
Chinese APT exploiting Sophos firewall zero-day

The sophisticated Chinese APT group Drifting Cloud has exploited a zero-day vulnerability in Sophos Firewall to carry out man-in-the-middle attacks, SecurityWeek reports. According to a Volexity report, the group leveraged the flaw, an authentication bypass tracked as CVE-2022-1040 and since patched by Sophos, to compromise the firewall, deploy a webshell backdoor and establish persistence before attacking the organization's staff. "These attacks aimed to further breach cloud-hosted web servers hosting the organization's public-facing websites. This type of attack is rare and difficult to detect," Volexity said.

The report also showed that Drifting Cloud sought remote access to the compromised network through VPN user accounts and the certificate pairs associated with them. "While gaining access to the target's Sophos Firewall was likely a primary objective, it appears this was not the attacker's only objective. Volexity discovered that the attacker used their access to the firewall to modify DNS responses for specially targeted websites in order to perform MITM attacks," Volexity added.
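A firewall that rewrites DNS answers for selected names is invisible to clients that trust only the firewall's resolver, so one practical check is to capture the responses clients actually receive and compare them against the same names resolved through an independent path (for example a DNS-over-HTTPS resolver reached from outside the firewall's forwarding chain). The following is an added example and not code from the article, SC Media, SecurityWeek or Volexity: it parses DNS responses in wire format (RFC 1035, including name compression), extracts the A records for the queried name, and flags any address that is absent from the reference answer set. The packets, the hostname and the addresses are constructed for the demonstration; `build_response` exists only to fabricate that sample traffic.

```python
"""Flag DNS A-record answers that disagree with an independently obtained reference.

Added example (not from the article or Volexity). The packets below are constructed;
in practice the response bytes would come from a capture of client-side DNS traffic
and the reference set from a resolver that does not pass through the firewall.
"""
import ipaddress
import struct


def _read_name(buf, off):
    """Decode a possibly-compressed DNS name at buf[off].

    Returns (name, offset just past the name in the original byte stream).
    A compression pointer (top two bits set) redirects reading to an earlier
    offset; the stream offset only advances past the 2-byte pointer itself.
    """
    labels = []
    end = None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (off if end is None else end)


def parse_a_records(packet):
    """Return (qname, [IPv4 strings]) for A records answering the question name."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", packet[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response (QR bit clear)")
    off = 12
    qname = None
    for _ in range(qdcount):
        qname, off = _read_name(packet, off)
        off += 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        name, off = _read_name(packet, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata = packet[off:off + rdlen]
        off += rdlen
        # Only A/IN records for the queried name count as an answer.
        if rtype == 1 and rclass == 1 and rdlen == 4 and name == qname:
            addrs.append(str(ipaddress.IPv4Address(rdata)))
    return qname, addrs


def find_tampered(packet, reference):
    """Return (qname, addresses in the response that the reference resolver never gave)."""
    qname, addrs = parse_a_records(packet)
    known = set(reference)
    return qname, [a for a in addrs if a not in known]


def build_response(qname, addrs, txid=0x1234):
    """Fabricate a minimal DNS response (constructed test data, not captured traffic)."""
    def encode(name):
        return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    header = struct.pack("!6H", txid, 0x8180, 1, len(addrs), 0, 0)  # QR, RD, RA set
    question = encode(qname) + struct.pack("!HH", 1, 1)             # A, IN
    answers = b""
    for a in addrs:
        # 0xC00C is a compression pointer back to the question name at offset 12.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        answers += ipaddress.IPv4Address(a).packed
    return header + question + answers


# Constructed sample: a hypothetical target name, reference answers obtained out-of-band
# (documentation ranges), one clean response and one rewritten by a malicious forwarder.
TARGET = "www.example-target.test"
REFERENCE = ["203.0.113.10", "203.0.113.11"]
CLEAN_RESPONSE = build_response(TARGET, ["203.0.113.10"])
TAMPERED_RESPONSE = build_response(TARGET, ["198.51.100.77"])

if __name__ == "__main__":
    for label, pkt in (("clean", CLEAN_RESPONSE), ("tampered", TAMPERED_RESPONSE)):
        name, unexpected = find_tampered(pkt, REFERENCE)
        print(f"{label}: {name} -> unexpected answers {unexpected or 'none'}")
```

In deployment the reference set should be refreshed alongside the capture, since legitimate answers change with CDN rotation; a single unexpected address is a lead to investigate, and a pattern of unexpected answers confined to a handful of high-value names matches the targeted rewriting described in the report.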
