Chinese hackers used a zero-day exploit for a critical-severity vulnerability in Sophos Firewall to compromise a company and breach cloud-hosted web servers operated by the victim.
The security issue has been fixed in the meantime but various threat actors continued to exploit it to bypass authentication and run arbitrary code remotely on multiple organizations.
Sophos Firewall 0day used for webshell drop
On March 25, Sophos published a security advisory about CVE-2022-1040, an authentication bypass vulnerability that affects the User Portal and Webadmin of Sophos Firewall and could be exploited to execute arbitrary code remotely.
Three days later, the company warned that threat actors were exploiting the security issue to target several organizations in the South Asia region.
This week, cybersecurity company Volexity detailed an attack from a Chinese advanced persistent threat group they track as DriftingCloud, which had been exploiting CVE-2022-1040 since early March, a little over three weeks before Sophos released a patch.