Chinese APT exploited Sophos Firewall zero-day vulnerability weeks before fix

Cybersecurity company Volexity has published a report on a Chinese state-sponsored threat actor that exploited a zero-day vulnerability in Sophos Firewall for weeks before a fix was released.

According to Volexity researchers, on March 8, 2022, they spotted anomalous activity originating from a customer's Sophos Firewall. After analyzing files and disk images from the device, the researchers discovered a backdoor. Based on the analyzed data, exploitation of a zero-day vulnerability in the customer's Sophos Firewall dated back to March 5, 2022, roughly three weeks before the patch was released.

On March 25, Sophos published an advisory describing a critical remote code execution vulnerability in its firewalls (CVE-2022-1040). Volexity believes this is the same vulnerability used to breach its customer's network at the beginning of March, because the firewall was fully patched at the time, which rules out any previously known flaw. The researchers attribute the attack to a Chinese APT group they track as DriftingCloud.

DriftingCloud used its access to the firewall to conduct man-in-the-middle attacks inside the victim's network. Using webshell backdoors and malware, the attackers collected data during these attacks and used it to compromise additional systems outside the network the firewall protected.

DriftingCloud also tried to blend its malicious traffic into normal activity by interacting with the installed webshell through requests to the legitimate file "login.jsp." At first glance the traffic looked like a brute-force login attempt, but in reality it was an operator talking to a backdoor. The practical lesson for defenders is that repeated requests to a login page are not automatically benign noise: a sustained series of "failed logins" whose responses do not look like failed logins deserves a closer look.
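The following is an added example of the kind of triage a defender could run over web-server access logs to separate a genuine brute-force attempt from webshell interaction hiding behind a login page; it is not code from Volexity, Sophos, or the report the article summarizes. It assumes Common Log Format access logs, and the heuristic (a real brute-force attempt yields near-identical response sizes, whereas a webshell returns command output of widely varying length) is an assumption, not a detail from the report. The log lines, IP addresses, and the login path are constructed for the example.

```python
"""
Triage login.jsp traffic: brute-force noise vs. disguised webshell interaction.

Added example, not code from Volexity or Sophos. Log format, path and
thresholds are assumptions; the sample log lines below are constructed.
"""
import re
import statistics
from collections import defaultdict

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log. 198.51.100.7 hammers the login page and always gets
# the same-sized login form back (a real brute-force attempt). 203.0.113.9
# also "logs in" repeatedly, but every response is a different size, which is
# what command output from a webshell looks like. 192.0.2.5 is a single visit.
SAMPLE_LOG = """
198.51.100.7 - - [05/Mar/2022:10:01:02 +0000] "POST /webconsole/webpages/login.jsp HTTP/1.1" 200 1432
198.51.100.7 - - [05/Mar/2022:10:01:03 +0000] "POST /webconsole/webpages/login.jsp HTTP/1.1" 200 1432
198.51.100.7 - - [05/Mar/2022:10:01:04 +0000] "POST /webconsole/webpages/login.jsp HTTP/1.1" 200 1432
198.51.100.7 - - [05/Mar/2022:10:01:05 +0000] "POST /webconsole/webpages/login.jsp HTTP/1.1" 200 1433
198.51.100.7 - - [05/Mar/2022:10:01:06 +0000] "POST /webconsole/webpages/login.jsp HTTP/1.1" 200 1432
198.51.100.7 - - [05/Mar/2022:10:01:07 +0000] "POST /webconsole/webpages/login.jsp HTTP/1.1" 200 1432
203.0.113.9 - - [05/Mar/2022:11:14:20 +0000] "POST /webconsole/webpages/login.jsp HTTP/1.1" 200 88
203.0.113.9 - - [05/Mar/2022:11:14:41 +0000] "POST /webconsole/webpages/login.jsp HTTP/1.1" 200 4120
203.0.113.9 - - [05/Mar/2022:11:15:02 +0000] "POST /webconsole/webpages/login.jsp HTTP/1.1" 200 512
203.0.113.9 - - [05/Mar/2022:11:15:30 +0000] "POST /webconsole/webpages/login.jsp HTTP/1.1" 200 9731
203.0.113.9 - - [05/Mar/2022:11:16:01 +0000] "POST /webconsole/webpages/login.jsp HTTP/1.1" 200 256
203.0.113.9 - - [05/Mar/2022:11:16:45 +0000] "POST /webconsole/webpages/login.jsp HTTP/1.1" 200 2048
192.0.2.5 - - [05/Mar/2022:12:00:00 +0000] "GET /webconsole/webpages/login.jsp HTTP/1.1" 200 1432
"""


def parse(lines):
    """Yield one dict per parseable log line; skip blanks and junk."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        size = m.group("size")
        yield {
            "ip": m.group("ip"),
            "method": m.group("method"),
            "path": m.group("path"),
            "status": int(m.group("status")),
            "size": 0 if size == "-" else int(size),
        }


def triage(lines, login_file="login.jsp", min_requests=5, spread_threshold=200.0):
    """
    Group requests to the login page by source IP and classify each source
    that made at least `min_requests` requests.

    Heuristic (an assumption, not from the report): a brute-force attempt
    re-renders the same login form, so response sizes barely vary; a webshell
    reached through the same URL returns command output, so sizes vary widely.
    """
    by_ip = defaultdict(list)
    for rec in parse(lines):
        if rec["path"].rsplit("/", 1)[-1] == login_file:
            by_ip[rec["ip"]].append(rec["size"])

    verdicts = {}
    for ip, sizes in by_ip.items():
        if len(sizes) < min_requests:
            continue  # too little traffic to say anything
        spread = statistics.pstdev(sizes)
        if spread > spread_threshold:
            verdicts[ip] = "possible webshell interaction"
        else:
            verdicts[ip] = "brute-force pattern"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {verdict}")
```

The threshold and the response-size signal are starting points, not a detector: an attacker can pad responses to a constant length, and a firewall's own login page may legitimately vary in size. Combine this with the checks that do not depend on the attacker's cooperation, such as comparing the on-disk login.jsp and its neighbours against a known-good firmware image and looking for requests to the login page that carry parameters the real form never sends.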

The flaw (CVE-2022-1040) is an authentication bypass in the User Portal and Webadmin of Sophos Firewall. A remote attacker can use it to execute arbitrary code on a vulnerable device without valid credentials. Beyond applying the hotfix, Sophos's advisory recommended not exposing the User Portal and Webadmin to the WAN, which removes the attack surface this bug lives in.
