing remote code execution on a vulnerable system. Three days later, the company announced that cybercriminals were already exploiting it in attacks on organizations in South Asian countries.

Now, Volexity researchers have told about the attacks of the Chinese APT group DriftingCloud, which has been exploiting this vulnerability since the beginning of March 2022. That is, hackers armed themselves with it at least three weeks before the release of the fix.

According to the researchers, in March they recorded malicious activity involving the Sophos firewall in the network of one of Volexity’s clients. As it turned out, the attackers hacked the firewall in order to install web shells (backdoors) and malware that allows compromising external systems outside the network protected by the Sophos firewall.

When Volexity began its investigation, the hackers were still active, and researchers could track their every move. The attackers tried to hide their traffic by accessing web shells using requests to the legitimate login.jsp file.

Digging deeper, the researchers found that hackers used the Behinder framework, which is also used by other Chinese APT groups exploiting the vulnerability CVE-2022-26134 in Confluence servers.

According to experts, gaining access to the Sophos firewall was the first stage of the attack, thanks to which attackers could carry out man-in-the-middle attacks by modifying DNS responses for certain websites managed by the attacked company. This allowed them to intercept user credentials and cookies for administrative access to the content management system (CMS).

Having gained access to the administration pages, hackers installed the File Manager plugin to manage site files (upload, upload, delete, edit). Having access to the web server, DriftingCloud installed Trojans for remote access PupyRAT, Pantegana and Sliver.