Sophos firewall exploited by Chinese hackers using a zero-day flaw

Sophos Firewall Vulnerability Exploit Chinese Hackers Zero Day Flaw

A malicious group of threat actors from China exploited a zero-day abuse in Sophos firewall, which researchers classify as critical-severity. The malicious threat actors infected a company and breached their web servers hosted through a cloud.

A Chinese advanced persistent threat (APT) group conducted the attack, dubbed as DriftingCloud. The adversaries have exploited a critical flaw tracked by researchers as CVE-2022-1040 remote code execution (RCE) flaw since early March 2022.

The campaign had already exploited the flaw three weeks before Sophos released an update patch. However, last March, Sophos published a security advisory regarding the remote code execution vulnerability that impacts the Webadmin of Sophos Firewall, as well as its User Portal.


Southern Asian countries are the most impacted region during the exploit of Sophos firewall vulnerability.


The Sophos security vendor also warned and revealed that malicious entities were taking advantage of the mentioned security weakness to target several types of organisations in South Asia, such as India, Malaysia, and Thailand.

The threat actors exploited the zero-day flaws to compromise the firewall to download and install web shell backdoors and malware. The reason for this intrusion is to compromise the external systems of the target outside the network protected by the Sophos firewall.

Researchers also noticed that the threat actors were utilising the Behinder framework, which is assumed to be used by separate Chinese advanced persistent threat groups who abused the CVE-2022-26134 flaw in the servers of Confluence.

Moreover, a Man-in-the-Middle attack will be enabled by threat actors if they can gain access to Sophos Firewall during the first stages of the exploit. They can successfully initiate a MitM attack by altering the DNS responses for specific websites of the victim’s firms.

The adversaries will also gain access to the CMS admin pages by using stolen session cookies and subsequently install a File manager plugin for controlling files on the compromised website.

As Sophos provided a remedy for the issue, they added that organisations could use their firewall again and be protected against threat actors exploiting the vulnerability.

About the author

Leave a Reply