Sophos Used Custom Implants to Surveil Chinese Hackers Targeting Firewall Zero-Days

3 weeks ago 7
News Banner

Looking for an Interim or Fractional CTO to support your business?

Read more

British cybersecurity vendor Sophos on Thursday published details of a years-long “cat-and-mouse” tussle with sophisticated Chinese government-backed hacking teams and fessed up to using its own custom implants to capture the attackers’ tools, movements and tactics.

The Thoma Bravo-owned company, which has found itself in the crosshairs of attackers targeting zero-days in its enterprise-facing products, described fending off multiple campaigns beginning as early as 2018, each building on the previous in sophistication and aggression. 

The sustained attacks included a successful hack of Sophos’ Cyberoam satellite office in India, where attackers gained initial access through an overlooked wall-mounted display unit. An investigation quickly concluded that the Sophos facility hack was the work of an “adaptable adversary capable of escalating capability as needed to achieve their objectives.”

In a separate blog post, the company said it countered attack teams that used a custom userland rootkit, the TERMITE in-memory dropper, Trojanized Java files, and a unique UEFI bootkit. The attackers also used stolen VPN credentials, obtained from both malware and Active Directory DCSYNC, and hooked firmware-upgrade processes to ensure persistence across firmware updates.

“Beginning in early 2020 and continuing through much of 2022, the adversaries spent considerable effort and resources in multiple campaigns targeting devices with internet-facing web portals,” Sophos said, noting that the two targeted services were a user portal that allows remote clients to download and configure a VPN client, and an administrative portal for general device configuration. 

“In a rapid cadence of attacks, the adversary exploited a series of zero-day vulnerabilities targeting these internet-facing services. The initial-access exploits provided the attacker with code execution in a low privilege context which, chained with additional exploits and privilege escalation techniques, installed malware with root privileges on the device,” the EDR vendor added.

By 2020, Sophos said its threat hunting teams found devices under the control of the Chinese hackers. After legal consultation, the company said it deployed a “targeted implant” to monitor a cluster of attacker-controlled devices.

“The additional visibility quickly allowed [the Sophos research team] to identify a previously unknown and stealthy remote code execution exploit,” Sophos said of its internal spy tool.

“Whereas previous exploits required chaining with privilege escalation techniques manipulating database values (a risky and noisy operation, which aided detection), this exploit left minimal traces and provided direct access to root,” the company explained.

Advertisement. Scroll to continue reading.

Sophos chronicled the threat actor’s use of SQL injection vulnerabilities and command injection techniques to install custom malware on firewalls, targeting exposed network services at the height of remote work during the pandemic.

In an interesting twist, the company noted that an external researcher from Chengdu reported another unrelated vulnerability in the same platform just a day prior, raising suspicions about the timing.

After initial access, Sophos said it tracked the attackers breaking into devices to deploy payloads for persistence, including the Gh0st remote access Trojan (RAT), a previously unseen rootkit, and adaptive control mechanisms designed to disable hotfixes and avoid automated patches. 

In one case, in mid-2020, Sophos said it caught a separate Chinese-affiliated actor, internally named “TStark,” hitting internet-exposed portals and from late 2021 onwards, the company tracked a clear strategic shift: the targeting of government, healthcare, and critical infrastructure organizations specifically within the Asia-Pacific.

At one stage, Sophos partnered with the Netherlands’ National Cyber Security Centre to seize servers hosting attacker C2 domains.  The company then created “telemetry proof-of-value” tools to deploy across impacted devices, tracking attackers in real time to test the robustness of new mitigations. 

Related: Volexity Blames ‘DriftingCloud’ APT For Sophos Firewall Zero-Day

Related: Sophos Warns of Attacks Exploiting Recent Firewall Vulnerability

Related: Sophos Patches EOL Firewalls Against Exploited Vulnerability

Related: CISA Warns of Attacks Exploiting Sophos Web Appliance Vulnerability

Read Entire Article