The Chinese APT group that Volexity tracks as Drifting Cloud has used a zero-day in Sophos Firewall to carry out man-in-the-middle attacks against a targeted organization, SecurityWeek reports. The flaw, tracked as CVE-2022-1040 and since patched by Sophos, is an authentication bypass in the firewall's User Portal and Webadmin interfaces that allows remote code execution on Sophos Firewall v18.5 MR3 and older. According to Volexity's report, Drifting Cloud exploited it to compromise the firewall, deployed a webshell backdoor, established persistence, and then used that foothold to attack the organization's staff. "These attacks aimed to further breach cloud-hosted web servers hosting the organization's public-facing websites. This type of attack is rare and difficult to detect," said Volexity.

The report also shows that Drifting Cloud sought remote access to the compromised network through VPN user accounts and their associated certificate pairs. "While gaining access to the target's Sophos Firewall was likely a primary objective, it appears this was not the attacker's only objective. Volexity discovered that the attacker used their access to the firewall to modify DNS responses for specially targeted websites in order to perform MITM attacks," Volexity added.
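The practical check that follows from the DNS-tampering finding is to resolve the organization's own public hostnames twice, once through the firewall-controlled resolver that internal clients use and once directly against the zone's authoritative servers or a trusted external resolver, and diff the answers. The script below is an added example written for this page; it is not tooling from Volexity or Sophos. It parses `dig +noall +answer` style output for the internal path, compares it against a baseline answer set, and flags any hostname whose internal answers diverge, additionally noting unexpected IPs that fall outside the organization's known hosting prefixes (a strong MITM signal). All hostnames, addresses and prefixes are constructed sample data, and the function names are this example's own.

```python
"""Flag DNS answers that diverge from a known-good baseline for watched hostnames.

Added example for this page; not code from Volexity, Sophos or SecurityWeek.
Hostnames, IP addresses and prefixes are constructed (RFC 5737 documentation ranges).
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Finding:
    hostname: str
    unexpected: list        # IPs seen via the firewall resolver but absent from the baseline
    missing: list           # baseline IPs the firewall resolver did not return
    outside_hosting: list   # unexpected IPs outside the org's known hosting prefixes


def parse_dig_answers(text):
    """Parse `dig +noall +answer` output into {hostname: [ip, ...]} (A/AAAA only)."""
    answers = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[3] not in ("A", "AAAA"):
            continue
        host = fields[0].rstrip(".")
        answers.setdefault(host, []).append(fields[4])
    return answers


def compare_dns_answers(baseline, observed, hosting_prefixes):
    """Return a Finding for every baseline hostname whose observed answers differ.

    baseline: {host: [ip]} obtained from authoritative servers or a trusted resolver,
              never from the firewall being checked.
    observed: {host: [ip]} as returned to internal clients through the firewall.
    """
    nets = [ipaddress.ip_network(p) for p in hosting_prefixes]
    findings = []
    for host, expected_ips in baseline.items():
        expected = set(expected_ips)
        seen = set(observed.get(host, []))      # missing key == resolution failed
        unexpected = sorted(seen - expected)
        missing = sorted(expected - seen)
        if not unexpected and not missing:
            continue
        outside = [ip for ip in unexpected
                   if not any(ipaddress.ip_address(ip) in n for n in nets)]
        findings.append(Finding(host, unexpected, missing, outside))
    return findings


# Constructed sample data. Prefixes where the org's cloud-hosted web servers live.
HOSTING_PREFIXES = ["203.0.113.0/24", "198.51.100.0/24"]

# Baseline taken directly from the authoritative name servers (constructed).
BASELINE = {
    "www.example.org": ["203.0.113.10", "203.0.113.11"],
    "portal.example.org": ["198.51.100.20"],
    "mail.example.org": ["198.51.100.25"],
}

# Constructed `dig +noall +answer` output as seen by an internal client behind the firewall:
# one www answer has been swapped for an address outside the hosting prefixes, and
# mail.example.org silently returns no A record.
INTERNAL_DIG_OUTPUT = """\
www.example.org.\t300\tIN\tA\t203.0.113.10
www.example.org.\t300\tIN\tA\t192.0.2.77
portal.example.org.\t300\tIN\tA\t198.51.100.20
"""


def run_check():
    observed = parse_dig_answers(INTERNAL_DIG_OUTPUT)
    return compare_dns_answers(BASELINE, observed, HOSTING_PREFIXES)


if __name__ == "__main__":
    for f in run_check():
        print(f"{f.hostname}: unexpected={f.unexpected} missing={f.missing} "
              f"outside_hosting={f.outside_hosting}")
```

Two caveats apply in practice: the baseline must come from the authoritative servers or an external resolver reached without traversing the suspect firewall, otherwise a compromised device poisons both sides of the comparison; and legitimately rotating CDN or load-balancer records will produce divergences, so treat an unexpected IP outside the organization's own hosting prefixes as the high-confidence signal and refresh the baseline on a schedule.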