Sophos researchers have disclosed, in a report titled ‘Pacific Rim’, the details of the company's five-year investigation tracking China-based groups that targeted Sophos firewalls using botnets, novel exploits, and bespoke malware. With the collaboration of other cybersecurity vendors, governments, and law enforcement agencies, specific clusters of observed activity have been attributed, with varying levels of confidence, to Volt Typhoon, APT31, and APT41/Winnti.
Following the release of the Pacific Rim report, the U.S. Federal Bureau of Investigation (FBI) is asking the public for assistance in an investigation involving the compromise of edge devices and computer networks belonging to companies and government entities. “As described by Sophos Ltd. in a recently released cyber security report, on April 22, 2020, an Advanced Persistent Threat group allegedly created and deployed malware (CVE-2020-12271) as part of a widespread series of indiscriminate computer intrusions designed to exfiltrate sensitive data from firewalls worldwide.”
The FBI is seeking information regarding the identities of the individuals responsible for these cyber intrusions.
Over the tracked period, Sophos identified three key evolving attacker behaviors. The first is a shift in focus from indiscriminate, noisy, widespread attacks (which X-Ops has concluded were failed attempts to build operational relay boxes (ORBs) to aid future targeted attacks) to stealthier operations against specific high-value and critical infrastructure targets, primarily located in the Indo-Pacific region. Victim organizations include nuclear energy suppliers and regulators, military, telecoms, state security agencies, and central government.
In its Pacific Rim report, Sophos also identified evolution in stealth and persistence capability. Notable recent TTPs include increased use of living-off-the-land, insertion of backdoored Java classes, memory-only Trojans, a large and previously undisclosed rootkit (with design choices and artifacts indicative of cross-platform multi-vendor capability), and an early experimental version of a UEFI bootkit.
X-Ops believes this is the first observed instance of bootkit use specifically on a firewall. Additionally, the attackers' OPSEC improvements include sabotaging firewall telemetry collection, which impairs detection and response capability, and hampering OSINT research through a reduced digital footprint.
Sophos X-Ops has identified, with high confidence, exploit research and development activity being conducted in the Sichuan region. Consistent with China’s vulnerability disclosure legislation, X-Ops assesses with high confidence that the developed exploits were then shared with multiple distinct state-sponsored frontline groups with differing objectives, capabilities, and post-exploitation tooling.
“The first attack was not against a network device, but the only documented attack against a Sophos facility: the headquarters of Cyberoam, an India-based Sophos subsidiary,” Ross McKerchar, CISO at Sophos, wrote in a blog post last week. “On December 4, 2018, analysts on the Sophos SecOps team detected that device performing network scans. A remote access trojan (RAT) was identified on a low-privilege computer used to drive a wall-mounted video display in the Cyberoam offices.”
McKerchar noted that while an initial investigation found malware that suggested a relatively unsophisticated actor, further details changed that assessment. “The intrusion included a previously unseen, large, and complex rootkit we dubbed Cloud Snooper, as well as a novel technique to pivot into cloud infrastructure by leveraging a misconfigured Amazon Web Services Systems Manager Agent (SSM Agent). While we published an analysis of the intrusion with some details in 2020, we did not at the time attribute the attack.”
He added that Sophos “now assess with high confidence that this was an initial Chinese effort to collect intelligence that would aid in the development of malware targeting network devices.”
Beginning in early 2020 and continuing through much of 2022, Sophos identified in the Pacific Rim report that the adversaries spent considerable effort and resources to engage in multiple campaigns to discover and then target publicly reachable network appliances. “In a rapid cadence of attacks, the adversary exploited a series of previously unknown vulnerabilities they had discovered, and then operationalized, targeting WAN-facing services. These exploits led to the adversary being able to retrieve information stored on the device, as well as giving them the ability to deliver payloads inside the device firmware and, in some cases, to devices on the LAN (internal to the organization’s network) side of the device.”
Sophos became aware of these noisy types of attacks soon after they began. When they were discovered, Sophos chose to make as broad and as public a disclosure as possible, as reflected by the series of X-Ops blog posts, conference presentations, and seminars based on its analysis and work to counter each of the threats. For example, the report on the first wave in April 2020 was published within a week of the commencement of widespread attacks and was updated as the actor behind them shifted the attack flow.
Additionally, Sophos also conducted outreach to organizations that no longer subscribed to updates but still maintained operational (and vulnerable) devices in their networks, to warn them of the risks of potential automatic botnet attacks on their public-facing devices.
“In two of the attacks (Asnarök and a later attack dubbed ‘Personal Panda’), X-Ops uncovered links between bug bounty researchers responsibly disclosing vulnerabilities and the adversary groups tracked in this report,” McKerchar said in the Pacific Rim report. “X-Ops has assessed, with medium confidence, the existence of a research community centered around educational establishments in Chengdu. This community is believed to be collaborating on vulnerability research and sharing their findings with both vendors and entities associated with the Chinese government, including contractors conducting offensive operations on behalf of the state. However, the full scope and nature of these activities has not been conclusively verified.”
In mid-2022, the attacker changed tactics to highly targeted, narrowly focused attacks against specific entities: government agencies; critical infrastructure management groups; research and development organizations; healthcare providers; retail, finance, and military-adjacent businesses; and public-sector organizations. These attacks, utilizing diverse TTPs, were driven less by automation and more by an ‘active adversary’ style, in which the hackers manually executed commands and ran malware on the compromised devices.
A variety of stealthy persistence techniques were developed and utilized throughout these attacks, including a custom, fully featured userland rootkit; use of the TERMITE in-memory dropper; re-packing legitimate Java archives with Trojanized class files; and an experimental UEFI bootkit (observed only on an attacker-controlled test device). The attacks also relied on valid VPN credentials, obtained both from on-device malware and via an Active Directory DCSync, and on hooking firmware-upgrade processes to survive firmware updates.
McKerchar pointed out in the Pacific Rim report that while exploitation of known CVEs was the most common initial access vector used, “X-Ops also observed cases of initial access using valid administrative credentials from the LAN side of the device, suggesting the use of perimeter devices for persistence and remote access after obtaining initial network access via other means.”
Throughout the campaigns, the actors became increasingly adept at hiding their activities from immediate discovery by blocking telemetry from being sent from the device to Sophos, McKerchar said. “As early as April 2020, the attackers made efforts to sabotage the hotfix mechanism of devices they compromised. Later, they added targeting of the telemetry system of devices to prevent Sophos from getting early warning of their activity.”
The actors also discovered and blocked telemetry-gathering on their own test devices after Sophos X-Ops utilized that capability to collect data on exploits while they were being developed. Additionally, the operational security practices of the exploit developers improved over time. X-Ops saw the trail of data that could be followed with open-source intelligence practices shrink considerably from earlier attacks.
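The two preceding paragraphs describe attackers deliberately silencing a device's hotfix and telemetry channels so the vendor loses early warning. The defender's counterpart is to treat an unexpected silence on those channels as a signal in its own right. The following Python script is an added example, not code from Sophos or from the Pacific Rim report; it assumes a hypothetical central log in which each appliance records both a `telemetry` and a `hotfix_checkin` event, and it flags any device for which either stream has gone quiet for longer than an expected interval. The log lines, device names and timestamps are constructed for the example.

```python
"""Flag edge devices whose telemetry or hotfix check-in stream has gone silent.

Added example: assumes a hypothetical log format
    <ISO-8601 UTC timestamp> <device> <stream> <status>
where stream is "telemetry" or "hotfix_checkin". Nothing here is vendor code.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample log: fw-hq-01 is healthy, fw-branch-02 has stopped sending
# telemetry but still checks in for hotfixes, fw-branch-03 is silent on both.
SAMPLE_LOG = """\
2024-05-01T07:50:00Z fw-branch-03 hotfix_checkin ok
2024-05-01T07:55:00Z fw-branch-03 telemetry ok
2024-05-01T09:30:00Z fw-branch-02 telemetry ok
2024-05-01T10:00:00Z fw-hq-01 telemetry ok
2024-05-01T11:30:00Z fw-hq-01 hotfix_checkin ok
2024-05-01T11:40:00Z fw-branch-02 hotfix_checkin ok
2024-05-01T11:45:00Z fw-hq-01 telemetry ok
"""

# Streams every managed device is expected to keep alive (hypothetical names).
EXPECTED_STREAMS = ("hotfix_checkin", "telemetry")


def parse_timestamp(ts: str) -> datetime:
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' string into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_seen_by_stream(log_text: str) -> dict:
    """Return {(device, stream): latest timestamp} over all lines in the log."""
    last_seen = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ts, device, stream, _status = line.split()
        when = parse_timestamp(ts)
        key = (device, stream)
        # Keep only the most recent observation per device and stream.
        if key not in last_seen or when > last_seen[key]:
            last_seen[key] = when
    return last_seen


def check_edge_telemetry(log_text: str, now_iso: str, max_gap_minutes: int) -> dict:
    """Return {device: {stream: minutes_silent}} for streams quiet longer than max_gap.

    A stream that has never been seen for a known device is reported with a
    gap of None, since the absence of any record is itself suspicious.
    """
    now = parse_timestamp(now_iso)
    max_gap = timedelta(minutes=max_gap_minutes)
    last_seen = last_seen_by_stream(log_text)
    devices = sorted({device for device, _ in last_seen})

    findings: dict = {}
    for device in devices:
        for stream in EXPECTED_STREAMS:
            seen = last_seen.get((device, stream))
            if seen is None:
                findings.setdefault(device, {})[stream] = None
                continue
            gap = now - seen
            if gap > max_gap:
                findings.setdefault(device, {})[stream] = int(gap.total_seconds() // 60)
    return findings


def main() -> None:
    # Evaluate the constructed log as of noon with a one-hour tolerance.
    result = check_edge_telemetry(SAMPLE_LOG, "2024-05-01T12:00:00Z", 60)
    for device, streams in result.items():
        for stream, gap in streams.items():
            state = "never seen" if gap is None else f"silent for {gap} min"
            print(f"ALERT {device}: {stream} {state}")


if __name__ == "__main__":
    main()
```

The telemetry-only silence on fw-branch-02 is the pattern worth a dedicated alert: a device that still fetches hotfixes but no longer reports telemetry is behaving in exactly the way the report describes for a compromised appliance, whereas total silence on fw-branch-03 is more often an outage or decommissioning and should be triaged accordingly.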
Sophos noted in the Pacific Rim report that edge network devices are high-value targets that well-resourced adversaries use for both initial access and persistence, and that defenders' detection and response strategies need to take this into account. State-sponsored attackers use both zero-day and known vulnerabilities to attack edge devices. This targeting is not unique to Sophos firewalls; as evidenced by published CVEs, all edge devices are a target.
State-sponsored targeting is not limited to high-value espionage targets. Threat actors use edge devices as ORBs to attack onward targets and to obfuscate the true origin of attacks. In a connected digital ecosystem, many organizations form part of a critical infrastructure supply chain and may be targeted by actors seeking to disrupt critical services.
In conclusion, McKerchar pointed out that threat actors have carried out these persistent attacks for more than five years. “This peek behind the curtain at our past and ongoing investigations into these attacks is the arc of a story we intend to continue telling over time, so long as it doesn’t interfere with or compromise law enforcement investigations in progress.”
“The adversaries appear to be well-resourced, patient, creative, and unusually knowledgeable about the internal architecture of the device firmware,” he observed. “The attacks highlighted in this research demonstrate a level of commitment to malicious activity we have rarely seen in the nearly 40 years of Sophos’ existence as a company.”