Chinese hackers used a zero-day exploit for a critical-severity vulnerability in Sophos Firewall to compromise a company and breach cloud-hosted web servers operated by the victim.
On March 25, Sophos published a security advisory about CVE-2022-1040, an authentication bypass vulnerability that affects the User Portal and Webadmin of Sophos Firewall and could be exploited to execute arbitrary code remotely.
This week, cybersecurity company Volexity detailed an attack from a Chinese advanced persistent threat group they track as DriftingCloud, which exploited CVE-2022-1040 since early March, a little over three weeks before Sophos released a patch.
The adversary used the zero-day exploit to compromise the firewall to install webshell backdoors and malware that would enable compromising external systems outside the network protected by Sophos Firewall.
The researchers say that gaining access to Sophos Firewall was the first step of the attack, allowing the adversary to perform man-in-the-middle activity by way of modifying DNS responses for specific websites managed by the victim company.
Sophos provided hotfixes that address CVE-2022-1040 automatically as well as mitigations that help organizations using its firewall protect against exploiting the vulnerability.