Sophos Firewall zero-day bug exploited weeks before fix | TechRadar


By Sead Fadilpašić, published 20 June 2022

High-severity vulnerability was used by a Chinese APT

A vulnerability in Sophos Firewall, first discovered in late March 2022 and patched soon afterwards, was being exploited by a Chinese advanced persistent threat (APT) group for weeks before the patch was released, reports have revealed.

According to researchers from cybersecurity firm Volexity, the threat actor, tracked as DriftingCloud, had been exploiting CVE-2022-1040 since early March against a number of unnamed organisations. The flaw, an authentication bypass in the User Portal and Webadmin interfaces of Sophos Firewall, let the attackers run arbitrary code on the affected firewalls, where they installed webshell backdoors and other malware.

When the compromise was discovered it was still active and the threat actor was still moving around the network, which gave the researchers a rare view of an APT operation in progress. Their conclusion was that the group was "sophisticated" and went to considerable lengths to remain undetected.

Stage two malware

Among other things, the group blended its traffic by accessing the installed webshell through requests to the legitimate file login.jsp, BleepingComputer reported.
"At first glance, this might appear to be a brute-force login attempt instead of an interaction with a backdoor. The only real elements that appeared out of the ordinary in the log files were the referrer values and the response status codes," Volexity explained in its writeup.

After gaining a foothold on the target network, the threat actor went on to install three distinct malware families: PupyRAT, Pantegana and Sliver. All three are publicly available remote-access tools.

The fix for CVE-2022-1040 has been available for months, and users are advised to patch immediately: the flaw carries a CVSS severity score of 9.8.

It has been a busy quarter for Sophos, which also recently fixed two high-severity vulnerabilities in its Unified Threat Management (UTM) appliances, CVE-2022-0386 and CVE-2022-0652.

Sophos is a UK-based cybersecurity and network security software developer, focused mostly on security software for organisations with up to 5,000 employees. It was founded in 1985 but pivoted towards cybersecurity in the late 1990s. In 2019 it was acquired by US-based private equity firm Thoma Bravo for approximately $3.9 billion ($7.40 per share).

Via: BleepingComputer

Sead Fadilpašić is a freelance journalist based in Sarajevo, Bosnia and Herzegovina, who writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations).
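The detection point in Volexity's observation above, that webshell traffic disguised as login requests to login.jsp stood out only by its referrer values and response status codes, can be turned into a small hunting script over web-server access logs. The Python below is an added example written for this page, not code from Volexity, Sophos or BleepingComputer. Everything in it is assumed for illustration: the log lines are constructed in Apache "combined" format rather than taken from any Sophos appliance, the path /userportal/login.jsp and the host fw.example.internal are placeholders, and the rule (a POST to login.jsp whose Referer is missing or points at a host other than the firewall itself, or whose status code is outside the usual login outcomes) is a heuristic chosen for this example, not a published indicator.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample access log in Apache "combined" format (not real Sophos logs).
# The first two lines model ordinary portal logins from inside the network; the
# next three model a scripted client talking to something behind login.jsp.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2022:09:01:12 +0000] "POST /userportal/login.jsp HTTP/1.1" 200 1543 "https://fw.example.internal/userportal/login.jsp" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2022:09:02:40 +0000] "POST /userportal/login.jsp HTTP/1.1" 302 0 "https://fw.example.internal/userportal/login.jsp" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2022:09:05:03 +0000] "POST /userportal/login.jsp HTTP/1.1" 200 88 "-" "python-requests/2.27"
198.51.100.23 - - [10/Mar/2022:09:05:09 +0000] "POST /userportal/login.jsp HTTP/1.1" 200 4096 "http://203.0.113.9/" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2022:09:05:15 +0000] "POST /userportal/login.jsp HTTP/1.1" 500 0 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2022:09:06:00 +0000] "GET /userportal/login.jsp HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: a genuine login POST ends in success, a redirect, or an auth failure.
EXPECTED_LOGIN_STATUSES = {200, 302, 401, 403}


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_is_foreign(referer, own_hosts):
    """True when the Referer is absent or names a host other than the firewall itself."""
    if referer in ("", "-"):
        return True
    return urlparse(referer).hostname not in own_hosts


def suspicious_login_requests(log_text, own_hosts):
    """Flag POSTs to login.jsp whose referrer or status code looks unlike a browser login.

    Returns a list of (source_ip, timestamp, reasons) tuples.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].split("?")[0].endswith("login.jsp"):
            continue
        status = int(rec["status"])
        reasons = []
        if referer_is_foreign(rec["referer"], own_hosts):
            reasons.append(f"referer={rec['referer']!r}")
        if status not in EXPECTED_LOGIN_STATUSES:
            reasons.append(f"status={status}")
        if reasons:
            hits.append((rec["ip"], rec["ts"], reasons))
    return hits


def hits_by_source(hits):
    """Count flagged requests per source IP so a chatty client floats to the top."""
    return Counter(ip for ip, _, _ in hits)


if __name__ == "__main__":
    found = suspicious_login_requests(SAMPLE_LOG, {"fw.example.internal"})
    for ip, ts, reasons in found:
        print(ip, ts, ", ".join(reasons))
    print(hits_by_source(found))
```

The ordinary GET with no Referer is deliberately left alone, because a first visit to a login page has none; only POSTs are judged. As Volexity's quote makes clear, the same pattern is produced by plain credential brute-forcing, so a hit is a lead for triage (response sizes, what the same source did next, whether the firewall build predates the CVE-2022-1040 fix), not a verdict. Sophos Firewall's own web logs use a different layout, so the regex would need adapting before running this against a real appliance.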