Sophos Firewall zero-day bug exploited weeks before fix

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

A vulnerability in the Sophos Firewall, first discovered in late March and patched soon afterwards, was being exploited by a Chinese advanced persistent threat (APT), in the weeks before the patch was released, reports have revealed.

Researchers from cybersecurity firm Volexity, the threat actor, known as DriftingCloud, exploited the CVE-2022-1040 since early March, against a number of unnamed entities. It used it to bypass authentication, and run arbitrary code on the victims’ endpoints. The flaw affects the User Portal and Webadmin of Sophos Firewall, and the threat actors managed to install webshell backdoors and other malware.

At the moment of discovery, the compromise was still active, and the threat actor was still moving around the network, giving the researchers a unique insight into the operation of an APT. The conclusion of that observation is that the group was “sophisticated” and that it made a valiant effort to remain undetected. 

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Stage two malware

Among other things, the group blended its traffic by accessing the installed webshell through requests to the legitimate file “login.jps”, BleepingComputer reported.

“At first glance, this might appear to be a brute-force login attempt instead of an interaction with a backdoor. The only real elements that appeared out of the ordinary in the log files were the referrer values and the response status codes,” Volexity explained in its writeup.

After accessing the target network, the threat actor moved to install three distinct malware families - PupyRAT, Pantegana, and Sliver. All three are used for remote access, and are publicly available.

The fix for CVE-2022-1040 has been available for months now, and users are advised to patch up immediately, given that its severity score is 9.8. 

It’s been a busy quarter for the Sophos team, which recently fixed two high severity vulnerabilities in Sophos Unified Threat Management appliances: CVE-2022-0386 and CVE-2022-0652.

Sophos is a UK-based cybersecurity and network security software developer, focused mostly on security software for organizations with up to 5,000 employees. It was founded in 1985, but pivoted towards cybersecurity in the late 1990s.

In 2019, it was acquired by US-based private equity firm, Thoma Bravo, for approximately $3.9 billion ($7.40 per share).

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
The best free firewall
Sophos hotfixes remote code execution vulnerabilities in Firewall
Best free Linux firewalls
Fortinet warns a critical vulnerability in its systems could let attackers breach company networks
A VPN runs on a mobile phone placed on a laptop keyboard
SonicWall firewalls hit by worrying cyberattack
vpn
Ivanti warns another critical security flaw is being attacked
The best free firewall
Palo Alto Networks PAN-OS sees authentication bypass under attack from hackers
Best free Linux firewalls
SonicWall tells admins to patch worrying SSLVPN flaw immediately
Latest in Security
ransomware avast
Ransomware attacks are costing Government offices a month of downtime on average
Lock on Laptop Screen
Data breach at Pennsylvania education union potentially exposes 500,000 victims
Data leak
Top collectibles site leaks personal data of nearly a million users
Spyware
Stalkerware data breach potentially hits over 2 million users, including thousands of Apple devices
An American flag flying outside the US Capitol building against a blue sky
Five Eyes "cannot replace US intel in Ukraine", claims former US Cyber Command Chief
Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
Criminals are using a virtual hard disk image file to host and distribute dangerous malware
Latest in News
The Samsung Galaxy S25 Edge on display the January 22, 2025 Galaxy Unpacked event.
A fresh Samsung Galaxy S25 Edge benchmark leak has eased my worries about its performance
Google Pixel 9 in green Wintergreen color showing AI features on screen
Older Pixels just got a big performance boost, while the Pixel 9a is lacking a key feature
Wonka poster
Netflix cooks up sweet new reality TV series based on Charlie and the Chocolate Factory, and it's a dream come true for me
Citroen 2CV
The retro EV resurgence is in full swing, as Citroen confirms the iconic 2CV will return with batteries
Hugging Snap
This AI app claims it can see what I'm looking at – which it mostly can
Apple iPhone 16 Pro Max REVIEW
The latest batch of leaked iPhone 17 dummy units appear to show where glass meets metal on the new designs