A sophisticated Chinese APT was caught exploiting a Sophos firewall zero-day to plant backdoors and launch MITM attacks.
The Sophos firewall vulnerability tracked as CVE-2022-1040 was patched in March this year, but only after Volexity intercepted a sophisticated zero-day attack that exposed Sophos users to remote code execution (RCE).
The attack aimed to go further and breach the cloud-hosted web servers that served the organization's public-facing websites. This type of attack is rare and difficult to detect.
The attacker used its access to the firewall to conduct MITM attacks. The activity was attributed to the DriftingCloud APT group, which used data collected from these MITM attacks to compromise additional systems outside the network where the firewall resided.
While gaining access to the target’s Sophos Firewall was likely a primary objective, it appears this was not the attacker’s only objective. The attacker used their access to the firewall to modify DNS responses for specially targeted websites in order to perform MITM attacks.
The modified DNS responses were for hostnames that belonged to the victim organization and whose content the organization itself administered and managed. This allowed the attacker to intercept user credentials and session cookies from administrative access to the websites' content management system.
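As an added defender-side example (not code from Volexity's report or from Sophos), here is a check for the symptom described above: the organization's own hostnames are resolved through the firewall's resolver and through an independent reference resolver, and any disagreement is flagged. The hostnames and addresses are constructed sample data; the optional dnspython helper assumes that library is installed.

```python
# Added example: detect DNS answers for an organization's own hostnames that
# differ between the firewall resolver (the path described as tampered) and an
# independent reference resolver. Sample names/addresses are constructed.
from typing import Callable, Dict, List, Set

# A resolver is any callable mapping a hostname to its set of A-record strings.
Resolver = Callable[[str], Set[str]]


def find_tampered_answers(hostnames: List[str], firewall: Resolver,
                          reference: Resolver) -> Dict[str, Dict[str, Set[str]]]:
    """Return, per hostname, the answer sets that disagree between the two paths.

    'unexpected' holds addresses the firewall path returned that the reference
    path did not, i.e. the candidate attacker-controlled MITM endpoints.
    """
    findings: Dict[str, Dict[str, Set[str]]] = {}
    for name in hostnames:
        fw_answers = firewall(name)
        ref_answers = reference(name)
        if fw_answers != ref_answers:
            findings[name] = {
                "firewall": fw_answers,
                "reference": ref_answers,
                "unexpected": fw_answers - ref_answers,
            }
    return findings


def dnspython_resolver(nameserver: str) -> Resolver:
    """Build a Resolver that queries one specific nameserver (assumes dnspython)."""
    import dns.resolver  # imported lazily so the rest of the module runs without it
    r = dns.resolver.Resolver(configure=False)
    r.nameservers = [nameserver]
    return lambda name: {rr.address for rr in r.resolve(name, "A")}


# Constructed sample views (RFC 5737 documentation addresses): the firewall path
# redirects the CMS hostname to an address the reference path never returns.
REFERENCE_VIEW = {"www.example.org": ["203.0.113.10"],
                  "cms.example.org": ["203.0.113.20"],
                  "mail.example.org": ["203.0.113.30"]}
FIREWALL_VIEW = {"www.example.org": ["203.0.113.10"],
                 "cms.example.org": ["198.51.100.77"],
                 "mail.example.org": ["203.0.113.30"]}


def static_resolver(view: Dict[str, List[str]]) -> Resolver:
    return lambda name: set(view.get(name, ()))


def demo() -> Dict[str, Dict[str, Set[str]]]:
    return find_tampered_answers(list(REFERENCE_VIEW), static_resolver(FIREWALL_VIEW),
                                 static_resolver(REFERENCE_VIEW))
```

In production the two static views would be replaced by `dnspython_resolver(<firewall resolver IP>)` and a resolver pointed at an external source such as the zone's authoritative servers, and the check would be scheduled against the full list of hostnames the organization manages.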
The Sophos firewall product has been a major target for advanced attackers targeting businesses. If you are a Sophos customer, patch the vulnerability as soon as possible, following the Sophos advisory in full.
This research was conducted and documented by the security firm Volexity.