Chinese threat actors manage to obtain access to cloud-based web servers by exploiting zero-day vulnerabilities in Sophos Firewall…
A Sophos Firewall zero-day exploit targeting a critical-severity vulnerability has been used to break into cloud-based web servers. Although Sophos has since addressed the flaw, it has been actively exploited to bypass authentication and remotely execute arbitrary code at multiple organizations.
Sophos had issued a security advisory concerning CVE-2022-1040. This authentication bypass flaw affects the User Portal and Webadmin of Sophos Firewall and might be exploited remotely to execute arbitrary code.
Three days later, the company warned that threat actors were leveraging the security vulnerability to attack many businesses in the South Asia region.
This Monday, the cybersecurity firm Volexity described an attack by the Chinese advanced persistent threat group DriftingCloud, which had exploited CVE-2022-1040 since early March, around three weeks before Sophos issued a patch.
The adversary utilized the zero-day exploit to breach the firewall in order to install webshell backdoors and malware that would allow compromise of external systems outside of the Sophos Firewall-protected network.
When Volexity began its investigation, the threat actor was still operational, so researchers were able to observe the steps of the attack, revealing a skilled adversary that tried to stay unnoticed.
The researchers report that the attacker attempted to camouflage its traffic by contacting the installed webshell through requests to the legitimate file "login.jsp."
"This may appear to be a brute-force login attempt rather than a backdoor interaction at first glance. Referrer values and response status codes were the only truly out-of-the-ordinary components in the log files." - Volexity
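As an added illustration of the detection problem the quote describes (example code, not from Volexity or the original article): the script below parses constructed access-log lines in combined format and flags requests to the login page whose Referer or response status departs from an assumed baseline for interactive logins. The path /login.jsp, the hostname fw.example.test, the sample IPs and the baseline status codes are all assumptions.

```python
import re
from collections import Counter

# Constructed access-log lines (Apache/Nginx "combined" format), not real Volexity data; /login.jsp,
# fw.example.test and the IPs are placeholders for the portal's login page, the firewall host and clients.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2022:08:01:02 +0000] "POST /login.jsp HTTP/1.1" 401 512 "https://fw.example.test/login.jsp" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2022:08:02:11 +0000] "POST /login.jsp HTTP/1.1" 302 0 "https://fw.example.test/login.jsp" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2022:08:05:44 +0000] "POST /login.jsp HTTP/1.1" 200 1874 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2022:08:05:51 +0000] "POST /login.jsp HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2022:08:06:03 +0000] "POST /login.jsp HTTP/1.1" 401 97 "http://203.0.113.9/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed baseline for interactive logins: the browser sends the portal's own page as
# Referer, and a POST to login.jsp ends in 401 (bad credentials) or 302 (success redirect).
TRUSTED_REFERER_HOSTS = {"fw.example.test"}
EXPECTED_LOGIN_STATUS = {"401", "302"}


def referer_host(referer: str) -> str:
    """Hostname of a Referer URL, or '' when the header is absent ('-')."""
    m = re.match(r"https?://([^/:]+)", referer)
    return m.group(1) if m else ""


def find_suspicious_logins(log_text: str, login_path: str = "/login.jsp") -> list:
    """Flag login-page requests whose Referer or status deviates from the baseline."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["path"] != login_path:
            continue  # unparseable, or not a request to the login page
        reasons = []
        if referer_host(m["referer"]) not in TRUSTED_REFERER_HOSTS:
            reasons.append("referer:" + m["referer"])
        if m["status"] not in EXPECTED_LOGIN_STATUS:
            reasons.append("status:" + m["status"])
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "reasons": reasons})
    return findings


def suspicious_sources(findings: list) -> Counter:
    """Flagged requests per source IP, so a burst stands out from a one-off typo."""
    return Counter(f["ip"] for f in findings)
```

Run `find_suspicious_logins(SAMPLE_LOG)` on the constructed lines and only the 203.0.113.9 requests are flagged; the two interactive logins from 10.0.0.x match the baseline and stay quiet.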
A thorough investigation revealed that the attacker was leveraging the Behinder framework, which has also been employed by other Chinese APT organizations that exploited CVE-2022-26134 in Confluence servers.
In addition to the webshell, Volexity discovered further malicious activity that ensured persistence and enabled the threat actor to continue the attack.
According to the researchers, acquiring access to the Sophos Firewall was the initial step of the assault, allowing the adversary to engage in man-in-the-middle (MitM) activities by altering DNS replies for certain domains maintained by the victim firm.
"This allowed the attacker to intercept user credentials and session cookies from administrative content management system (CMS) access." - Volexity
Using stolen session cookies, the attacker obtained access to the CMS administration pages and installed the File Manager plugin for managing website files (upload, download, delete, edit).
Once the DriftingCloud hackers gained access to the web server, they installed three open-source malware families for remote access: PupyRAT, Pantegana and Sliver. Volexity also provided a set of YARA rules that might identify unusual behavior from this type of attack.