A vulnerability in Sophos Firewall, disclosed and patched in late March, had been exploited by a Chinese advanced persistent threat (APT) group for weeks before the fix was released, new research reveals.

According to researchers at cybersecurity firm Volexity, the threat actor, tracked as DriftingCloud, had been exploiting CVE-2022-1040 since early March against a number of unnamed organizations. The group used it to bypass authentication and execute arbitrary code on victims' firewalls. The flaw affects the User Portal and Webadmin interfaces of Sophos Firewall, and the attackers used it to install webshell backdoors and other malware.

At the time of discovery the compromise was still active and the threat actor was still moving around the network, giving researchers a rare insight into how an APT operates. The takeaway from this sighting is that the group was "sophisticated" and went to considerable lengths to avoid detection.

Second stage malware

Among other things, the group blended its traffic with legitimate activity by accessing the installed webshell through requests to the legitimate "login.jsp" file, reported BleepingComputer.

"At first glance, this might appear to be a brute-force login attempt rather than a backdoor interaction. The only real things that were out of the ordinary in the log files were the referer values and the response status codes," Volexity explained in its article.
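The two log fields Volexity singles out, referer and response status, are enough to separate webshell interaction from ordinary failed logins when you look at them per source address. The following script is an added example written for this article; it is not Volexity's or Sophos's detection logic. It assumes web-server logs in the common "combined" format, uses "/login.jsp" as a stand-in for the real login page path, and runs over a handful of constructed log lines embedded in the script. The thresholds are illustrative and should be tuned against real baseline traffic.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log lines in Apache/nginx "combined" format (not real Sophos logs).
# 10.0.0.5     : a normal interactive login (302 redirect, then 200 with a local referer)
# 203.0.113.7  : scripted POSTs with no referer that always return 200 (webshell-like)
# 198.51.100.9 : repeated 401s with a normal referer (classic brute force)
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2022:08:01:12 +0000] "POST /login.jsp HTTP/1.1" 302 0 "https://fw.example.com/login.jsp" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2022:08:01:20 +0000] "GET /login.jsp HTTP/1.1" 200 1532 "https://fw.example.com/login.jsp" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2022:09:15:01 +0000] "POST /login.jsp HTTP/1.1" 200 418 "-" "python-requests/2.27"
203.0.113.7 - - [10/Mar/2022:09:15:04 +0000] "POST /login.jsp HTTP/1.1" 200 2210 "-" "python-requests/2.27"
203.0.113.7 - - [10/Mar/2022:09:15:09 +0000] "POST /login.jsp HTTP/1.1" 200 96 "-" "python-requests/2.27"
198.51.100.9 - - [10/Mar/2022:09:20:00 +0000] "POST /login.jsp HTTP/1.1" 401 0 "https://fw.example.com/login.jsp" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2022:09:20:01 +0000] "POST /login.jsp HTTP/1.1" 401 0 "https://fw.example.com/login.jsp" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2022:09:20:02 +0000] "POST /login.jsp HTTP/1.1" 401 0 "https://fw.example.com/login.jsp" "Mozilla/5.0"
"""

# Assumed line shape: combined log format with referer and user agent fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields we care about as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def referer_is_local(referer, host):
    """True when the referer is the firewall's own login page, as a browser would send."""
    if referer in ("", "-"):
        return False
    return urlparse(referer).hostname == host


def classify_sources(log_text, host, login_path="/login.jsp", min_hits=2):
    """Label each source IP that touched the login page.

    webshell-like    : every request lacks a local referer AND every response is 200
                       (a real login form answers with a redirect or an error, not a
                       steady stream of 200s to a client that never loaded the page)
    brute-force-like : three or more 401/403 responses
    normal           : anything else
    """
    stats = defaultdict(lambda: {"total": 0, "ok": 0, "failed": 0, "foreign_referer": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(login_path):
            continue
        s = stats[rec["ip"]]
        s["total"] += 1
        if rec["status"] == 200:
            s["ok"] += 1
        if rec["status"] in (401, 403):
            s["failed"] += 1
        if not referer_is_local(rec["referer"], host):
            s["foreign_referer"] += 1

    verdict = {}
    for ip, s in stats.items():
        if s["total"] >= min_hits and s["foreign_referer"] == s["total"] and s["ok"] == s["total"]:
            verdict[ip] = "webshell-like"
        elif s["failed"] >= 3:
            verdict[ip] = "brute-force-like"
        else:
            verdict[ip] = "normal"
    return verdict


if __name__ == "__main__":
    for ip, label in classify_sources(SAMPLE_LOG, "fw.example.com").items():
        print(f"{ip:15} {label}")
```

The point of the heuristic is that both a brute-force tool and a webshell client hit the same URL, so the request path alone tells you nothing; what differs is that a browser submitting the real form sends the login page as its referer and gets a redirect or an error back, whereas a webshell client sends no referer and gets a 200 with command output every time. On a real deployment, anchor the referer check to the firewall's actual hostname and path and baseline the status distribution before alerting.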

After gaining access to the target network, the threat actor installed three separate malware families: PupyRAT, Pantegana, and Sliver. All three are remote-access tools and all three are publicly available.

The fix for CVE-2022-1040 has been available for months, and administrators who have not yet applied it are advised to do so immediately: the flaw carries a CVSS severity score of 9.8. Sophos also advises against exposing the User Portal and Webadmin interfaces to the WAN, which removes the attack surface this vulnerability depends on.

It has been a busy quarter for the Sophos team, which recently fixed two high-severity vulnerabilities in Sophos Unified Threat Management appliances: CVE-2022-0386 and CVE-2022-0652.

Sophos is a UK-based developer of cybersecurity and network security software, primarily focused on products for organizations with up to 5,000 employees. It was founded in 1985 and moved into cybersecurity in the late 1990s.

In 2019 it agreed to be acquired by US private equity firm Thoma Bravo for around $3.9 billion ($7.40 per share), a deal that closed in 2020.

Via: BleepingComputer