FBI Seeks Public Help to Identify Chinese Hackers Behind Global Cyber Intrusions
The U.S. Federal Bureau of Investigation (FBI) has sought assistance from the public in connection with an investigation involving the breach of edge devices and computer networks belonging to companies and government entities.
“An Advanced Persistent Threat group allegedly created and deployed malware (CVE-2020-12271) as part of a widespread series of indiscriminate computer intrusions designed to exfiltrate sensitive data from firewalls worldwide,” the agency said.
“The FBI is seeking information regarding the identities of the individuals responsible for these cyber intrusions.”
The development comes in the aftermath of a series of reports published by cybersecurity vendor Sophos chronicling a set of campaigns between 2018 and 2023 that exploited its edge infrastructure appliances to deploy custom malware or repurpose them as proxies to evade detection.
The activity, which Sophos tracks under the codename Pacific Rim and which was aimed at surveillance, sabotage, and cyber espionage, has been attributed to multiple Chinese state-sponsored groups, including APT31, APT41, and Volt Typhoon. The earliest attack dates to late 2018 and targeted Sophos' Indian subsidiary Cyberoam.
“The adversaries have targeted both small and large critical infrastructure and government facilities, primarily in South and Southeast Asia, including nuclear energy suppliers, a national capital’s airport, a military hospital, state security apparatus, and central government ministries,” Sophos said.
Some of the subsequent mass attacks leveraged multiple then-zero-day vulnerabilities in Sophos firewalls – CVE-2020-12271, CVE-2020-15069, CVE-2020-29574, CVE-2022-1040, and CVE-2022-3236 – to compromise the devices and deliver payloads both to the device firmware and to hosts on the organization's LAN.
“From 2021 onwards the adversaries appeared to shift focus from widespread indiscriminate attacks to highly targeted, ‘hands-on-keyboard’ narrow-focus attacks against specific entities: government agencies, critical infrastructure, research and development organizations, healthcare providers, retail, finance, military, and public-sector organizations primarily in the Asia-Pacific region,” it said.
Beginning in mid-2022, the attackers are said to have focused on gaining deeper access to specific organizations, evading detection, and gathering more information by manually executing commands and deploying malware such as Asnarök, Gh0st RAT, and Pygmy Goat, a sophisticated backdoor capable of providing persistent remote access to Sophos XG Firewalls and likely other Linux devices.
“While not containing any novel techniques, Pygmy Goat is quite sophisticated in how it enables the actor to interact with it on demand, while blending in with normal network traffic,” the U.K. National Cyber Security Centre (NCSC) said.
“The code itself is clean, with short, well-structured functions aiding future extensibility, and errors are checked throughout, suggesting it was written by a competent developer or developers.”
The backdoor, a novel rootkit that takes the form of a shared object (“libsophos.so”), was delivered following exploitation of CVE-2022-1040. Its use was observed between March and April 2022 on a government device and at a technology partner, and again in May 2022 on a machine in a military hospital based in Asia.
It has been attributed to a Chinese threat actor internally tracked by Sophos as Tstark, which has links to the University of Electronic Science and Technology of China (UESTC) in Chengdu.
It comes with the “ability to listen for and respond to specially crafted ICMP packets, which, if received by an infected device, would open a SOCKS proxy or a reverse shell back-connection to an IP address of the attacker’s choosing.”
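An ICMP-triggered backdoor of this kind is something a defender can hunt for at the network layer, because the trigger has to arrive as an echo request that no ordinary ping client would send. The block below is an added example, not Sophos's or the NCSC's code: it parses raw IPv4/ICMP frames and reports echo requests whose payload is not the stock Linux (iputils) or Windows ping pattern, adding a Shannon-entropy note when the payload looks like structured or encrypted data. The page does not give Pygmy Goat's actual trigger format, so the stock-payload baseline and the 3.5 bits/byte entropy threshold are assumptions, and the three frames are constructed for the demo.

```python
"""Hunt for ICMP "magic packet" triggers in raw IPv4 frames.

Added example, not Sophos or NCSC code. Pygmy Goat's real trigger format is
not described on the page, so the check is a generic baseline: any ICMP echo
request whose payload is not what a stock ping client sends is reported.
The sample frames at the bottom are constructed for the demo.
"""
import math
import struct
from collections import Counter
from typing import Optional

ICMP_ECHO_REQUEST = 8

# Stock payloads: Windows ping sends a fixed 32-byte alphabet; iputils ping on
# Linux sends an 8-byte timestamp followed by incrementing bytes from 0x10.
WINDOWS_PING_PAYLOAD = bytes(range(ord("a"), ord("w") + 1)) + b"abcdefghi"


def is_stock_ping_payload(payload: bytes) -> bool:
    """True if the payload matches what an ordinary ping client would send."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    if len(payload) >= 8:
        expected = bytes((0x10 + i) & 0xFF for i in range(len(payload) - 8))
        return payload[8:] == expected  # first 8 bytes are a timestamp, ignored
    return False


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~0 for repeated bytes, up to 8.0 for uniform random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_ipv4_icmp(frame: bytes) -> Optional[dict]:
    """Return the ICMP header fields and payload of a raw IPv4 frame, or None if not ICMP."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 1:  # IP protocol number 1 = ICMP
        return None
    icmp = frame[ihl:]
    if len(icmp) < 8:
        return None
    itype, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": ".".join(map(str, frame[12:16])),
        "dst": ".".join(map(str, frame[16:20])),
        "type": itype, "code": code, "id": ident, "seq": seq,
        "payload": icmp[8:],
    }


def build_icmp_echo(src: str, dst: str, payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Construct a minimal IPv4 + ICMP echo request (checksums left zero; fine for offline parsing)."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + icmp


def hunt_icmp_triggers(frames, entropy_threshold: float = 3.5) -> list:
    """Report echo requests that do not look like a stock ping (assumed heuristic)."""
    findings = []
    for frame in frames:
        pkt = parse_ipv4_icmp(frame)
        if pkt is None or pkt["type"] != ICMP_ECHO_REQUEST:
            continue
        if is_stock_ping_payload(pkt["payload"]):
            continue
        reasons = ["non-stock echo payload"]
        ent = shannon_entropy(pkt["payload"])
        if ent >= entropy_threshold:
            reasons.append(f"high-entropy payload ({ent:.2f} bits/byte)")
        findings.append({"src": pkt["src"], "dst": pkt["dst"],
                         "len": len(pkt["payload"]), "reasons": reasons})
    return findings


# Constructed traffic: two ordinary pings and one echo request carrying a
# structured, high-entropy blob of the kind a magic-packet trigger might use.
LINUX_PING = build_icmp_echo("10.0.0.5", "203.0.113.1",
                             b"\x00" * 8 + bytes(range(0x10, 0x10 + 48)))
WINDOWS_PING = build_icmp_echo("10.0.0.6", "203.0.113.1", WINDOWS_PING_PAYLOAD)
SUSPECT = build_icmp_echo("198.51.100.77", "203.0.113.1",
                          bytes.fromhex("8b1f0c5e6a2d9e41f3b7c08d5a6e1f220c7d3e9ab41f6c88"))
SAMPLE_FRAMES = [LINUX_PING, WINDOWS_PING, SUSPECT]

if __name__ == "__main__":
    for finding in hunt_icmp_triggers(SAMPLE_FRAMES):
        print(finding)
```

To run this against a real capture, feed it the IPv4 packet bytes from a pcap reader with the link-layer header stripped. On its own a non-stock echo request is only a lead; the corroborating signal, per the NCSC description above, is an outbound SOCKS or reverse-shell connection from the firewall shortly after the packet arrives, so the source and timestamp of each finding are what to pivot on.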
Sophos said it countered the campaigns at an early stage by deploying a bespoke kernel implant of its own on devices owned by Chinese threat actors and used for exploit research, including machines belonging to Sichuan Silence Information Technology's Double Helix Research Institute. This gave it visibility into a “previously unknown and stealthy remote code execution exploit” in July 2020.
A follow-up analysis in August 2020 led to the discovery of a lower-severity post-authentication remote code execution vulnerability in an operating system component, the company added.
Furthermore, the Thoma Bravo-owned company said it has at least twice (for CVE-2020-12271 and CVE-2022-1040) received “simultaneously highly helpful yet suspicious” bug bounty reports from what it suspects are individuals with ties to Chengdu-based research institutions, before the same flaws were used maliciously.
The findings are significant, not least because they show that active vulnerability research and exploit development is being conducted in the Sichuan region and that the results are then passed on to various Chinese state-sponsored frontline groups with differing objectives, capabilities, and post-exploitation techniques.
“With Pacific Rim we observed […] an assembly line of zero-day exploit development associated with educational institutions in Sichuan, China,” Chester Wisniewski said. “These exploits appear to have been shared with state-sponsored attackers, which makes sense for a nation-state that mandates such sharing through their vulnerability-disclosure laws.”
The increased targeting of edge network devices coincides with a threat assessment from the Canadian Centre for Cyber Security (Cyber Centre) which found that at least 20 Canadian government networks have been compromised by Chinese state-sponsored hacking crews over the past four years to advance China's strategic, economic, and diplomatic interests.
The assessment also accused Chinese threat actors of targeting Canada's private sector to gain a competitive advantage by collecting confidential and proprietary information, and of supporting “transnational repression” missions aimed at Uyghurs, Tibetans, pro-democracy activists, and supporters of Taiwanese independence.
Chinese cyber threat actors “have compromised and maintained access to multiple government networks over the past five years, collecting communications and other valuable information,” it said. “The threat actors sent email messages with tracking images to recipients to conduct network reconnaissance.”