web analytics

Sophos Discloses Half Decade of Sustained Chinese Attack – Source: www.govinfosecurity.com

Rate this post

Source: www.govinfosecurity.com – Author:

Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Network Firewalls, Network Access Control

Volt Typhoon, APT31, APT41 Targeted Sophos Edge Devices Akshaya Asokan (asokan_akshaya) , David Perera (@daveperera) • October 31, 2024    

Sophos Discloses Half Decade of Sustained Chinese Attack
Image: Shutterstock

Firewall maker Sophos disclosed Thursday a half-decade worth of efforts by multiple nation-state Chinese hacking groups to infiltrate its appliances, calling the admission a wake-up call for the cybersecurity industry.

See Also: Corelight’s Brian Dye on NDR’s Role in Defeating Ransomware

The campaigns are also further evidence that Chinese nation-state hackers draw from a common pool of vulnerabilities, buttressing what’s called the “quartermaster” theory positing that a central organization within the Chinese government disseminates exploits to multiple cyberespionage hacking groups.

Sophos dubbed its counter-offensive effort “Pacific Rim,” writing that Chinese hacking groups – identified with varying levels of confidence – such as Volt Typhoon, APT31 and APT41 have penetrated Sophos firewalls with overlapping sets of tactics, tools, and procedures starting in early 2020.

After a first wave of noisy and widespread but mostly-thwarted attacks apparently aimed at converting Sophos appliances into operational relay boxes, Chinese hackers shifted to stealthier operations against high-value critical infrastructure targets mostly located in the Info-Pacific region. Victims included “nuclear energy suppliers and regulators, military, telecoms, state security agencies, and central government.”

From 2020 onwards, the groups began to exploiting zero days, including a RCE bug, as well as a code injection vulnerability.

Targeting firewall appliances is a known nation state tactic as hackers have exploited network edge devices’ general opacity to cyber defenders, always-on status and trusted position within corporate intranets. “They are valuable assets that can be used for persistence,” said Ross McKerchar, Sophos CISO.

In a September 2022 hacking incident spotted alongside Microsoft, Chinese hackers modified a Sophos device at an unnamed “large Asian financial services organization” to act as a backdoor. From there, they used sniffed credentials to pull password data from Active Directory.

Sophos first detected a shift in Chinese focus onto network edge appliances after detecting an attack against Cyberoam, an Indian Sophos subsidiary. In 2020, it coded a “specialized kernel implant” to deploy to devices that Sophos believed were controlled by hostile groups conducting exploit research. The implant allows Sophos to collect files and see logs without the user noticing.

Sophos identified a devices used to workshop exploits apparently owned by a Chinese firm called the Sichuan Silence Information Technology. In July 2020, it uncovered a threat actor tracked inside Sophos as “TStark.” Telemetry revealed early examples of malicious payloads for a buffer overflow attack on Sophos appliances that had been previously been registered by a former researcher at the University of Electronic Science and Technology of China.

Sichuan Silence Information Technology and the university are each located in Chengdu, Sichuan, a Chinese hotspot for a burgeoning hacking industry (see: Chinese Hacking Contractor iSoon Leaks Internal Documents).

“Silicon Valley is good for tech. Shenzhen’s good for hardware, and Chengdu is good if you want to be a vulnerability researcher,” McKerchar told Information Security Media Group.

Exploits developed in Chengdu made their way to multiple cyberespionage groups. “They obviously had the shared knowledge of the exploit, but then after that, their TTPs would vary massively. One group would be very sophisticated, really quiet, really, really high end. Another one would be blundering around, making lots of noise – but they used the same exploit,” McKerchar said.

“Our assessment is they are likely involved in exploit development,” he said of Sichuan Silence Information Technology, a company previously linked by Meta to a disinformation campaign.

A Chinese law that took effect in September 2021 requires Chinese researchers to disclose vulnerabilities to the government, a requirement that multiple Western companies have said is paying dividends for state-connected hacking (see: Chinese State Hackers Level Up Their Abilities: CrowdStrike).

Chinese hackers nonetheless may be trying to squeeze more money out of their research than they can get through official channel hacking. Sophos reported it received a bug bounty report of a critical SQL injection vulnerability just one day before a wave of attacks using Asnarök Trojans. “It would not surprise me is that was a researcher who was playing both sides, who was disclosing Vulnerabilities to the PRC, which is the law over there, but also trying to make some money,” McKerchar said, referring to the People’s Republic of China, the official name of the communist government. One complaint of Chinese hackers revealed through a February leak of internal documents from Chengdu hacking firm iSoon, he noted, was low pay.

Network Edge Devices Can’t Go On Like This

McKerchar said Sophos hopes to spark “an industry wide conversation” about network edge device hacking.

A study published in June by hacking firm Rapid7 found the prevalence of large-scale attacks exploiting network devices nearly doubled last year, driven by an abundance of vulnerabilities to exploit. “We found that 36% of the widely exploited vulnerabilities we tracked occurred within network edge technology. Of those, 60% were zero-day exploits,” the report said. “These technologies represent a weak spot in our collective defenses” (see: Surge in Attacks Against Edge and Infrastructure Devices).

One worrying problem among many is that after Sophos hardened its appliances against Chinese attacks, hackers turned their attention to older devices no longer received patches.

Mid-size companies in particular are inclined to run devices past their life cycle. New devices are expensive but software is relentlessly optimized to work on newer, faster hardware – an inexorable treadmill. “If you’ve got the skills to harden it in the right way, it might be better than no firewall, but if you don’t, it might not,” McKerchar responded when asked if companies would be better off disposing of an out of lifecycle firewall than keeping it connected. “I don’t think you can generalize.”

Badly secured firewalls are a problem for everyone, he stressed. Sophos does more at-scale threat hunting on its devices to detect hacking patterns and is abiding by a pledge to develop product with secure design principles, he said. Opening up network devices to third party scanning isn’t a likely solution for now, since “edge devices are very bespoke; a normal EDR agent out of the box would not work on a firewall.”

“We really want to ignite an industry wide conversation about the best way to approach collective this risk, because it really becomes a systematic risk to the digital ecosystem if we don’t,” McKerchar said.

Original Post URL: https://www.govinfosecurity.com/sophos-discloses-half-decade-sustained-chinese-attack-a-26698

Category & Tags: –

Views: 1

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post