Volexity details a targeted Sophos Firewall breach that leveraged a zero-day remote code execution vulnerability (CVE-2022-1040) to install a webshell, establish persistence, and conduct MITM activity that extended to external systems such as CMS websites. Sophos published an advisory on March 25, 2022, and Volexity provides defenses and indicators to identify similar compromises in the future. #DriftingCloud #SophosFirewall #CVE-2022-1040 #PupyRAT #Pantegana #Sliver #Weevely #CVE-2021-4034 #WordPress
Key Points
- DriftingCloud, a Chinese APT, targeted a Sophos Firewall using a zero-day RCE (CVE-2022-1040) to gain initial access.
- The attacker deployed a webshell by modifying SessionCheckFilter.class, loading a malicious CLASS, effectively backdooring the device.
- MITM activity gathered credentials by intercepting session cookies, allowing direct access to CMS admin pages (e.g., WordPress) without logins.
- Persistence and remote access were achieved via creation of VPN user accounts and certificate pairs on the firewall.
- DNS responses were manipulated to perform MITM against the victim’s websites, enabling credential interception and CMS exploitation.
- Open-source backdoors were installed on the attacker’s web server (PupyRAT, Pantegana, Sliver), with evidence of BEHINDER framework usage and custom SSL configurations.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Attacker exploited a remote code execution vulnerability in Sophos Firewall (CVE-2022-1040) to compromise the device. “…describing a remote code execution (RCE) vulnerability (submitted by a third-party) in its firewalls covered by CVE-2022-1040.”
- [T1505.003] Web Shell – The attacker backdoored the Sophos Firewall with a webshell that could be accessed through any URL of the attacker’s choosing; they loaded a malicious CLASS via ReverseClassLoader. “The attacker created their own version of this file containing malicious logic.”
- [T1539] Steal Web Session Cookie – The attacker used session cookies collected via MITM attacks to compromise external systems outside the network where the firewall resided. “Using these session cookies, the attacker was able to directly access the WordPress admin panel without sending a username and password.”
- [T1136] Create Account – The attacker created VPN user accounts and associated certificate pairs on the firewall to facilitate legitimate remote network access.
- [T1071.004] Application Layer Protocol: DNS – The attacker modified DNS responses for victim-hosted domains to perform MITM attacks and intercept credentials. “Modified DNS responses were for hostnames that belonged to the victim organization…”
- [T1105] Ingress Tool Transfer – The attacker downloaded and used open-source malware tools from a GitHub repository (Gooogleapis) and referenced related tooling (PupyRAT, Pantegana, Sliver) to facilitate compromise. “Gooogleapis GitHub user and repository containing tools related to compromise of Sophos Firewall devices.”
Indicators of Compromise
- [Domain] akamprod[.]com – referenced as a related indicator
- [IP] 180.149.38.136 – one of multiple attacker-controlled addresses
- [Domain] u2d.servusers[.]com – related domain
- [Domain] servusers[.]com – related domain
- [IP] 95.85.71.23 – related IP
- [IP] 95.85.71.20 – related IP
- [IP] 5.188.228.40 – related IP
- [IP] 209.250.231.67 – related IP
- [IP] 158.247.200.24 – related IP
- [IP] 192.248.152.58 – related IP
- [Domain] googleanalytics.proxydns[.]com – related domain
- [IP] 185.82.218.66 – related IP
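The indicators above are published defanged (`[.]` in place of `.`), so the first thing a defender has to do before matching them against DNS or proxy logs is refang them. The script below is an added example, not Volexity's or Sophos's own tooling: it takes the page's indicator list, splits it into IP and domain sets, and scans log lines for exact IP matches and for domain matches including subdomains (so `servusers[.]com` also covers `u2d.servusers[.]com`, which generalizes slightly beyond the page's one-to-one list). The log lines, their timestamps, the internal addresses and the log format are all constructed for the example.

```python
import ipaddress
import re

# Indicators copied from the page's Indicators of Compromise list, kept in the
# defanged form the page uses ("[.]" instead of ".").
DEFANGED_INDICATORS = [
    "akamprod[.]com",
    "180.149.38.136",
    "u2d.servusers[.]com",
    "servusers[.]com",
    "95.85.71.23",
    "95.85.71.20",
    "5.188.228.40",
    "209.250.231.67",
    "158.247.200.24",
    "192.248.152.58",
    "googleanalytics.proxydns[.]com",
    "185.82.218.66",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("example[.]com", "hxxp://") back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_indicator_sets(defanged):
    """Split refanged indicators into a set of IP addresses and a set of lowercase domains."""
    ips, domains = set(), set()
    for raw in defanged:
        value = refang(raw).lower()
        try:
            ipaddress.ip_address(value)
            ips.add(value)
        except ValueError:
            domains.add(value)
    return ips, domains


def domain_matches(hostname, domains):
    """True if hostname equals an indicator domain or is a subdomain of one."""
    hostname = hostname.lower().rstrip(".")
    return any(hostname == d or hostname.endswith("." + d) for d in domains)


# Tokenisers: dotted-quad IPs, and hostname-like tokens ending in an alphabetic TLD
# (so an IP is never picked up as a hostname).
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def scan_log_lines(lines, defanged=DEFANGED_INDICATORS):
    """Return (line_number, matched_value) pairs for every line referencing a known
    IP, a known domain, or a subdomain of a known domain."""
    ips, domains = build_indicator_sets(defanged)
    hits = []
    for n, line in enumerate(lines, start=1):
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append((n, ip))
        for host in HOST_RE.findall(line):
            if domain_matches(host, domains):
                hits.append((n, host.lower()))
    return hits


# Constructed sample log lines (not taken from the report): a resolver log and a
# proxy log with benign entries alongside entries that touch the indicators above.
SAMPLE_LOG_LINES = [
    "2022-03-26T10:14:02Z dns client=10.0.0.5 query=A www.example.org answer=93.184.216.34",
    "2022-03-26T10:14:09Z dns client=10.0.0.5 query=A u2d.servusers.com answer=95.85.71.23",
    "2022-03-26T10:15:41Z proxy src=10.0.0.7 dst=180.149.38.136:443 host=akamprod.com",
    "2022-03-26T10:16:03Z proxy src=10.0.0.7 dst=142.250.74.78:443 host=www.google-analytics.com",
    "2022-03-26T10:17:22Z dns client=10.0.0.9 query=A googleanalytics.proxydns.com answer=185.82.218.66",
]


if __name__ == "__main__":
    for line_no, value in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {line_no}: matched indicator {value}")
```

Note that the look-alike hostname `googleanalytics.proxydns[.]com` is matched while the legitimate `www.google-analytics.com` is not, which is exactly the distinction a resolver-log sweep for this campaign needs to make; feeding real logs through `scan_log_lines` is a matter of reading lines from the file instead of `SAMPLE_LOG_LINES`.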