Although most of us may not think of ourselves or our organizations as interesting enough to warrant the attention of nation-state threat actors, the reality is that even seemingly insignificant entities can become targets of their malicious activity. Sophos has been engaged in a protracted cyber conflict with China-backed attackers who have targeted perimeter devices in an effort to gain control of them and compromise network security. The attackers' objectives encompassed both targeted and indiscriminate exploitation of systems.
This aggressive campaign is not aimed at a single entity. A variety of internet-exposed targets are currently under attack, and we have established links between these threat actors and assaults on multiple network security vendors, including those offering devices for home and small office use. Understanding why this campaign has persisted for so long may provide valuable insight to potential targets seeking to stay out of harm's way.
A fundamental shift in pattern
What motivates threat actors operating on behalf of major nation-states to focus on seemingly insignificant targets? Many security experts regard their primary adversaries as financially motivated criminals, such as ransomware operators, who typically target vulnerable organizations and systems. While these gangs often exploit unpatched network devices, their primary limitation lies in their lack of expertise to consistently discover novel zero-day vulnerabilities with which to gain unauthorized access.
While analyzing Pacific Rim, we observed a striking link between the rapid proliferation of zero-day exploits and academic institutions in China's Sichuan province. While the sharing of these exploits with state-sponsored attackers may appear strategic, it is in line with national-security regulations requiring vulnerability disclosure.
Over the years of Pacific Rim, the attackers repeatedly redirected their attention. Typically, the early attacks aimed at the weakest points in a system. As our persistence grew, so did the intensity of their counterattacks, with the adversaries launching more concentrated and deliberate strikes against us.
This is not the whole picture, however; before each assault began, a crucial preparatory phase took place. When digging into complex situations, we often find that attackers like these typically use high-value zero-day vulnerabilities in targeted attacks, operating under the radar. Once they have accomplished their primary objective or suspect they have been detected, they launch broad attacks against every available device to sow chaos and conceal their trail.
Launching numerous overlapping attacks against a wide range of targets also serves the attackers' purposes, even though a well-designed system can deter would-be assailants. The Pacific Rim adversaries, like others who pursue sensitive information and intellectual property, are driven by a further objective: concealing their most valuable operations while sowing confusion among defenders seeking to thwart them. Compromising and abusing a wide range of devices gives them both the obfuscation networks they need and a steady supply of chaos, and they are well equipped to achieve it.
The pattern is reminiscent of another incident, in which a zero-day that Microsoft attributed to a China-based group known as HAFNIUM was used in a targeted manner before being exploited globally. HAFNIUM's impact on servers worldwide persisted for years after that initial widespread exploitation.
As attack strategies and tactics continue to adapt, it is crucial that our approach to system upkeep also undergoes a significant shift.
Decision-making is no longer an option.
Sophos deployed substantial resources to proactively protect its platform, prioritizing improvements that enable early detection and deterrence alongside swift remediation of vulnerabilities. However, a concerning proportion of our customers failed to take advantage of these measures when it mattered most.
This collection of incidents highlights the far-reaching consequences of key players' choices for the overall health and resilience of the internet, set against the backdrop of the shared-responsibility model for online security.
During the recent mass assaults on firewalls, a notable pattern emerged: attackers targeting multiple organizations in an attempt to breach any defensible perimeter. The consequences for affected businesses were multifaceted, manifesting in three distinct areas of impact. First, malicious actors could use the compromised devices as proxy nodes to mask the attackers' own traffic, leveraging the victim's resources. Second, the devices granted access to the system itself, enabling the theft of policies and exposing sensitive information, including any locally stored credentials. Third, they posed a significant threat to the system's defenses, which form a critical component of the overall security perimeter.
No one wants to find themselves in this unenviable position. It is crucial not only to accept and apply the major product updates that regularly strengthen the resilience of firewalls' built-in defenses, but also to enable the automatic ingestion of security hotfixes, which are designed to swiftly address exploitable vulnerabilities and prevent potential breaches. Hotfixes are built and tested with meticulous care to ensure their integrity, minimizing any risk inherent in applying them. Events in 2024 have compelled vendors to assume greater accountability, including transparency throughout testing and rollout processes. This enhanced openness does not diminish the need for timely patching: patches must be applied promptly everywhere, without exception.
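The first impact above, a compromised perimeter device acting as a proxy node, leaves a trace that defenders can look for: the firewall itself becomes a client, opening outbound connections to hosts it has no business contacting. The following is an added example (not Sophos code and not from the original article) that scans constructed syslog-style connection records for exactly that pattern. The firewall addresses, the allowlist of expected destinations (update and time servers), the internal ranges and the log format are all assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed values for this example: the firewall's own address and the
# destinations it is legitimately expected to contact (e.g. update servers).
FIREWALL_ADDRS = {"203.0.113.10"}
EXPECTED_DESTS = {"198.51.100.5"}
# Internal ranges: firewall-to-internal traffic (directory lookups etc.) is routine.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Assumed log format: "<timestamp> <host> conn src=... dst=... dport=... action=..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+conn\s+src=(?P<src>[\d.]+)"
    r"\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)

# Constructed log sample. Lines 3-6 show the firewall itself opening
# connections to hosts that are neither internal nor on the expected list.
SAMPLE_LOG = """\
2024-10-31T02:11:01Z fw01 conn src=10.0.5.23 dst=198.51.100.80 dport=443 action=allow
2024-10-31T02:11:04Z fw01 conn src=203.0.113.10 dst=198.51.100.5 dport=443 action=allow
2024-10-31T02:11:09Z fw01 conn src=203.0.113.10 dst=198.51.100.77 dport=8443 action=allow
2024-10-31T02:11:15Z fw01 conn src=203.0.113.10 dst=198.51.100.77 dport=8443 action=allow
2024-10-31T02:12:30Z fw01 conn src=203.0.113.10 dst=192.0.2.200 dport=22 action=allow
2024-10-31T02:12:31Z fw01 conn src=203.0.113.10 dst=192.0.2.201 dport=22 action=allow
2024-10-31T02:13:00Z fw01 conn src=10.0.5.40 dst=192.0.2.201 dport=22 action=allow
2024-10-31T02:13:02Z fw01 conn src=203.0.113.10 dst=10.0.9.9 dport=389 action=allow
this line is malformed and is skipped by the parser
"""


def parse(log_text):
    """Yield one dict per parseable connection line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            yield ev


def _is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def firewall_originated(events, fw_addrs=FIREWALL_ADDRS, expected=EXPECTED_DESTS):
    """Keep events where the firewall is the client and the destination is
    neither internal nor on the expected list. A perimeter device should
    rarely initiate such connections; a cluster of them deserves a look."""
    return [
        ev for ev in events
        if ev["src"] in fw_addrs
        and ev["dst"] not in expected
        and not _is_internal(ev["dst"])
    ]


def summarize(flagged):
    """Aggregate flagged events by (destination, port), busiest first."""
    counts = Counter((ev["dst"], ev["dport"]) for ev in flagged)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def analyze(log_text=SAMPLE_LOG):
    return summarize(firewall_originated(parse(log_text)))


if __name__ == "__main__":
    for (dst, dport), n in analyze():
        print(f"firewall-originated connection: {dst}:{dport} x{n}")
```

In practice the allowlist should be derived from the vendor's published update and telemetry endpoints, and the check should run continuously against the firewall's own connection log rather than on a captured sample; the value is in alerting on the first unexpected destination, not in the count.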
Truly essential
Another area where our customers and partners can collaborate with us on reducing effort is attack-surface minimization. Several of the identified vulnerabilities related to user and administrative portals that were never intended to be exposed to the public internet. We advise that companies keep their internet-facing presence to a bare minimum. Users whose identities need to be verified are most securely protected by a robust zero-trust network access (ZTNA) gateway that incorporates strong, FIDO2-compliant multi-factor authentication. Although MFA has been around for some time, it remains a fundamental best practice, one we discussed in our early 2024 conversations. Its proven effectiveness in reducing attack surface makes it an essential component of any security strategy. In Pacific Rim, the attacks suddenly shifted to a human-operated "adversary" mode, with some compromised devices accessed using stolen login credentials rather than by exploiting previously unknown vulnerabilities.
Once an attacker gains entry into a compromised system, they often steal the locally stored credentials in the hope of reusing those same passwords elsewhere on the organization's network. Although the firewall may not participate in a single sign-on (SSO) system, customers frequently use the same password that secures their Entra ID accounts. It is crucial that authentication cannot be satisfied with a password alone; it must be verified through an additional layer of security, such as machine certificates, tokens, or application-specific challenges.
The ease with which this software can be patched makes it all the more concerning when patches are not applied. Although a patch for CVE-2020-15069 was released on June 25, 2020, our monitoring revealed that threat actors continued to exploit the vulnerability, compromising firewalls to steal local credentials and establish remote command and control, until as late as February 18, 2021. Ideally, updates are consumed as soon as they are released; when this feature is disabled, it creates an opportunity for our adversaries to linger for the long term.
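The two preceding points, management portals that should not face the internet and authentication that must not rest on a password alone, can be turned into a repeatable inventory review. The block below is an added example (not Sophos code and not from the original article) that audits a constructed service inventory and ranks findings: a management portal reachable from the WAN with password-only authentication is the worst case, an exposed portal with MFA is still a problem, and a password-only portal even on the LAN is flagged because stolen local credentials are reused elsewhere. The service names, zones, authentication labels and severity scheme are assumptions made for the example.

```python
from dataclasses import dataclass

# Device-hosted portals that should not face the public internet (assumed names).
MANAGEMENT_SERVICES = {"admin-ui", "user-portal", "ssh"}
# Authentication methods that add a factor beyond a reusable password.
STRONG_AUTH = {"fido2", "certificate", "password+totp"}
# Subset of STRONG_AUTH that resists credential phishing and replay.
PHISHING_RESISTANT = {"fido2", "certificate"}


@dataclass(frozen=True)
class Service:
    device: str
    name: str
    port: int
    zone: str   # "wan" = reachable from the internet, "lan" = internal only
    auth: str   # "password", "password+totp", "fido2" or "certificate"


# Constructed inventory, not a real fleet.
INVENTORY = [
    Service("fw-edge-01", "admin-ui", 4444, "wan", "password"),
    Service("fw-edge-01", "user-portal", 443, "wan", "password+totp"),
    Service("fw-edge-01", "ssh", 22, "lan", "certificate"),
    Service("fw-branch-02", "admin-ui", 4444, "lan", "password"),
    Service("ztna-gw-01", "ztna-gateway", 443, "wan", "fido2"),
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def audit(services):
    """Return (severity, device, service, message) tuples, worst first."""
    findings = []
    for s in services:
        exposed = s.name in MANAGEMENT_SERVICES and s.zone == "wan"
        weak = s.auth not in STRONG_AUTH
        if exposed and weak:
            findings.append(("critical", s.device, s.name,
                             "management portal on WAN with password-only authentication"))
        elif exposed:
            findings.append(("high", s.device, s.name,
                             "management portal reachable from the internet; place it behind ZTNA"))
        elif weak:
            findings.append(("medium", s.device, s.name,
                             "password-only authentication; require certificate, token or FIDO2"))
        elif s.zone == "wan" and s.auth not in PHISHING_RESISTANT:
            findings.append(("low", s.device, s.name,
                             "internet-facing with MFA that is not phishing-resistant"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1], f[2]))


if __name__ == "__main__":
    for sev, device, name, msg in audit(INVENTORY):
        print(f"[{sev:8}] {device} {name}: {msg}")
```

The ZTNA gateway in the sample produces no finding: it is internet-facing by design and uses FIDO2, which is the pattern the text recommends for everything else that currently sits on the WAN.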
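The CVE-2020-15069 timeline above is easiest to appreciate as an exposure window per device: the fix existed from June 25, 2020, yet exploitation was still being observed on February 18, 2021, so any device that did not ingest the hotfix was exposed for that whole span. The following is an added example (not Sophos code and not from the original article) that computes that window over a constructed fleet record; the two dates come from the text, while the device names, the auto-hotfix flag and the application dates are assumptions.

```python
from datetime import date

# Dates stated in the text: hotfix release and last observed exploitation.
HOTFIX_RELEASED = date(2020, 6, 25)
LAST_OBSERVED_EXPLOITATION = date(2021, 2, 18)

# Constructed fleet records; hotfix_applied is None when the fix never landed.
FLEET = [
    {"device": "fw-a", "auto_hotfix": True, "hotfix_applied": date(2020, 6, 26)},
    {"device": "fw-b", "auto_hotfix": False, "hotfix_applied": date(2020, 9, 15)},
    {"device": "fw-c", "auto_hotfix": False, "hotfix_applied": None},
]


def exposure_days(record, released=HOTFIX_RELEASED, as_of=LAST_OBSERVED_EXPLOITATION):
    """Days between the fix being available and it actually being applied.
    An unpatched device stays exposed up to the as_of date; a device patched
    before the release date (e.g. a pre-release build) counts as zero."""
    end = record["hotfix_applied"] or as_of
    return max(0, (end - released).days)


def exposure_report(fleet=FLEET, as_of=LAST_OBSERVED_EXPLOITATION):
    """One (device, status, exposure_days, auto_hotfix) row per device, most exposed first."""
    rows = []
    for rec in fleet:
        status = "patched" if rec["hotfix_applied"] else "UNPATCHED"
        rows.append((rec["device"], status, exposure_days(rec, as_of=as_of), rec["auto_hotfix"]))
    return sorted(rows, key=lambda r: -r[2])


if __name__ == "__main__":
    for device, status, days, auto in exposure_report():
        print(f"{device}: {status}, exposed {days} days, auto-hotfix={'on' if auto else 'off'}")
```

The device with automatic hotfix ingestion enabled closes its window in a day; the two without it show the long tail the text describes, and the unpatched one is still open at the last observed exploitation date.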
Small things mean a lot
There is no such thing as an insignificant compromise; every foothold an attacker gains has a significant impact on the outcome. When an initial inquiry into seemingly unrefined tools and techniques begins, the discovery of a complex web of intrigue, replete with unexpected detours and surprises, is not only plausible but likely. An aging small PC used to power a videoconferencing system might initially have seemed insignificant, but removing it prompted a deeper investigation. The culmination of that intricate investigation was the discovery of a sophisticated rootkit dubbed Cloud Snooper, which exploited novel strategies to compromise Amazon Web Services (AWS) workloads, and five arduous years of adversarial cat-and-mouse tactics.
Today, unauthorized actors have a penchant for exploiting devices like video conferencing equipment, which often go unmonitored, are designed for specific functions, and have capabilities that far exceed their intended use. Today's smartphones can effortlessly perform tasks that were handled by powerful workstations just a decade ago, with processing power on par with those machines. Excess computing power, coupled with inadequate monitoring and outdated security software, creates the perfect conditions for concealing activity, maintaining persistence, and reconnoitering other valuable assets. The battle is unfolding inside your own house.
Bugs can also originate in the supply chain, and those can be far more challenging to resolve. Defenders must collectively take responsibility for addressing them. In April 2022, we identified cybercriminals exploiting a previously undisclosed vulnerability in OpenSSL, a widely used and trusted open-source cryptographic library. On April 2, 2022, we notified the OpenSSL team of the issue, which subsequently received the designation CVE-2022-1292 with a CVSS base score of 9.8; it was patched by the OpenSSL development team on May 3. Even with Pacific Rim's intense focus on us, there was no hesitation in notifying the OpenSSL team and lending a hand in addressing the issue, an instinctive display of community goodwill.
The company's rigorous testing process incorporates both internal application security assessments and input from third-party assessors, with the scope and funding of this initiative having expanded significantly since its inception in December 2017. While some of these initiatives are proactive in nature, others necessarily respond to existing issues or crises. We ask our customers and partners to collaborate with us in applying fixes swiftly, ideally by permitting emergency hotfixes to be installed as they are released.
What now?
Readers familiar with Clifford Stoll's work understand that major incidents often begin with small, seemingly insignificant anomalies. His 1980s book documents what may be the earliest recorded instance of state-sponsored hacking. For over three decades, Sophos has engaged in an ongoing game of cat and mouse with cybercriminals, mirroring the experience of Stoll, who outsmarted his adversaries some 35 years ago, a feat that remains impressive given Sophos' own early start in the industry. Just as a seemingly minor $0.75 accounting anomaly did for Stoll, and as our videoconferencing equipment did for us, a small issue unexpectedly evolved into a transformative set of skills for those involved. Many of the techniques Stoll employed during the Cuckoo's Egg investigation have since become integral components of modern cybersecurity defenses. Defenders' work is never finished, and we use what we learned in Pacific Rim to reassess and elevate our ability to collaborate and improve.