Transcription performed by LeahTranscribes
[Start of recording]
JACK: Hi, I’m Jack Rhysider, host of the show. Back in 2018 an interesting cyber attack took place.
ANDREW: [Music] It’s kind of a funny thing. I mean, it was — it basically came onto my radar the second month I was working at Sophos.
JACK: Oh, I should introduce you to Andrew.
ANDREW: Yeah, so, I’m Andrew Brandt, and throughout the time that the research was going on for this story, I was a principal researcher for Sophos, but I am now a principal threat researcher for a company called Netcraft.
JACK: So, one of the things Sophos wanted Andrew to do was research novel threats and write about them on their newly-established Sophos blog.
ANDREW: The team that I was on eventually didn’t exist. I was the only person on it. One of the analysts reached out to me through the company chat and said, hey, I’ve got a great story for some really cool research. I’d like to write it up and have you publish it on the blog and do some edits on it. I said, great. Tell me more. He told me the story, but the one thing he didn’t tell or what he said he couldn’t tell me was who the target was.
JACK: So he’s like, okay, fine, send me what you got. Let me research it, and I’ll write about it.
ANDREW: It started with a TV set. So, there was a sales office and they had a bull pen like you have a lot of — you know, in a lot of sales offices where people are on the phone and you’re trying to sell the product. So, they had this leaderboard that was on a computer screen that was running off a little Linux computer, and that was the first machine that got infected. The threat actors managed to pivot from that Intel NUC, which is like a tiny, little computer that’s small enough it can mount on the back of a TV monitor that’s hanging on the wall — that they were able to pivot from the NUC in and find access to the repository where the source code was and then get into that, and then to do the cloud-snooper attack on that cloud service where the source code was — it’s just mind-boggling to me the amount of effort involved in pivoting from this to this to this to get into this and then to build this backdoor that allows them access. It’s amazing to me.
JACK: [Intro music] Oof, the attackers got access to the source code, but why? Was this an insider trying to seek revenge? Were they stealing it in hopes to sell it to someone? Did they steal it so that they could copy the product and steal their intellectual property? At the time nobody knew what their motive was.
(Intro): These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries.
JACK: So, hackers broke into a company and copied the source code for that product.
CRAIG: So, we managed infosec there for a while, and currently too. It was the type of network that was in the process of being brought over to a kinda set standard.
JACK: This is Craig. He helped clean up the intrusion.
CRAIG: So, my name is Craig Jones. I’m the chief security officer of Ontinue. But several years ago I was actually the senior director of information security inside Sophos. I mean, if you don’t know Sophos — great UK beast, cybersecurity provider that has everything from EDR, MDR through into firewall products. At the time they had three different firewall products; one being Cyberoam, the other one being a German-based firewall provider, and the new Sophos Firewall product. So, essentially they were collapsing two products into one, and the new one being Sophos Firewall.
JACK: Yeah, Sophos’ main product is their firewall. This is a network device that will act as a wall between a protected network and an unprotected one. Out of the box, nothing is allowed to pass. You have to tell it exactly what you want to allow through, because the point of a firewall is to stop unwanted traffic from coming into your network, and believe me, there’s a lot of unwanted traffic that’s always trying to get into our networks. In 2014 they bought another company called Cyberoam, which was also making an interesting security product.
CRAIG: That product — we were flattening that product to make it into something else. Cyberoam was very much purchased to be the development house for the new Sophos Firewall product. There’s some super-hot developers there.
JACK: It was this newly-acquired Cyberoam network which was the victim of this attack. Someone had gotten into Cyberoam and was looking for their source code and found it for one of their products, which — Craig and his team had to go clean up that intrusion.
CRAIG: There was some really cool stuff that those actors did. There were several points when I sat down and thought, damn, these guys really know what they’re doing. I think for me there was one where they had actually attempted to intrude the network in several different ways, mostly at the same time. What was really interesting about it is we could tell that there were two or three actors working together in different consoles. One of the things they did, which was kinda funny, actually, was that they’d gotten hold of a secure shell key. One had obviously copied it, and another person was trying to type in the password for it. We could tell in the logs that they were mistyping the password, you know? The person who had obviously taken the key had obviously tried to relay onto another person, and they were mistyping this thing. It was kinda crazy. You immediately knew then that this wasn’t just a dude. This was a serious operation.
JACK: The attackers had really unique methods for getting in, not methods that were publicly known at the time, super sneaky and crafty ways to get into a network. They got in through multiple ways. Then when they got in, they were able to move laterally in really unique ways, too, so unique that the Sophos team had no idea that stuff was even possible. It was like exploiting bugs in the way AWS handles identity. One problem, though, is that they didn’t have enough monitoring at first to know exactly what these hackers saw or took. They assume because they got access to the repository with the source code that they took the source code, but they were unsure. So, they had to enable a lot more logging and monitoring to fully eradicate them from the Cyberoam network. Andrew wrote this attack up because it was so interesting and new, and published it on the Sophos blog, but didn’t say who the target was.
ANDREW: [Music] Yeah. So, flash forward.
JACK: Two years go by. It’s now 2020.
ANDREW: We now have the team up and running, I’ve got a couple of people working with me, we’re publishing a few blogs a week. I find out from internal people within the company that there’s a security incident, and the security incident started with a tech support call where someone sent an e-mail to their support technician and said, hey, my firewall is showing this URL in the user interface, and I didn’t put it there, and I don’t know why it’s there.
JACK: Hm, sounds like a minor problem at the surface. This firewall had a configuration which showed what IPs are allowed to access it and manage it and configure it, and a strange URL was showing up in that list of IPs. It didn’t make any sense as to why it was there or why anyone would ever even put it there.
ANDREW: So, Sophos has a firewall called the XG Firewall. At this point it was just called the XG Firewall. The firewall has its own operating system. It’s running a version of Linux in it. It has a UI that’s running on the front of it so that you can manage it.
JACK: At the same time, someone outside of Sophos submitted a bug into Sophos for the same issue.
CRAIG: I think it was April 21st. We had — well, we actually had an external bug bounty report. It was a SQL injection, and what was kinda weird about it was they — I remember the user actually claiming to be from Australia, but they had a Chinese name, you know? Now, at the time we didn’t have amazing telemetry from any of the Sophos Firewalls. We had kinda base telemetry which gave you — it was really designed for product managers to understand what features that users were using. So, they understood where to put their limited resource time into, right? So, we had that and we had a really good idea of where all of the serial numbers for these devices sat and their IP addresses associated, too. So, it’s almost kinda interesting to correlate the IP with the intended location of the researcher. So, we got a researcher’s device. It’s one that had never been turned on before, which was pretty suspicious. It had never been registered. It was a serial number that had just come from a web trial of a VM. We find the IP actually related back to Chengdu in China.
JACK: [Music] Okay, odd; someone from China with a trial license of the Sophos Firewall found this bug and reported it to Sophos? Sophos did, in fact, pay the bug bounty for this.
CRAIG: It was about $10,000, I think.
JACK: Hm, someone got paid a pretty penny for reporting this bug to Sophos at almost the exact same time that they were seeing it being exploited by devices in the wild. Strange timing.
CRAIG: We called it Asnarok.
JACK: So, the team investigated this bug further. It was present in the front-end web user interface of the firewall. To configure this firewall you can use a browser and access it that way. Well, the web UI of this firewall had a SQL injection vulnerability in it. Basically, in one of the form fields of the firewall, like maybe the username field or something, an attacker could enter in some commands there which would glitch out the user input handling mechanism of the firewall and allow the attacker to inject their own commands into the database of the firewall where the configuration sat. This was a really bad bug for Sophos to discover. Their devices are supposed to be blocking hackers from getting into the network, yet it’s the vulnerable device which is allowing hackers into it? This is not good at all.
ANDREW: They found that essentially every firewall that was facing the public internet was affected by this bug.
JACK: These firewalls weren’t just vulnerable; they all had been hacked into, exploited. Someone probably scanned the whole internet looking for these particular Sophos Firewalls and then ran some kind of automation script to go infect them all.
CRAIG: We kinda worked out that there were a huge amount of devices affected. I think in the end the FBI report that came out for this, I think they mentioned 80,000. I would hazard a guess it was probably more, you know?
JACK: Hot dog, 80,000 Sophos Firewalls hacked into. But just because someone put a URL in place where it shouldn’t be, that’s not all that damaging just by itself. So, the team investigated what that URL did, and that’s when they started to panic. The URL would trigger a GET request in order to update the Sophos Firewall itself.
CRAIG: But what was really weird about it is that it was a wget to a domain called sophosfirewallupdate.com.
JACK: Sophos didn’t own that domain. So, it tried to blend in like it was supposed to be there, and it fooled many of the people even at Sophos who just figured the update domains changed. But my goodness, this meant suddenly 80,000 firewalls were looking somewhere else for updates and not to Sophos.
CRAIG: It’s kinda strange because we actually monitor all domain registrations. It was kinda part of our core security ops function. So, every single cert that was registered, every domain that was registered, we kinda pop up, and anything infringed on Sophos IP we’d attempt to pull back, you know? It was one that had popped up a little while ago, but nothing had kinda come of it. But actually seeing this thing in operation was quite jarring.
JACK: I don’t know if you fully understand what this means. If a malicious actor is able to send your firewall software updates, then they can put in whatever they want. They can give themselves full access to the firewall or they can log all traffic going through it. They can poke a hole in the firewall and let themselves right into your network, and then from there they could just infect your whole network with ransomware. The thing that is supposed to block unwanted traffic is no longer blocking anything if the attacker wants it that way. Not only that; Sophos was worried that they had lost capability to update any of their firewalls properly.
CRAIG: Yeah, so effectively, what they could do — I mean, the truth is anything. But what they really were after was system configuration and passwords. Now, I’ve always suspected that this was something that they expected to run quietly, for them to kinda pool that configuration, the passwords, quietly, and then for them to kinda delete any presence they ever had on those firewalls, and then for them to have a really easy and simple access campaign.
JACK: [Music] Jeesh, so the attackers took copies of the configurations from the firewalls and then passwords from it? This was a pretty darn scary event for the Sophos team to handle.
CRAIG: So, it was very much an incredibly tense situation where we first had to get ahold of one of these devices. We set multiple teams up to work out what happened and to really do some in-depth incident response on this. We were incredibly lucky. We had the entire arm of Sophos Labs to help us reverse-engineer this stuff.
JACK: Okay, step one, fix the bug that made these things vulnerable. Step two is get the bug fix on as many firewalls as soon as possible. They were able to complete step one pretty quick, but step two was a little bit more tricky. If you buy a firewall whether for your home or a large enterprise, typically you’ve got to update it yourself, just like how you have to do your own software updates on your phone or computer. Sophos Firewalls are no different. The customers are the ones who have to issue updates for this thing. But to Sophos, this was too critical of a bug to try to tell 80,000 customers, go update your firewalls, because I’m just guessing that less than 50% of them would do it in the first month. There’s just not enough time or it’s not a high enough priority for them to fix it. So, Sophos decided to do something they’ve never done before.
ANDREW: They pushed out a hot fix to these firewalls. A hot fix is like a little software patch that can run in real time, and they can live update all the firewalls remotely with these hot fixes. It doesn’t require the firewall to reboot to be enabled. They felt like they had analyzed the attack and figured out exactly how the threat actors were leveraging their access, and they closed those loopholes with the hot fix.
JACK: This was the first time Sophos ever issued a hot fix to one of their customers’ devices.
ANDREW: Now, they had built the facility to do hot fixes and they had not really used them before this. So, there had been no real reason to do it. But I think they had built in the capability to do these hot fixes anticipating that there might be an opportunity to use it if there was something that was a real problem. It was fortunate that they had rolled this out in the previous firmware update just before this attack had taken place.
JACK: Yeah, I think this is a really big deal. It makes me wonder if there’s language in the small print of the terms of service that says Sophos reserves the right to make configuration changes to your firewall or update it whenever they want.
CRAIG: I think that’s what’s important as well, is like, this isn’t something that’s just kinda done, and it’s not something that’s done willy-nilly, you know? You’re right; it does feel kind of offensive, someone coming in and tampering with my stuff, but effectively it’s written into the EULA, the End User License Agreement. You kinda need this, and I think that’s where a lot of firewall providers actually fail, is the fact that they rely on end users to patch everything. Candidly, so many firewalls are just bought and they’re never updated, you know?
JACK: Gosh, I really don’t know where I stand on this. I was a firewall admin for my previous employer for ten years. Those Cisco firewalls were my babies. I knew everything about them and would review every single change that ever took place on them, and I don’t think I would like it if Cisco just decided to patch them one day without my consent. Like, some were in hospitals that were mission critical, and some hadn’t been patched for years because they were so finicky, and any change to them would just make them wig out and crash. When I had to update them, I wouldn’t do them all at once in one big swoop.
I’d do them one at a time and hold their hand and make sure that nothing broke after the upgrade and everything came back up as expected. So, if a security vendor just slapped a hot fix on all my firewalls that I was in charge of, I would freak out. What? We did not get approval for this change. We aren’t in a maintenance window. We don’t even know what changes you made to the firewall or what’s happening. How can you just come into our devices and make changes without us knowing? I would be upset. I wondered, did the Sophos team get approval from their lawyers before issuing a hot fix to their customers like this? Is this even legal?
ANDREW: Yeah, I mean, that’s a great question. I was not privy to those discussions, but there were — I’m sure there were discussions like that about what is early liability, what are we allowed to do and not do remotely on these devices. I believe ultimately the decision was made — and I’m not sure if there were lawyers consulted on this or not, but it made a lot of sense that the harm of allowing the firewalls to basically try to ransomware the inside of networks was probably greater than the risk of somebody complaining that, oh, you made a change to my firewall without telling me first. So, they just went ahead and did it.
JACK: Yeah, I mean, I think not only that, but it’s like this idea that the vendor can come in and change my device in any way. It’s not just crash logs that are being sent to it. It’s, wow, what else can you do? If you could put a hot fix in, can you see the password? Can you see the connections? Can you see — can you come in and do other work? Can you update to a different firmware that has malware on it or something? Could you do things that…? You start — your mind starts going. Like, could you do things that the NSA wants you to do and go and spy on this customer or something like that, right? So, when you’re a firewall admin, you’re like, no, I have to make sure that this is — no other person on the planet can access this but me and the people on my team, because you can’t risk some — a backdoor. It’s basically a backdoor that you had.
ANDREW: Yeah, that’s entirely accurate, and you’re not wrong. These are devices that are typically placed in a position in the network where they act as the barrier between the outside and the inside worlds of the networks, and I recognize that that is a risk. However, it is also worth noting that this is exactly what the bad guys were doing at this moment. They were installing malware inside the firewall. So, how do you fix that?
JACK: [Music] I could just imagine the headlines at this point and just — my question is, did any bad news come out to be like, Sophos found vulnerable? Tens of thousands of customers impacted. Huge vulnerability. Hacker has complete control over their firewalls. Patch immediately. That could make the stock tumble. That could really hurt business.
ANDREW: Yeah, it could, and that was one of the reasons that I was brought in basically on day zero of this happening. The company realized that they had a public — a potential public relations nightmare on their hands, and they needed to communicate as openly and as forthrightly as possible everything that they knew and everything that they were doing to fix it. Credit goes to the people in leadership at the company who decided that possibly against the conventional wisdom at the time that they were gonna go public with everything we knew about this attack.
It was not a common thing at that time, but as I said, I’ve worked for a long time doing this kind of — in this kind of role where I do investigations and then publish about them to the public to warn people about bad things that are happening on the internet, and it’s been my experience that the more information that you get out, the better protected people are, and that being radically transparent benefits everyone. It helps the customers who are affected. It also warns the public that, hey, this is something that you need to be aware of in the future, and it might also put the threat actors on notice that, hey, we’re watching you and we’re taking action to stop you.
JACK: As the Sophos team investigated this more, they learned that whoever did this attack had to have really in-depth knowledge of Sophos Firewalls. Like, there’s no way they should have discovered this bug unless they had access to the source code, which wasn’t publicly available, and that’s when the pieces started clicking into place. The part of this firewall that was vulnerable was code from the Cyberoam firewall that was moved over to the Sophos Firewall. Two years before this, as you know, there was an attack on Cyberoam. What server did the attackers get access to?
The one with the source code for their firewall. So, they started to think, holy crap, this is a very serious threat actor who’s been attacking us for years. They spent tons of effort getting into Cyberoam’s network to steal the source code only to study it for bugs and then launch a massive attack on our Sophos Firewalls. Whoa, what do we even do with this information? To think your products are the target for a major cybersecurity campaign like this? This is starting to smell like a nation-state actor is behind this. Who else has that much time and resources? What the heck was the deal with someone from China submitting this bug the exact same time that Sophos discovered this? Very strange.
CRAIG: One of the things that we’d been kinda working on but even before this situation was pooling in our telemetry, our firewall telemetry, the kinda basic telemetry I was talking about earlier into Splunk. I remember talking to Mark, who was just this amazing Splunk engineer on my team. I said, well, can we go back on that day? Can we find when this first started? ‘Cause I couldn’t quite work out the exact moment in time or the first firewall that was hit by this Asnarok attack. Then I went back. How far does that data go back? Then Mark said, well, actually, I think I’ve got three months’ worth. [Music] So, we kinda rolled this thing back three months, and there was one single device that had been hit a month or so beforehand, like sometime in February, if my memory serves me right, and it was just really strange. So, it was kinda registered to a Chinese 163 address, and it sat, again, in Chengdu.
JACK: Chengdu, China, again? That’s where the person who submitted the bug was from. So, they took this firewall, and again, this one was running a trial license which was actually just a software-based firewall running in a virtual machine. It’s a virtual machine because Sophos isn’t allowed to sell their firewalls to China due to export controls. So, really, nobody in China should even have a Sophos Firewall. Their suspicion was that the attackers were using this virtual firewall to practice their attacks against, develop them, and then unleash them against the world. Because Sophos has the ability to run in a virtual machine with trial licenses, they can just spin one up real quick, try attacks on it. If they mess up the firewall they can just reboot it, take it down, and bring a fresh one up in minutes.
CRAIG: We found this trial license, and they resolved to a 163 address and a moniker that we called gbigmau.
JACK: Okay, interesting. They looked up who registered that trial license, and this gave them an IP address, a username, and an e-mail address. The username was gbigmau. So, now you pivot on that name. What other Sophos products has gbigmau downloaded?
CRAIG: We kinda pivoted on him. We found that he actually started to experiment with this database or SQL injection a month or so ago. We kinda found then, looking at his IP address — again, we had phenomenal telemetry here — that he was looking at different knowledge-base articles around our previous CVEs, issues. He was looking through our forum system to look at maybe other potential issues or places that he could maybe pivot and work on.
JACK: Then they took a look at his e-mail address and wondered, has this e-mail address been used anywhere else in the world? So, they do some OSINT investigation to see if this e-mail is known anywhere else.
CRAIG: We found that he was an actual firewall researcher, and he published a number of different vulnerabilities. We could see him in Linux boards publishing various different router vulnerabilities up until about 2018, and then he went silent. He’d been really, really busy up until like 2018. Now, we kinda find out that he was working for a company called Sichuan Silence Information Security Technology, mostly because doing some extra OSINT we found that his username appeared in many Chinese hacking groups and lots of CTFs. So, like capture-the-flag type events where he’d been registered towards this company as well. So, we found corroborating evidence from a couple of different places that this was the same guy in the same company, again, located in Chengdu in China.
So, we found a really clear picture of who this person was. Now, his external opsec was pretty good. You would not have been able to find him that easily. But because we could see the internal telemetry and get the license information, we kinda connect the dots. We could actually pin these devices to him and his usage. But what we had to do at that point was find out more about these devices that were being used for research. We find that from the limited telemetry that we’d started to gather with the first hot fix — but what we realized is we actually needed more. We really needed more detail, faster detail to a greater depth to understand what these guys were doing. So, we developed a kernel implant in-house.
JACK: [Music] A kernel implant, that’s a nice way to say it. I guess when the good guys make it it’s called an implant, but if the bad guys were to make it, it would just be called malware. But essentially, a kernel implant is a hidden piece of software that they developed to sneak onto their firewalls to covertly and sneakily spy on what the firewall is doing.
ANDREW: Yeah, so there’s a lot of interest within the company. Well, we know that there’s these firewalls that have been registered to people who have non-corporate or non-enterprise-level e-mail addresses, like free webmail addresses. The firewalls are checking in all from Chengdu. We know their serial numbers, so we know the exact count of the number of firewalls that are being used in these places, and we could see from some of the log telemetry that the threat actors are running commands that are testing how these exploits are gonna work. But we don’t have the exploit code itself. So, the security team decides they’re going to build something that they just call the implant, or sometimes they call it the kernel implant, and it’s a small ELF binary that gets distributed only to the machines that they are specifically interested in taking a closer look at.
So, these machines that they believe are being operated by threat actors where they’re doing these commands that are way outside of the boundaries of normal firewall behavior. These things are capable of doing more than just sending log entries. They’re able to pick arbitrary fields from the file system on the firewall and send those files back. So, that was how, in some cases, the team started throwing these kernel implants onto some of these firewalls that we could see were being used to do this experimentation, and they were retrieving all sorts of very malicious and pretty dangerous files that were being dropped on these machines by the people who were developing these exploits and were testing them out in advance of attacks.
JACK: Wow, that is wild. This is going to take me a minute to fully grasp. Sophos developed an implant and sneakily put it on one of their customers’ devices to essentially spy on them. Is that going too far?
ANDREW: To call it malware is kind of a — it’s kind of a misnomer. I’m not gonna defend the overall argument here, but I will just say that there is nothing malicious about wanting to know what someone who is doing malicious things with your product is doing. It’s kind of a — it’s an ethical gray area.
CRAIG: I’ve gotta caveat this with we only ever deployed this to devices where we would be absolutely certain that they were a threat-actor device. There’s…
JACK: And not just threat-actor controlled, but threat-actor owned. Like, this is where they’re doing their research.
CRAIG: Exactly. So, number one, we never deployed it to any properly licensed devices. The second part is we only ever deployed it to Chinese devices. We just didn’t sell firewalls in China, so there was really — unless you were a company maybe bringing one from external, there was no real reason for you to actually have one legitimately in China. So, under the EULA, we could take steps to protect the firewall and gather intelligence, and that was covered clearly under the EULA. Now, the other aspect…
JACK: So, that’s what — forty people in the room, the lawyers must be in there, too. Like, are we allowed to hack into these devices?
CRAIG: That was a serious conversation we had, yeah. It wasn’t just a small one, either. I mean, I don’t think people have ever done this before, you know? We sat there debating this thing for hours, and really hours, because there’s some serious ethical challenges around this. It’s not — what happens if we find the guy? We record him, we see him doing it, and we send it through to law enforcement. There’s so many crazy things that could be discussed there. It’s a conversation I never thought in my entire career that I would have, you know? Candidly, too, I never thought legitimately in my entire career that I’d ever deploy a kernel implant either, you know? But it was certainly interesting.
JACK: Wow, I’ve never heard of a security vendor doing anything like this, adding in stealthy, secret implants to spy on their users? In my opinion spyware is malware. Gosh, before hearing all this, I would have said that is going too far. But now, now I’m not sure. My ethics are really being challenged here.
CRAIG: Again, I had amazing access to just quite incredible engineers. They built this kernel implant that allowed us to basically move Sophos Firewalls from a normal update path to a specific update wing, and we would then deploy this specialist kernel implant in a normal update, and you just wouldn’t see it. But what it allowed us to do was grab anything being needed from the device. So, for example, things like files, if there were entry updates. It would kinda record anything that was kinda written to specific writeable directories.
It would start to give us a really good idea of what they were doing, what they were writing, why they were doing it. But some of the really cool things that we actually got from it were quite unexpected. So, for example, we started to pick up on the devices around the firewall. [Music] So, we’d capture all the MAC addresses of devices connecting to this firewall. We’d also capture MAC addresses of things that also sat in the network alongside the firewall. Then we suddenly realized that actually, this is huge. This isn’t just Sophos Firewalls. We’re seeing other vendors’ devices on the same subnet alongside the Sophos Firewall. They were looking at all sorts of devices. You can probably pull from the top of your head thinking about things that have been attacked in the last couple of years, the devices that were in the rack alongside that Sophos Firewall.
JACK: Oh, wow. So, the firewalls that come to mind for me are Cisco, Palo Alto, Juniper, Check Point, Fortinet. He says he saw other vendor firewalls set up alongside their firewall in this threat actor’s lab.
ANDREW: Now, just being the person who’s telling the story of what happened, we were observing in the world not just Sophos Firewalls but every firewall vendor getting hit with zero-days. There are customers being attacked in various ways, and there being no way to resolve this, and certainly no way to anticipate it. Now, whether or not other companies were doing the same thing, no one else has disclosed that. But I don’t think it’s outside the realm of possibility to think that maybe some of them were.
JACK: Oh man, this is now tugging at me in new ways. If every firewall vendor is getting hit with the same type of attack, and Sophos is the only one being transparent about what they’re seeing and what they’re doing to mitigate this, then yeah, I give them a lot of credit for that. Here’s the test, I think, for whether your company is evil or not. First, it has to be transparent to its customers. Let them know exactly what kind of configuration changes, updates, or spying or data collection you’re doing on your customers’ devices, and what circumstances, and what’s that being used for? Second, be proud of whatever it is you’re doing around that. If you’re a company which is making changes to the customers’ products but then not telling them and secretly adding spyware but making it so top-secret that not many people on your team even know it exists, then I think you might be evil.
If you’re afraid to let the public know exactly how you operate because you think it’s gonna look bad on you or maybe because you think it’s not even right, then either stop doing it or go public with it. Sophos came to the conclusion that while this is not an ideal situation, this threat is novel and sophisticated in ways nobody’s ever seen before. Not only that; whoever was doing this, they’re being unethical themselves. So, Sophos had to deploy a novel and sophisticated approach to defending their device. While it’s not pretty, at least they came out and told us about it through Andrew’s blog posts. They’re basically saying, hey, we’re in the middle of a nasty street fight here, and the gloves are off until we can neutralize this threat. Again, I give them a lot of credit for that. Nice job. So, at the same time, they were developing this implant to eavesdrop on the hackers. They were also in the process of studying those domains which were found in the exploited firewalls. The hackers pointed all the firewalls to two domains to get updates from, which were not owned by Sophos.
ANDREW: Yeah, well, there was sophosfirewallupdate.com and sophosproductupdate.com, which were registered at different registrars and hosted in different IP spaces. But because they were — they both had Sophos in the name and they were part of this attack, Sophos went to ICANN and did the domain name seizure process on those domains so that they could pull those down and start to — they wanted to sinkhole the domains and see what was connecting into them.
JACK: How do you seize a domain?
CRAIG: Well, with lawyers and money. It’s a really serious thing, attending court in Delaware, I think it was, you know, remotely. Because at the time, don’t forget that this is the thick of Covid.
JACK: Jeez, that’s another thing that’s wild to me, the fact that you can take over someone else’s domain if you can prove that you’re the one who’s the rightful owner of it or should be owning it. But they gave enough reasons to the courts, who then demanded that the domain registrar give Sophos control of the hacker’s malicious domains.
CRAIG: [Music] The server used by the threat actor actually sat in the Netherlands, and it was one of these bulletproof hosting providers. So, we were super lucky that through the NCSC in the Netherlands — they were kinda an intermediary with the Dutch National High-Tech Crime Unit. Once we can realize how this was panning out, the Dutch National High-Tech Crime Unit just jumped on this, and they managed to get hold of this C2 server, so the actual physical Linux box.
JACK: I guess it wasn’t bulletproof then, huh?
CRAIG: Well, yeah, this is the thing, you know? So, they managed to grab hold of it and — I mean, we were super keen to…
JACK: How do you even…? So, how does that happen? You convince the Dutch authorities — so, you’re just a company in the UK. You’re just like, hey, we make this product. You can’t just call up the Dutch police and say, go get that server; we need it. Then they’re like, we’re on it.
CRAIG: Well, yeah, you’d think, but then, luckily or unluckily for us, there were a couple of Dutch customers affected by this attack. So, that allowed us to be able to register a crime and then get assistance. We did this globally, you know? We really used all of the resources available to us. So, this obviously took time. I think right now this is like three or four days after the attack. But the NCSC in the Netherlands were incredible. The Dutch guys there were just super helpful. We wanted a copy of that threat actor device. Like, I wanted to see that Linux box and understand what they’d done. Obviously it was evidence now. It wasn’t owned by us. So, we couldn’t get a snapshot of it, for example. But they allowed us to basically work with them and analyze the box live on a screen share so we could actually understand the scale of what had happened.
We’d seen the threat actor’s scripts for scanning the devices, the outputs that they’d taken from the firewall, how they’d set this thing up, kinda Chinese characters and notes and things throughout the device. What was actually surprising was that everything was kinda set up manually on the C2 server. I kinda expected them to deliver the C2 server with some sort of devops pizzazz, but it was just basic. It was like a Linux box and then someone had copied some scripts to it. But they were amazing. The NCSC in the Netherlands just gave us so much help and really helped us focus what we — where we needed to look and the scope and scale of all of this.
JACK: At the same time they got control of the domains used by the hackers and sent all the traffic they were getting to a sinkhole and logged it all.
ANDREW: It’s just fascinating to think that like, I don’t know, a NETGEAR, a Linksys, some other commercial product was checking into sophosfirewallupdate.com. It almost screams of, well, we could be bothered to register this domain for Sophos. We’re not gonna bother to register it for these other companies. We already got the domain; we’re just gonna keep using it for these other things.
JACK: I couldn’t find a single article by Linksys mentioning any of this. Nothing at all. NETGEAR put out an advisory saying a Chinese threat actor is attacking their products. However, they say they are not aware of any NETGEAR devices being exploited out in the wild. Which, if they don’t have any telemetry from their customers’ products, then yeah, of course they’re not gonna know if any devices are being exploited. That’s what’s challenging me here. Should the firewall vendor be collecting logs off its customers’ devices in order to better understand what devices are actively being exploited, or should that be the responsibility of the customer? In many organizations they have their own security logs and even a team to monitor those logs to look for threats. Things like NETGEAR and Linksys are typically home devices, and it’s very rare for people in their own homes to be monitoring their logs looking for threats. I looked it up; NETGEAR actually does quite a lot of analytic collection from their customers’ devices.
They collect IP addresses, geolocation, how often you use the firewall and what you use the hardware for, what channels your Wi-Fi is set to, and what devices are connected to it. It’s surprising with all that analytics collected that they didn’t spot a single device being exploited by these threat actors. This is what frustrates me, when my home router is sending all kinds of logs to another company like what devices are connected to my router. Really? I hate that. I want the devices in my home to be private and not sending tons of data to somewhere without me even knowing, because if NETGEAR has that data, then it’s likely a lot of other people have it, too.
ANDREW: But then they also registered for the kill switch. They registered Ragnarok from Asgard, right? Ragnarok, of course, is the Norse mythology end-of-world myth. It was fascinating that that was how they used that nomenclature and that language behind it, because by this point we already had some folks who were using Marvel character superhero names in their user accounts that they were using for downloading these firewalls. So, we had a guy who used the handle of TStark who was involved in some of the exploit development and had registered a bunch of these virtual firewalls, and now we’re seeing — this is the time frame when the TV series Loki came out and when the Thor: Ragnarok movie had come out as well. It’s just fascinating to imagine that these guys who were doing this stuff saw themselves as some kind of superheroes or maybe they just put themselves in the shoes of — maybe they’re just — maybe they’re up there with gods and that they can engage in a hammer that can throw lightning from a distance at an enemy. It’s just fascinating to think about.
JACK: So, this is why Sophos called this particular exploit Asnarok, a combination of the words Asgard and Ragnarok. All these efforts on their side paid off. The implant gave them incredible insight into how these attackers were developing their exploits and were able to write fixes for the next exploits before the attackers could even launch them, which is incredible to be in the hackers’ machine watching them in order to be one step ahead of them. Good job, Sophos. This looks to be a pretty hairy threat actor that you’re dealing with. But little did everyone know, that was just round one. We’re going to take a quick ad break, but stay with us because round two gets even hairier. Yeah, so, that kinda wraps up round one. You identified, you fixed, you cleared, you found all the ones that didn’t get fixed, you found and fixed those, and took down the whole infrastructure that was doing it. Done. That’s patched permanently, 100%. There’s nothing that no customer has that’s not patched. We’re good.
CRAIG: Yeah. So, everything I’ve just described to you happened over four days.
JACK: [Laughs] Four days.
CRAIG: Yeah, when you think about it, it’s insane. It was basically one of the largest, widest incident response operations on Earth, and we did it in four days.
JACK: Wow.
CRAIG: I still think about it now. It was a crazy situation. But we were lucky. We had an amazing team. Things aligned.
JACK: Amazing. That’s gotta be one of those four days that is permanently in your head, like a light bulb experience of work. A lot of people I bring on the show and I say, tell me about the worst day of your life. Would you say that that’s probably it?
CRAIG: I wouldn’t say it was the worst day. I would probably say it was an experience, right? I mean, I remember thinking at the time, oh my god, this just can’t get any worse. Every time we’d kinda look at this there’d be something else. Or, I remember as these devices were checking into telemetry we’d just see the number of affected devices grow, and I remember feeling just this gut-wrenching feeling of like, ugh.
ANDREW: [Music] Within about, I don’t know, six to eight weeks after the hot fixes were rolled out, the threat actors had figured out what the hot fix did to make it impossible for the Ragnarok attack to work, and they had done a workaround. They had just bounced their attack around the thing that the hot fix was able to, in a very rapid way, kludge together to make it not work. They kludged together something that got around that hot fix.
JACK: Wham. Round two officially begins. More Sophos Firewalls are getting hit with a brand-new vulnerability, one that Sophos had no idea was even possible. But Sophos was ready. They even developed a specialized team just to handle this, X-Ops. So, X-Ops jumped on it. They saw what the vulnerability was, they wrote a fix for it, and started immediately trying to patch the firewalls.
ANDREW: The team starts to realize we need to give these things names, because if we’re gonna be having these attacks happen in sequence, in short order, to just keep straight we need to come up with names. So, they decide to use the names of locations around the Pacific Rim as the code names for these internal attacks. So, they give this attack a nickname, Baja. It doesn’t have anything to do with Mexico. It’s just — they just decided that they want to talk about it in the sense of it’s on the Pacific Rim which is a region of the world where volcanoes and earthquakes happen, right? So, it’s a place of turmoil.
JACK: So, internally Sophos realized this attack is bigger than a single attack. This attack is linked to multiple attack campaigns against their product. So, they called this whole series of incidents the Pacific Rim Campaign.
ANDREW: So, what the threat actors figured out when they were doing this — the development of this Baja attack was they watched Sophos and they watched how the hot fix mechanism worked. They learned how to develop a new exploit, but also they started to develop technology and technique to get around hot fixes. So, they would — they figured out how hot fixes were being deployed on firewalls and they were slowly starting to turn off features inside the firewall that allow the hot fixes to launch and run and do their fixing. Now, at this time they’re putting just regular old web shells on the firewalls.
JACK: A shell is like CLI access to a computer. A web shell is having remote CLI access to a computer over the internet. What the threat actors did this round was simply give themselves remote access to as many Sophos Firewalls as they could. This also removed the need for the attackers to use command-and-control servers, because they could just log in directly to the firewall whenever they wanted and do whatever they wanted to it, which again is a huge problem. You should not allow attackers to enter your firewall on the internet. This is like the security guard of the building suddenly being remote-controlled by the bad guys.
CRAIG: In June we had seen this attack happen, obviously. It was an Apache module issue and it was chained with a local privilege escalation. So, it’s basically, again, any device that had one facing way portal could be affected, which was a lot of devices.
JACK: The threat actor set up these web shells where they just needed a username and a password to log in. So, the Sophos team tried to crack that password, but they couldn’t for some reason.
CRAIG: Actually, I think we unsuccessfully tried to crack the hash of the password, but I think eventually we find out that the actual password was Gucci. Now — which was — we come across this a while later because it seemed to be a common password for Chinese threat actors to use the word Gucci. Now, I have no idea why. We find — I think at the time it was about 175, 200 devices that were affected.
JACK: Okay, so one thing you want to do in your investigation is just try to see if there’s a commonality of what firewalls are being exploited like this, and that might give you a clue as to what might be next or who’s behind this. So, they start looking to see where these firewalls exist in the world and for which customers.
CRAIG: Yeah, so this one was very much a target. The first attack was very much a spray-and-pray type attack. This was specific devices around the Asia Pacific area like Taiwan, Pakistan, places like Philippines, very much target, completely different to the first attack. We kinda found that this one had delivered payloads that had been used in earlier attacks as well. So, again, two Linux shell scripts. So, we were able to kinda connect it back to a specific actor. We had obviously seen these specific files and hashes on the device that we’d been tracking, and then eventually we see it being used. Now, what was kinda interesting about the way that we developed these is we’d kinda see them starting to work.
Now, obviously they’d be working Chinese hours. They work nine to five. We’d see them with amazing opsec externally, but the opsec they had on the box was atrocious. So, they would be, for example, working with crash dumps. You could set up the Sophos Firewall — if you ever had a kernel crash or a crash of any sort, it would e-mail you the crash logs to your e-mail address. Well, these guys would use their personal e-mail addresses. [Music] So, imagine, the actual firewall is registered to a completely anonymous person, and then we have linked e-mail addresses and Gmail addresses inside the firewall telemetry, ‘cause I guess it was probably quickest and easiest for them to grab the stuff from their personal mail, you know? It was super easy for us to OSINT exactly who these people were.
ANDREW: They start looking back in time at the telemetry that they collected and they discover that this was another bug that someone had submitted a bug bounty for and gotten payout on, and here it is being used in the wild just days after the payout happens. So, this is starting to get to be a pattern. The attacks are widespread. People are getting noticed about it. So, I get called in and have to decode how the whole attack works and do another flow chart similar to what we did with Asnarok to do the Baja attack.
JACK: These two names keep showing up again in their analysis of these attacks, which are gbigmau and TStark. These are the people who registered for trial licenses of Sophos Firewalls. They were in China, and the malware would show up on their device first, which would indicate this is where all this is originating from.
ANDREW: Well, one of the things that we can do — so, you got this telemetry tool that you could do basically wide-scale threat hunting within the firewalls themselves. So, you can do things like, okay, well, we recovered a piece of malware off of the very first machine that was — that belonged to a customer. Let’s see where else this malware exists on the universe of firewalls that are out there, and that was how they found TStark. So, TStark’s firewall was the first one where they found a copy of not just the same malware but the binary identical, the actual same file on this guy’s firewall, and it had been there for two months. So, he’d been experimenting with this piece of malware.
While the Asnarok attack was happening, he was basically planning the next one. In the middle of us dealing with the aftermath, they were already developing the exploit and building out the payload for that attack. Then the other thing that was really interesting was that we found a bunch of other stuff on this TStark guy’s firewall. His firewall had a bunch of malware on it that was designed to run on the Mac and on iOS, on iPads and iPhones. There is no conceivable reason why there would be a Mac executable on a — inside of a Sophos Firewall. It just — there’s no reason for that. So, that was an interesting find. We didn’t really understand what that was being used for, why that was there until much later.
JACK: Yeah, what was that?
ANDREW: So, this all happened in June. Starting around August, September, Sophos had started to communicate with other companies in the field, some of whom did forensic analysis, post-attack analysis for their customers. One of these companies is called Volexity. Volexity reached out to Sophos because they had a customer with Sophos Firewalls and they were called in to do the investigation on the Baja attack, and they had also discovered macOS and iOS software in their firewall, and Volexity came to Sophos and said, hey guys, is this — why is this here? We had no idea.
But it turned out — so, Volexity had figured out that the threat actors who were dropping these pieces of software on the Sophos Firewalls that they were investigating, that the owners of those firewalls were operating a charity that supports the Uyghur diaspora. The Uyghurs are an oppressed minority in China. They believe in Islam and they practice their faith, but they are strongly discouraged from doing so, and they’ve been put in prison camps and they’re — the story of the Uyghurs is outside of the scope of this podcast, but the point is that there’s really only one organization that actually cares about these two groups of people, about surveillance of these two groups of people, and that is the government of China.
JACK: During that time they kept a close eye on the activity of gbigmau’s firewall, and they would see it would just get infected with a new vulnerability, which was like the fourth zero-day vulnerability on the Sophos Firewalls. Zero-day vulnerabilities are ones that Sophos doesn’t even know exist. They’ve had zero days to fix this, basically. For me, this is the point where I suddenly see the scale of all this. The first attack was scary already, but four zero-days on a security device discovered and leveraged by the same threat actor? That is a lot of time and resources put into finding ways to attack Sophos products. This isn’t just a group of kids or even some kind of cyber criminal which is focused on making money. When someone can spend this much resources and time focusing on getting into a very specific thing and spend years doing it, that’s typically a nation state behind it. The skills and patience were so impressive here, which meant Sophos had a lot of work ahead of them to fix this.
ANDREW: Absolutely. You can imagine the amount of work that this spins up and the way that it kind of balloons out of control as you discover that more and more pieces of the open-source code base that you’re using are being exploited in different ways. Yeah, who has time for all of that? If all you’re doing is just fixing these patches, that could be a full-time job. But you’re also supposed to be building out a product that has new features and response to customer requests and all other things. So, yeah, at a certain point it just becomes oppressive, the amount of patching that you have to do and the analysis involved in that, and fixing the firewall takes just as much QA. It takes time to build things that don’t break, and these are critical — I don’t want to say they’re critical infrastructure, but they’re protecting critical infrastructure.
CRAIG: Yeah, in reality, we’re at that point that the Sophos Firewall itself needed some hardening. That part’s fairly clear. There was an internal mission going on where dev resources had been pivoted to trying to harden certain elements of the operating system and web portal to really help us.
JACK: That web portal. I’ll tell you, man, the more ports you have open, the more vulnerable you are, and if you have a web portal, you’re gonna have a million different ways to mess with that thing.
CRAIG: You are.
JACK: In my — when I was a firewall admin, I was very adamant about zero exposure to the internet. No SSH port, no web portal. Nothing is allowed. The internet should be — able to access this firewall. If you want to get to this firewall, you have to come at it from the inside.
CRAIG: Exactly, and I wish every firewall admin acted like you, Jack, but in reality we have people who just put the firewall on the internet and they put the web portal out there. There was some legitimacy around putting your web portal out there because you had the admin portal, which is separate to the web portal. The web portal was where users picked up SSL profiles and things like that.
JACK: I mean, it is wild to think that someone or some team out there is working feverishly to find vulnerabilities in your product, and then to have an implant on their firewall so you could watch them develop their exploits, and the threat actor had no idea there was an implant on there watching what they were doing. The Sophos team did a really good job at hiding it so it would be really hard for them to notice.
CRAIG: [Music] It was really well hidden. So, we did start to get some really good telemetry and start to know these guys. Honestly, we were really obsessed with it. It was almost like obsession ops. We would just wait for this telemetry to come in and then we would be all over it. We’d start to dissect what they were doing, how they were working, if they’d add any new IP addresses. We start to OSINT and we’d start to build a picture of who these people were. There were multiple threat actors that we were watching at any one time. It’s kinda funny because I often think that external threat intelligence is very much like — almost like astrology, infosec astrology, where people are kinda connecting a technique to a specific threat actor group.
Dude, we had names. We could tie them to companies. Then we could tie it to threat actor group attribution. It was a really weird situation we were in. We had visibility that was just unreal. I remember at one point we had seen one of the actors searching for a flat. So, we started to work out he was looking for a flat. He was a normal dude. He’s going about his everyday life, probably sitting there bored in the lab having to run the same test ten times, thinking, oh, I really need to sort my housing situation. We’re there building this picture of his life. Honestly, we were obsessed by it. It really became like obsession ops.
JACK: Yeah, because since Craig had control of the firewall in that guy’s lab, he could essentially see all the traffic going through it, which gave him a unique look into this person’s life. With these new insights and closely watching everything that was going on, the Sophos team were able to quickly create fixes for the vulnerabilities to minimize the impact as best as they could. Phew. So, with all of these vulnerabilities fixed, round two of this battle came to a close. Sophos had a lot of bruises, but I think they won the battle.
CRAIG: Yeah, that’s it for round two, but there’s several parts that are kinda useful. Number one, round two really validated our use of telemetry. It was the first time that we’d really used our implant. The other aspect of this as well is we had become really adept at finding these threat actor devices. So, we started to work out that obviously we identified this actor called gbigmau. But all in all, we were dealing with about seven different actors that we could see. Some of them were doing the same thing but in different locations. So, we kinda worked out quite quickly that they’re working for individual Chinese defense contractors because when you think about it like a government department, they’re not gonna duplicate the same work because effectively it’s always the same people working, where a defense contractor, everything is valuable to them.
If they’re the first to an exploit, that’s super valuable. So, what we found then is we found these multiple companies. One of the simplest ways we actually found it, funnily enough — and this sounds so basic — is that we would look at devices that would be continually going up and down firmware versions. These threat actor devices would constantly put the new, latest firmware on, roll it back, new firmware, roll it back. They’d do this, I don’t know, maybe five or six times a day. Whereas normal firewall operation, it’s like, it’s a new firmware and it’s left. Then in a month it gets new firmware and then it’s left. So, these things just stood out like a sore thumb. So, some of it came really easy to find these threat actors.
The more telemetry we had the easier it got. We started to really build a wide assortment of threat actors in China, the locations they had, and of course, their honestly piss-poor opsec that they had on the device itself just allowed us to start building out really quite wide profiles on them. Over this period we would start to really get an idea of how they were targeting things, and it was very much like seeing them do something, build an attack, know that this was coming, and having to wait for it to be deployed. [Music] If we went and pre-patched the devices continually, they would have noticed. They would know that the game was up. So, we kinda waited to understand what was happening. We’d wait for the first indication of deployment of whatever they were doing. I kinda run and patch it almost immediately. So, we had probably one of the craziest forward-going threat intelligence.
JACK: Oh, that’s crazy. Threat intelligence is simply the understanding of what threats you will face or have faced. This is why I think it’s really great having records of all attacks that your company has ever seen, because it’s incredibly valuable at helping you defend against future attacks. But in Sophos’ case, they knew exactly what threat was coming next and were 100% prepared for it the moment it would be seen. That’s really slick. That’s threat intelligence that’s on a whole new level. But even after two huge rounds of attacks against Sophos Firewalls and discovering four zero-day exploits on them, the war wasn’t over. The threat actors continued to develop more and more exploits for Sophos Firewalls.
ANDREW: Yeah, over time the threat actors were increasingly — they were targeting specific organizations or specific groups. They had identified who all of the customers were in those early attacks because they smacked all of the firewalls at once and grabbed some data.
JACK: Oh my gosh, I didn’t even think of that. So, if we back up and look at the way all this has progressed, first they hacked into Cyberoam only to get the source code for Sophos Firewalls, which gave them inside information to basically bug hunt. Then they infected 80,000 Sophos Firewalls with malware, taking all their configurations and information about the firewall itself, and then combed through that looking to see what targets are interesting to them, and now they’re being super precise about who they’re hitting. This campaign keeps evolving.
CRAIG: From 2021 onwards, it really pivoted towards a very sharp focus to discriminate attacks, really highly-targeted, hands-on-keyboard attacks against specific entities. So, for example, government agencies, critical infrastructure, research and development organizations, healthcare providers, everything from kinda retail through to military, even fine arts. Again, all focused in the APAC region.
JACK: Jeez, what a nightmare. I cannot imagine all these places getting hacked into through my security device. All these companies bought Sophos Firewalls to protect themselves, and it was that very firewall which allowed Chinese hackers in. Aah! At some point did you reach out to some of these victims to say, hey, I think the Chinese government is attacking you?
CRAIG: So, that’s one thing we did really extensively. Well, two things. One is we’d reach out to the customer. Again, it was — this was part of our philosophy of making sure that there was no further damage or no hurt. As well, we would reach out to either the localized law enforcement or if we had great ties to the local CERT or NCSC or whoever the local cyber authority was. Now, in the UK we had some amazing connections in the NCSC, and they would help us facilitate these connections out to all sorts of CERTs and bodies. They were incredibly supportive of us.
JACK: Yeah, I mean, what’s that call like to call up a government, a foreign government? I know you were just talking to the sysadmin there, but still; hey, you guys are getting hacked.
CRAIG: It’s pretty strange, you know? Not only that; when we sit there, obviously through translation, very often, explaining what we’ve seen and what happened and who we attribute it to. It’s a very strange experience, you know? Also, not as strange as calling up another firewall provider telling them that their box is being tooled over by a Chinese threat actor, and them asking us, well, how do you know? And not really being able to tell them how we know and why we know, but we definitively know. That’s a bit of a weird experience also.
JACK: At some point Cyberoam gets hacked into again.
ANDREW: [Music] Well, it turns out that the Cyberoam code is the predecessor to the XG Firewall code. So, Cyberoam was the company that Sophos bought, and their product became the XG Firewall. So, when — back in 2018 we’re talking about how the threat actors had stolen the source code. They were using some of that still to find additional vulnerabilities, and they found a vulnerability. At this point Cyberoam and the XG Firewall were in parallel operating, but Cyberoam was about to be phased out. It was about to be end of life. The threat actors found a vulnerability that allowed them to create an admin-level account on the box with just a SQL injection query that was pre-authentication.
So, they could just hit the SQL server that was running on the firewall from the outside and run a command that was able to get it to add a user with admin access, and then they could log in on any Cyberoam firewall or — that they wanted to with that credential, and there was no easy fix for it. Because the product was close to end of life, Sophos just decided to rush it to end of life and get everybody who was running a Cyberoam firewall to upgrade to the latest XG and put that one to bed, because it was the point where if we had to start tracking attacks against Cyberoam and XG Firewalls, that would have taken the entire — all of the entire team’s resources all the time. At a certain point it just made better sense to end of life the product early.
JACK: It does make me think, though, if they were trying to get into Cyberoam to get its source code, they were probably trying to get into Sophos’ network as well trying to get source code.
ANDREW: I mean, yeah, that’s an interesting thing to hypothesize about, but I have no idea about that.
JACK: You should say, no, Sophos Firewalls are so good that they’ll block those guys. Don’t worry.
ANDREW: [Laughs] Well, I don’t work there anymore so I don’t have to defend them, but I do think that Sophos did have — it did seem to have better security practices than Cyberoam did.
JACK: Wow. So, after the threat actors found an exploit in the Cyberoam product and were actively exploiting that, Sophos just decided to kill that product altogether. Now, Andrew tells us it’s because it was already on its way of being killed, but I don’t want to diminish the idea that a cyber attack can have the effect of killing an entire product line. That’s a pretty big deal if you ask me. Anyway, somehow the French authorities investigated the Cyberoam intrusion and publicly announced that the attack was carried out by APT31, just a Chinese state-sponsored hacker group. So, yeah, if it wasn’t clear by now, it should be. The Chinese government and military are the ones who are behind this attack campaign known as Pacific Rim, which has been going on for years at this point.
CRAIG: We started to see these actors working on more and more attack types, especially TStark. We found him working on a rootkit at the time. It was called libxselinux.so. We managed to capture it from his device, and it was like a customized userland rootkit. So, that was actually a real win for us. I remember feeling like, okay, yeah, we’ve really got a great view of what’s happening on these devices here now. Now, we actually grabbed these devices from the TStark device, but like a week later then, he’s got a completely new injection there, like a new vulnerability in WebAssembly, and it’s kinda unknown to us. Effectively what he was doing was he was — in this WebAssembly vulnerability he was injecting an iframe into the proxies; things move through there, and we found that this thing — I think it was about two weeks or so after we found it had actually been deployed in Tibet. Now, this was — we found this on this device in Tibet for an organization that was basically providing support to Tibetan exiles. So, he basically moved from ten days to deployment.
JACK: Yeah, and I can’t remember which — I don’t know who said it. I feel like the president said something like, a business isn’t going to be able to take fire from a Scud missile or a rocket launch. So, we can’t expect them to be able to take on attacks, cyber attacks, from nation-state actors as well. At this point you’re starting to feel confident that this is a nation-state attack on your company to — and at this point there’s five or six different zero-days that they’ve discovered on you. That’s gotta be some of the most heart-wrenching, gut-sinking feelings to say, okay, I don’t know how we’re going to ever stop this attack. This might go on forever. What is your response to this mentally?
CRAIG: Honestly, I remember at that point just feeling exhausted, you know? This has been months and months and months of us fighting these — what is effectively the PLA, for all intents and purposes. The truth is, who else helps these organizations? That organization in Tibet had nowhere near enough resource to be able to deal with this. They were lucky that Volexity had been doing some pro bono work there. We’d reach out and help them as well. But in reality, if it hadn’t been for our graces, they would have been stuck.
It really comes down to this weird intersection on the internet of lawlessness. There’s just so many areas that just are not covered with anyone. In the UK we have the Serious Organized Crimes Unit and we have the NCSC who protects us, and the US at the FBI and the NSA. Many countries just don’t have anything, and this is the part that actually surprised me the most. Who do these people call to? We felt like heroes, but in reality, who are we to deal with this? We’re kinda woefully under-qualified to deal with a threat actor of that level. This felt like almost a military operation.
JACK: Yeah, suddenly your War Room doesn’t feel so up to snuff, right? You’re like, man, we’re nowhere compared to their War Room.
CRAIG: Exactly, you know? I think that’s what surprised me, is we were really on the edge of what is effectively cyber warfare, and it started to really tip into that feeling with this. But it was certainly interesting, and as a whole, seeing that payload being delivered there and understanding the purpose, why they delivered the payload, having seen it being built on a device in Chengdu like ten days, two weeks previously, it was just one of those crazy moments of like, oh my god, we really see this soup to nuts.
JACK: Now, when Sophos would issue a hot fix or patch their firewalls, they would tell their customer what the update was for, like bug fixes for several security vulnerabilities. To learn more visit our knowledge base. But Sophos discovered that the threat actors, TStark and gbigmau, were also accessing Sophos’ site, logging in, and reading the knowledge-base articles, too, to see what got patched. They were reading exactly what Sophos had fixed and then developed exploits to get around those patches. So, the Sophos team had to get increasingly vague with what got fixed to avoid giving the enemy information.
I suppose that’s a form of counterintelligence, being very careful what information you give your enemy, but it kinda contradicts what I said earlier about don’t be evil, right? If you’re not being transparent and you’re hiding what it is you’re doing, then you might be evil. In this case they had to hide it because they didn’t want their enemies to know this. This is so difficult to navigate. At that point the threat actors understood how the hot fixes were working and what telemetry Sophos was collecting off these firewalls, and so they developed an exploit to disable the hot fixes and to stop the telemetry from going back to Sophos to detect which devices were infected, and they took extra steps to hide their presence.
ANDREW: The threat actors are developing exploits and they’re developing malware and they’re coming up with new techniques for breaking into firewalls. The implant is revealing all of that stuff to the security team. So, behind the scenes the security team is rushing into production hot fixes and patches for the operating system to fix these vulnerabilities before the threat actor even knows. Because they have this ability to send the hot fixes not necessarily to every machine but maybe to every firewall except the ones that the threat actors are using, they can fix the whole universe of firewalls except for the ones that the threat actor is using, and I think after you’ve tried to deploy your second or third or fourth attack and it just doesn’t work and you’re scratching your head because it works in the lab — look, I can show you; I demonstrated it to these guys in the higher ups at the company or whoever’s telling me to do this attack that it works.
But in the wild it suddenly doesn’t work. I think after two or three times of shooting blanks, you’re gonna start to wonder, hey, is there something else going on? They started to look at, well, what is this info — what’s a firewall collecting about us, and are we inadvertently revealing as bad guys to the good guys what we are about to do? So, yeah, so they start looking at telemetry. They start looking at log collection and process lists, and they’re trying to build out the capabilities to be stealthy. It’s maybe distracting them from building custom malware or developing new exploits, but they have to spend a little bit of energy on — it puts them on the back foot. For the first time I think this is one of the cases where you can say, yeah, there were some challenges and we had some bad days early on, but we’re forcing the threat actors to have to make moves to counter us. Actually, that feels pretty good.
JACK: This story just goes on and on. There was another rootkit found. This is rootkit number four, libsophos.so.
ANDREW: Yeah. So, libsophos was the very custom rootkit. It was able to — and again, yeah, deleting logs, delete — hiding its presence on the machine, trying to do everything as stealthy as possible, low volume of outbound communication, and persistence. They’re experimenting with everything. They’ve been — it seems to me that the threat actors have been given carte blanche to just try and experiment with all sorts of different things. So, during this period from 20 — late 2020 to the end of 2022 we’re seeing a huge variety of different payloads, of exploits. It’s bad. It’s bad out there. It’s kind of like the Wild West, and you never know where something’s gonna come from.
JACK: [Music] At some point they saw the threat actor was trying to develop a UEFI bootkit. This is malware which infects the firewall at the BIOS, before the operating system even has a chance to boot up.
ANDREW: If you can get a bootkit into the UEFI BIOS of a device, there’s nothing that you can do in userland of the operating system to remove it, because it’s running at a level beyond which the operating system cannot reach.
JACK: Yeah, a bootkit like this would remain on the system even if you deleted everything and reinstalled the entire operating system again, since it lives in the part of the computer which loads before the operating system loads.
ANDREW: This was actually kinda scary to find this experimentation happening on one of the threat actor devices. They were really trying to figure out if they could get this bootkit to run on a firewall, and they ended up bricking the firewall. It didn’t work, and after we discovered what they were trying to do, the Sophos engineers figured out how to change the firmware on the firewall at that low level so that it wasn’t able to run, and they implemented that in an update. But that’s the scariest thing on all of this. I think the UEFI bootkit malware on a firewall is the holy grail. It’s where you’ve got malware on a firewall. It can’t be removed.
The firewall has to be thrown in the trash. It’s scary, and we’ve already seen that there’s been other firewall vendors where their recommendation was unplug this box and put it in the trash, because it is not safe to use anymore. So, it makes me wonder, because we never get the details from other reports about what happened, whether this was successful with other vendors, and whether they were testing this with us and it just failed because we were watching them and stuck a wrench in the works just at the right moment and made it too much of a pain in the butt for them to keep trying, and they just moved on to the next guy.
CRAIG: This was very much the end of my involvement in this, because I actually left Sophos at this time and went to work for the company I’m currently working for now. But I mean, from that point I kept in really close contact with my colleagues who were there, and we were sharing intel as things progressed. But there were two further published engagements, basically one in May of 2023 and then one in March of 2024, and then it kinda came to a head, which actually kinda — was kinda disappointing in a sense for me, because I think very often that this stuff hasn’t stopped. The devices are significantly more secure now. Sophos put an inordinate amount of time, effort, and money into hardening the devices. I would actually hazard to say that they’re probably the one firewall company that actually is secure now.
In all seriousness, though, I think it’s one of those aspects of you learn from your mistakes, Sophos being incredibly open and clear about this. Kudos to them. Being open about it and publishing your mistakes and also publishing what we did and how we worked through this is super unique. You don’t see any other firewall company talking about this. We know for sure that this stuff was happening across a multitude of other devices. The truth is it’s probably happening right now to some other firewall providers. We just — they just don’t know. They don’t collect telemetry. They don’t have the hot fix mechanism that allows them to forward defend you, and — yeah, it’s an issue. It’s still an issue.
ANDREW: One of the actors involved in all of this — we talked about him earlier. His name is — he used the handle gbigmau. We eventually figured out his real name. We have pictures of him. The guy appears on the FBI’s Ten Most Wanted list today. His name is Guan Tianfeng, and he was the researcher at this company called Sichuan Secret…
JACK: Silence Technology Company.
ANDREW: Yeah, Sichuan Silence Technology Company Ltd. Right? So, this guy made it his career to break into firewalls and find vulnerabilities and then pass them off to people who would take advantage of them. For all of his efforts — he’s in his early thirties — he has a $10 million reward for justice bounty on his head, and he can never travel outside of a non-extradition country in the world ever again without fearing for arrest and extradition to the United States. It just makes me wonder if it really was worth it to him, because in many respects he seems like a nice guy. At one point he had his heart in the right place. So, gbigmau, in his early days of working in this field, used to post on message boards trying to get firewall companies to fix their stuff. I can’t imagine what happened to turn him to make him break bad in this way.
JACK: It actually says in the FBI’s Cyber’s Most Wanted poster that this guy hacked into 80,000 Sophos Firewalls. Just because I’m curious, I took a look at a few dozen other FBI’s Cyber’s Most Wanted posters, and strangely, I don’t see any other person listed for hacking into other security vendors. So, again, hats off for Sophos for taking this threat actor so seriously and getting them on the FBI’s Cyber’s Most Wanted list.
ANDREW: The story, as we published it, finishes in 2024 not because the attacks stopped but because at a certain point you just gotta put a pin in it and say, we’re gonna stop here because if we keep talking about this, it never ends, because the attacks have continued ever since. Nothing has stopped. If there’s anything to be said about this, it’s that the cadence has picked up. It has broadened its scope. We are seeing every security company in the industry in various ways targeted in very similar ways.
(Outro): [Outro music] A big thank you to Andrew Brandt and Craig Jones for coming on the show and telling us this incredible story of how Sophos got targeted by a Chinese state-sponsored threat actor. This story is dang scary to me since the playing field is so unfair; a single company versus a superpower like China, and not only that, a superpower that’s lawless and feels absolutely no shame from breaking the law. You’d think that after their main guy was arrested by the FBI they’d pull back and maybe apologize, but no, they increased their efforts and are hitting harder than ever against so many security vendors, too. Hey, I really want you to become a premium subscriber to Darknet Diaries. All I’m asking is for you to buy me a cup of coffee once a month. This is my full-time job. This is how I make a living.
If I suddenly stopped making this show, would you be sad? If so, then you probably find it valuable, and I hope you support things that you find valuable. If you become a premium subscriber, you get ad-free episodes, bonus episodes, and coming up later this year is a new podcast I’ll be releasing, and you’ll be the first to listen to it, because it’ll only be available to premium subscribers for a while. So, please visit plus.darknetdiaries.com to support the show. Thanks. This episode was created by me, the lead firewall offender, Jack Rhysider. Our editor is the port-knocker, Tristan Ledger, mixing done by Proximity Sound, and our intro music is by the mysterious Breakmaster Cylinder. I named my firewall Linebacker because it’s great at blocking and tackling. This is Darknet Diaries.
[End of recording]