CVE-2022-1040 Detection: DriftingCloud APT Group Exploits RCE Flaw in Sophos Firewall


A Chinese APT group tracked as “DriftingCloud” is behind the active exploitation of a security hole in Sophos Firewall. The flaw, tracked as CVE-2022-1040, has a CVSS score of 9.8, affects Sophos Firewall v18.5 MR3 (18.5.3) and older, and has been exploited in the wild since early March 2022. Sophos published a hotfix in March this year, but Sophos Firewall installations that have not received it remain exposed to RCE attacks.

The bug is an authentication bypass in the User Portal and Webadmin of Sophos Firewall that can result in remote code execution.

Adversaries weaponize the vulnerability predominantly against businesses located in South Asia.

Detect CVE-2022-1040

To spot exploitation attempts of the critical Sophos Firewall RCE vulnerability, use the following Sigma rule released by a team of keen threat hunting engineers from SOC Prime.

Cybersecurity practitioners are welcome to join the Threat Bounty Program to share their SOC content on the industry-leading platform for recurring monetary rewards. All submitted detections are reviewed and verified by SOC Prime experts. Last month, the average payout to Program members was $1,429.

Possible DriftingCloud Threat Group Post-Exploitation Activity (via web server)

The rule is aligned with the MITRE ATT&CK® framework v10, addressing the Initial Access tactic with the Exploit Public-Facing Application (T1190) technique. Security practitioners can switch between multiple SIEM, EDR, and XDR formats to get rule source code applicable to 16+ security solutions.
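The SOC Prime rule itself is not reproduced on this page. As an added illustration of what “post-exploitation activity via web server” hunting looks like in practice, the script below applies three generic webshell heuristics to web server access logs. It is example code written for this article, not the SOC Prime Sigma rule and not Volexity’s tooling; the log lines are constructed, and the paths, user agents, IP addresses and thresholds are assumptions for illustration rather than indicators taken from the CVE-2022-1040 reports.

```python
"""Hunt for webshell-style post-exploitation activity in web server access logs.

Added example for this article: not the SOC Prime Sigma rule and not code from
Volexity or Sophos. All heuristics, paths and sample data are assumptions.
"""
import re

# nginx/Apache "combined" log format: client IP, timestamp, request line,
# status, response size, referer, user agent.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed heuristics; tune per environment. None of these come from the advisory.
SCRIPT_EXT = (".php", ".jsp", ".jspx", ".aspx", ".cgi")
WRITABLE_DIRS = ("/uploads/", "/tmp/", "/images/", "/cache/")
BROWSER_LIKE_UAS = ("Mozilla/", "curl/", "Googlebot")
POST_BURST_THRESHOLD = 5  # POSTs to the same script from one source IP


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hunt(lines):
    """Return sorted, de-duplicated (rule, ip, path) findings over the log lines."""
    findings = set()
    post_counts = {}
    for line in lines:
        ev = parse(line)
        if not ev:
            continue
        path = ev["path"].split("?", 1)[0]
        is_script = path.lower().endswith(SCRIPT_EXT)
        key = (ev["ip"], path)

        # 1) Server-side script executed from a directory meant for static uploads:
        #    a freshly dropped webshell often lives where the attacker could write.
        if is_script and ev["status"] == "200" and any(d in path for d in WRITABLE_DIRS):
            findings.add(("script_in_upload_dir", ev["ip"], path))

        # 2) POST to a script with no referer and a non-browser user agent:
        #    a webshell client talks to the script directly, not via site navigation.
        if (ev["method"] == "POST" and is_script and ev["referer"] == "-"
                and not ev["ua"].startswith(BROWSER_LIKE_UAS)):
            findings.add(("post_no_referer_odd_ua", ev["ip"], path))

        # 3) Burst of POSTs to one script from one source: interactive shell usage.
        if ev["method"] == "POST" and is_script:
            post_counts[key] = post_counts.get(key, 0) + 1
            if post_counts[key] >= POST_BURST_THRESHOLD:
                findings.add(("post_burst", ev["ip"], path))
    return sorted(findings)


# Constructed sample log (RFC 5737 documentation addresses); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2022:08:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Jun/2022:08:01:15 +0000] "POST /login.php HTTP/1.1" 302 0 "https://www.example.org/index.php" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.23 - - [10/Jun/2022:08:05:40 +0000] "POST /uploads/cache.php HTTP/1.1" 200 128 "-" "Java/1.8.0_292"
198.51.100.23 - - [10/Jun/2022:08:05:41 +0000] "POST /uploads/cache.php HTTP/1.1" 200 94 "-" "Java/1.8.0_292"
198.51.100.23 - - [10/Jun/2022:08:05:43 +0000] "POST /uploads/cache.php HTTP/1.1" 200 2211 "-" "Java/1.8.0_292"
198.51.100.23 - - [10/Jun/2022:08:05:44 +0000] "POST /uploads/cache.php HTTP/1.1" 200 77 "-" "Java/1.8.0_292"
198.51.100.23 - - [10/Jun/2022:08:05:46 +0000] "POST /uploads/cache.php HTTP/1.1" 200 310 "-" "Java/1.8.0_292"
203.0.113.9 - - [10/Jun/2022:08:07:02 +0000] "GET /uploads/logo.png HTTP/1.1" 200 8812 "https://www.example.org/" "Mozilla/5.0 (Windows NT 10.0)"
"""

if __name__ == "__main__":
    for rule, ip, path in hunt(SAMPLE_LOG.splitlines()):
        print(f"{rule:24} {ip:16} {path}")
```

On the constructed sample the script reports three distinct findings, all for the same source and script path, while the ordinary browser traffic produces none. When the web server sits behind a compromised firewall, the interesting source address may be the firewall’s own internal interface rather than an external IP, so enrich the `ip` field against your inventory of firewall addresses before triaging.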

Registered users can access relevant Sigma rules to detect CVE-2022-1040 exploits by hitting the Detect & Hunt button. By clicking the Explore Threat Context button, non-registered security professionals can access an all-encompassing library of SOC content with all relevant context.


CVE-2022-1040 Vulnerability Analysis

Researchers from Volexity released technical details regarding the attacks exploiting CVE-2022-1040. According to the report, the attackers used the compromised firewalls as a foothold from which to breach cloud-hosted web servers running the target’s public-facing websites.

Upon initial access, the adversaries drop a webshell backdoor on the firewall and establish a secondary form of persistence. Because the firewall sits inline on the network path, the attackers then use it to launch man-in-the-middle (MITM) attacks against the traffic passing through it. The information harvested in these MITM attacks is used to move beyond the firewall and compromise further systems, including the web servers.

Sophos has fixed the vulnerability with a hotfix. Customers who have the “Allow automatic installation of hotfixes” feature enabled (the default) received it without any action on their side; customers who disabled that feature, or who run versions older than those covered by the hotfix, need to apply the hotfix or upgrade. Independently of patch status, Sophos recommends not exposing the User Portal and Webadmin to the WAN, which removes the attack path used here.

Check out the SOC Prime library – a one-stop solution for mastering SIEM hard skills, expanding your professional horizon with deep-dive educational videos, and catching up with how-to guides on threat hunting.

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.
