A sophisticated Chinese APT group was recently observed exploiting a Sophos firewall zero-day to plant backdoors and carry out man-in-the-middle attacks, according to threat hunters at Volexity.
The vulnerability, CVE-2022-1040, was patched by Sophos in March of this year, but by then it had already been exploited in the wild as a zero-day, exposing Sophos customers to remote code execution. Volexity's network security monitoring service flagged the problem after detecting anomalous activity originating from a customer's Sophos Firewall.
During the company's forensic analysis, a backdoor was discovered on the firewall, along with evidence of exploitation dating back to March 5, 2022. The attack was attributed to an APT group Volexity tracks as 'DriftingCloud', and indicators of compromise (IOCs) were released so that defenders can check their own firewalls for signs of the same activity.