DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach
ID: 0af7978e-0c64-56f0-82d1-7a150f42be38
STIX ID: report--0af7978e-0c64-56f0-82d1-7a150f42be38
Feed Name: Volexity Blog
Volexity investigated a Sophos Firewall breach from March 2022 in which a zero-day remote code execution vulnerability (linked to CVE-2022-1040) was exploited by the Chinese APT group Volexity tracks as DriftingCloud. The attacker installed a CLASS-based webshell on the firewall, established persistence, and abused the firewall's position on the network to perform DNS man-in-the-middle attacks that harvested CMS session cookies. Using those cookies, the attacker pivoted to externally hosted WordPress sites and deployed multiple RATs (PupyRAT, Pantegana, Sliver). The report includes technical details, indicators of compromise, and detection and mitigation recommendations.
