Chinese Hackers Abuse Zero-day Bug in Sophos Firewall


Chinese hackers leveraged a zero-day exploit for a critical-severity vulnerability in Sophos Firewall to infiltrate a corporation and gain access to the victim’s cloud-hosted web servers. According to Volexity, the attack was carried out by a Chinese APT group tracked as DriftingCloud. The threat actor had been exploiting the CVE-2022-1040 remote code execution (RCE) bug since early March, barely three weeks before Sophos released a patch.

According to a security alert released in March, the RCE bug affects the User Portal and Webadmin interfaces of Sophos Firewall. Three days later, the vendor issued a warning revealing that attackers were exploiting the flaw to target several South Asian enterprises. The attackers used the zero-day flaw in the firewall to install webshell backdoors and malware, which allowed them to reach systems beyond the Sophos Firewall itself.