{
	"id": "67129948-0b3a-4251-a458-9ded3535d67f",
	"created_at": "2026-04-06T00:07:38.800804Z",
	"updated_at": "2026-04-10T13:12:16.971299Z",
	"deleted_at": null,
	"sha1_hash": "04624a38167b7f72cc3503223190e6e9d2f9b595",
	"title": "DriftingCloud APT Group Exploits Zero-Day In Sophos Firewall",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61473,
	"plain_text": "DriftingCloud APT Group Exploits Zero-Day In Sophos Firewall\r\nPublished: 2022-06-17 · Archived: 2026-04-05 15:44:40 UTC\r\nCybersecurity researchers have revealed that Sophos Firewall has been actively exploited by the DriftingCloud APT group since early March. Apparently, the attacks started long before the CVE-2022-1040 vulnerability was patched, affecting v18.5 and older versions of Sophos Firewall. CVE-2022-1040 is an authentication bypass vulnerability in the Web Admin and User Portal that allows threat actors to perform RCE, leading to a breach of web servers.\r\nSophos released a security advisory for Sophos Firewall on 25th March. The advisory includes remediation methods concerning CVE-2022-1040, which has a CVSS score of 9.8.\r\nWho Is DriftingCloud?\r\nAccording to Volexity’s research, the attack is associated with a Chinese APT group named DriftingCloud. The APT group opened a backdoor on the firewall back in March. The same APT group might be related to an attack last December in which Zimbra was exploited using a zero-day vulnerability. It was a spear-phishing campaign, and the attackers targeted European government and media organizations. The phishing lasted two weeks, and the hotfix came in February, two months later.\r\nDriftingCloud isn’t the newest threat. Sophos Firewall was also targeted in April 2020, due to yet another zero-day vulnerability. The entry vector was SQL injection, and the attackers deployed the “Asnarok” trojan on devices. A write-up was published after the event to elaborate on attack details.\r\nHow Did The Attack Happen?\r\nDriftingCloud APT Group’s attack flow (Source: Volexity)\r\nFirst Stage\r\nIn the first stage of the attack, the threat actors breach the firewall and load the web shell. In this step, the attacker sends malicious web requests containing a “base64 string”.\r\nSearching the device’s disk for the base64 string values contained in these requests shows that the attackers modified the “/usr/share/webconsole/WEB-INF/classes/cyberoam/sessionmanagement/SessionCheckFilter.class” file.\r\nRequests sent by DriftingCloud APT Group\r\nThe modified file is a legitimate file included in Sophos Firewalls. When the file runs, it calls the “SessionCheckHelper” file with the correct parameters, thus verifying whether the user has a valid session. The SessionCheckHelper file is called whenever a request is made to any component of the Sophos Firewall interface. The attacker modified this file to include his own logical expressions.\r\nhttps://socradar.io/driftingcloud-apt-group-exploits-zero-day-in-sophos-firewall/\r\nPage 1 of 3\r\nThe threat actor took some actions to ensure persistence on the firewall. These actions are as follows:\r\nCreating VPN user accounts and associated certificate pairs in the firewall\r\nWriting and running /conf/certificate/pre_install.sh on the device disk to breach the firewall\r\nWhen the “pre_install.sh” file is run, it downloads a binary file. After the binary file runs, it is deleted from the disk.\r\nSecond Stage\r\nIn the second stage of the attack, the attacker changes DNS responses using the compromised firewall. Thus, a MITM (man-in-the-middle) attack can be made on target websites. The modified DNS responses targeted the admin domains of the victim organization. In this way, the attacker obtained user credentials and session cookies for administrative access to the website’s content management system (CMS).\r\nThe cookie information obtained allows the WordPress admin panel page to be accessed without sending a username and password. Then the page used to download and add plugins can be accessed.\r\nThe attacker installed the File Manager plugin on the victim system to load a PHP file, then disabled the plugin.\r\nUsing the attacker’s web server access, the open-source malware families PupyRAT, Pantegana, and Sliver were installed on the victim system.\r\nDriftingCloud TTPs\r\nTTPs of DriftingCloud APT Group\r\nDriftingCloud IoCs\r\nFile indicators\r\nNetwork Indicators\r\nURLs\r\nDomains\r\nAdditional Suspicious Domains\r\nIPs\r\nFilesystem Paths\r\nIn addition, Volexity provided a set of YARA rules that may alert users to potentially dangerous conduct resulting from this kind of attack.\r\nSource: https://socradar.io/driftingcloud-apt-group-exploits-zero-day-in-sophos-firewall/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://socradar.io/driftingcloud-apt-group-exploits-zero-day-in-sophos-firewall/"
	],
	"report_names": [
		"driftingcloud-apt-group-exploits-zero-day-in-sophos-firewall"
	],
	"threat_actors": [
		{
			"id": "c42fe131-a81c-45bb-8f32-61f39263a7d4",
			"created_at": "2023-11-17T02:00:07.60084Z",
			"updated_at": "2026-04-10T02:00:03.45671Z",
			"deleted_at": null,
			"main_name": "DriftingCloud",
			"aliases": [],
			"source_name": "MISPGALAXY:DriftingCloud",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "685da616-97dd-4c1d-ae05-b84508d2d69c",
			"created_at": "2024-11-03T02:00:03.632184Z",
			"updated_at": "2026-04-10T02:00:03.729072Z",
			"deleted_at": null,
			"main_name": "Asnarök",
			"aliases": [
				"Personal Panda"
			],
			"source_name": "MISPGALAXY:Asnarök",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434058,
	"ts_updated_at": 1775826736,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/04624a38167b7f72cc3503223190e6e9d2f9b595.pdf",
		"text": "https://archive.orkl.eu/04624a38167b7f72cc3503223190e6e9d2f9b595.txt",
		"img": "https://archive.orkl.eu/04624a38167b7f72cc3503223190e6e9d2f9b595.jpg"
	}
}