Another Vulnerability – Sophos’ Firewall Breached

System vulnerabilities are inevitable. Whenever a company releases a new update, several patches should be provided later on to fix prior bugs. However, in this slight period of time, cybercriminals can do a lot of damage by exploiting these vulnerabilities.

Earlier this year, one of the biggest vulnerabilities ever – Log4Shell – was used in various cyber-attacks. It still has its effect to this day. Apparently, even security companies are not immune to such incidents as software company Sophos disclosed the CVE-2022-3236 bug, which impacted its Firewall.

With a threat like remote code execution, the impact can be very huge. Now, we have to ask: Did any hacker exploit the vulnerability? What did Sophos do about it? Here’s everything we know.

Sophos Slips – A New Vulnerability to Exploit

As we mentioned, a lot of companies have suffered various attacks due to a vulnerability in their systems. A month ago, General Bytes – the big Bitcoin ATM manufacturer – suffered a breach due to a resident flaw.

Now, Sophos has suffered the same fate due to one of its own (CVE-2022-3236). The main targets here are the User Portal and Webadmin components.

Attackers are exploiting this bug to practice code injection. If they’re successful, this could result in remote code execution.

According to the company, only select countries are being targeted by the attack, particularly organizations in the South Asian region:

“This vulnerability is used to target a small set of specific organizations, primarily in the South Asia region.”

Now, the company has released a new patch. The users are recommended to update to the latest supported version:

• v19.5 GA
• v19.0 MR2 (19.0.2)
• v19.0 GA, MR1, and MR1-1
• v18.5 MR5 (18.5.5)
• v18.5 GA, MR1, MR1-1, MR2, MR3, and MR4
• v18.0 MR3, MR4, MR5, and MR6
• v17.5 MR12, MR13, MR14, MR15, MR16, and MR17
• v17.0 MR10

Apparently, that’s not enough. Sophos also recommended the targeted users take steps in order to ensure that the User Portal and Webadmin are not exposed to WAN.

Updates are there for a reason. Every time one is issued, a certain vulnerability may surface. That’s why new ones exist. They remove previous bugs and add the latest protections and relevant fixes.

Sophos Vulnerability – A New Bug, An Old Hacking Group

According to researchers, the campaign belongs to a Chinese advanced persistent threat (APT) known as DriftingCloud. Well, they’ve done it in the past, and all the steps within this campaign point to them.

Speaking of the past, this is not the first time Sophos has been in the malicious spotlight. It also suffered a huge attack back in the day when cybercriminals used the Asnarök trojan in an attempt to siphon sensitive information.