Sophos Firewall zero-day flaw was already exploited by hackers

Chinese hackers targeted a South Asian entity weeks before the Sophos zero-day bug got fixed

Flaw exploited before the patch. Sophos Firewall zero-day flaw was exploited weeks before the fix.

Attackers exploited a critical-severity zero-day flaw in Sophos Firewall to compromise a South Asian company and breach its cloud-hosted web servers.[1] The issue has since been fixed, but before the patch threat actors managed to exploit the vulnerability to bypass authentication and run arbitrary code remotely in attacks on various organizations.[2]

A sophisticated Chinese advanced persistent threat (APT) group exploited the critical security flaw in Sophos' firewall product. The flaw came to light earlier this year, and the group abused it to infiltrate an unnamed South Asian target in a highly targeted attack.[3]

Sophos issued a security advisory a few months ago about CVE-2022-1040.[4] The authentication bypass vulnerability affects the User Portal and Webadmin interfaces of Sophos Firewall and could be exploited to execute commands remotely. This week, cybersecurity researchers detailed an attack carried out by a Chinese APT tracked as DriftingCloud. The attacks happened three weeks before Sophos released the patch.

Attackers backdoored Sophos Firewall

The Chinese attackers deployed a web shell backdoor, set up a secondary form of persistence, and ultimately launched attacks against the customer's staff. These campaigns aimed to breach the cloud-hosted web servers hosting the organization's public-facing sites. The attackers then used that access to conduct man-in-the-middle (MITM) attacks.

As Volexity reports,[5] the stolen session cookies were later used to compromise other servers outside of the firewalled network. The investigation began while the threat actors were still actively running their campaign. Researchers were able to monitor the steps of the attack and revealed how the APT actors managed to remain undetected.

At first glance, this might appear to be a brute-force login attempt instead of an interaction with a backdoor. The only real elements that appeared out of the ordinary in the log files were the referrer values and the response status codes.

The team noted that the attackers also tried to blend in by accessing the installed web shell via requests to the legitimate login.jsp file. Researchers also found that the attackers used the Behinder framework, which other Chinese APT groups have used before.

Taking the attack further once access was gained

Researchers found further malicious activity that helped the threat actors extend their attack: creating VPN user accounts and associating certificate pairs on the firewall for legitimate-looking remote network access, and running malicious commands to download a binary, execute it, and delete it from disk.

Gaining access to the Sophos Firewall was only the first step in the attack chain. With that access, the hackers could perform man-in-the-middle attacks by modifying DNS responses for particular websites managed by the company. Attackers could then intercept user credentials and session cookies granting administrative access to those websites and their content management systems.

These attacks were successful: CMS admin pages were accessed, and the File Manager plugin was installed for handling files on the website, letting the threat actors upload, download, delete, or edit files. DriftingCloud also deployed other malware, installing PupyRat, Pantegana, and Sliver. These remote access tools are publicly available for download.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
