Summary
Sophos discovered and responded to a sophisticated, multi-year cyber campaign by Chinese state-sponsored actors targeting its firewall products. The attackers exploited stolen source code from a 2018 Cyberoam breach to develop zero-day exploits, infect 80,000 firewalls, and conduct targeted attacks on government agencies and human rights organizations across the Asia-Pacific region.
Insights
- Nation-state threat actors can sustain multi-year, resource-intensive campaigns against specific security vendors, discovering multiple zero-day vulnerabilities and adapting tactics faster than traditional cybercriminals
- Transparency and radical disclosure of security incidents, while counterintuitive, enables faster threat mitigation across an industry and builds customer trust compared to silent patching
- Kernel-level implants deployed by defenders on suspected threat actor devices can provide unprecedented visibility into attacker development cycles, enabling predictive patching before attacks are deployed
- Firewall products exposed to the internet with web portals represent a critical attack surface; air-gapped management and zero-exposure architectures significantly reduce breach risk
- Supply chain attacks on security vendors (stealing source code) can have cascading effects across thousands of downstream customers, making vendor security a critical infrastructure concern
Trends
- Coordinated multi-vendor targeting: Chinese state actors simultaneously targeting Sophos, Cisco, Palo Alto, Juniper, Check Point, and Fortinet firewalls suggests systematic intelligence gathering on security infrastructure
- Shift from mass exploitation to precision targeting: Initial 80,000-device spray-and-pray attack evolved into highly targeted hands-on-keyboard operations against specific government, NGO, and critical infrastructure targets
- Exploit development as a service model: Evidence of 7+ separate Chinese defense contractors independently developing exploits for the same products suggests a fragmented, competitive intelligence ecosystem
- Defensive implants and counter-intelligence: Security vendors deploying stealthy monitoring on suspected threat actor devices to observe exploit development in real time represents an emerging defensive paradigm
- UEFI/firmware-level persistence as holy grail: Threat actors experimenting with UEFI boot kits indicates evolution toward hardware-level persistence that survives OS reinstallation
- Telemetry as a double-edged sword: Vendors collecting device telemetry enables threat detection but also creates privacy concerns and potential backdoor risks if vendor infrastructure is compromised
- Geographic targeting patterns: Attacks concentrated on the Asia-Pacific region with specific focus on Taiwan, Pakistan, the Philippines, and organizations supporting Uyghur and Tibetan diaspora communities
- Operational security failures reveal attacker identity: Personal email addresses in crash dumps, firmware rollback patterns, and housing searches provided attribution clues despite sophisticated external OPSEC
- Bug bounty timing anomalies: Suspicious correlation between bug bounty submissions from China and simultaneous in-the-wild exploitation suggests potential intelligence coordination
- Vendor transparency as competitive advantage: Sophos's public disclosure of attacks and response mechanisms elevated its security posture perception versus competitors who remained silent
Topics
- Zero-day vulnerability exploitation and discovery
- SQL injection vulnerabilities in firewall web interfaces
- Kernel-level rootkits and persistence mechanisms
- UEFI/firmware-level boot kit development
- Hot-fix deployment and remote patching mechanisms
- Kernel implants for defensive monitoring
- Domain seizure and law enforcement coordination
- Threat actor attribution and OSINT techniques
- Supply chain attacks on security vendors
- Firewall architecture and network segmentation
- Telemetry collection and privacy implications
- Nation-state cyber warfare tactics
- Incident response at scale (80,000+ devices)
- Web shell deployment and remote access
- Exploit development workflow observation
Companies
Sophos
UK-based cybersecurity vendor whose XG firewall product was targeted in a multi-year campaign by Chinese state actors...
Cyberoam
Acquired by Sophos in 2014; its firewall source code was stolen in a 2018 breach, enabling threat actors to develop exp...
Cisco
Firewall vendor observed in threat actor lab alongside Sophos devices, indicating simultaneous targeting by same Chin...
Palo Alto Networks
Firewall vendor observed in threat actor lab alongside Sophos devices, indicating simultaneous targeting by same Chin...
Juniper Networks
Firewall vendor observed in threat actor lab alongside Sophos devices, indicating simultaneous targeting by same Chin...
Check Point
Firewall vendor observed in threat actor lab alongside Sophos devices, indicating simultaneous targeting by same Chin...
Fortinet
Firewall vendor observed in threat actor lab alongside Sophos devices, indicating simultaneous targeting by same Chin...
Netgear
Home networking vendor whose devices were redirected to malicious update domains; failed to detect exploitation despi...
Linksys
Home networking vendor whose devices were redirected to malicious update domains; no public disclosure of compromise
Sichuan Silence Information Security Technology
Chinese defense contractor employing threat actor G Big Mao; engaged in firewall vulnerability research and exploitation
Volexity
Forensic analysis firm that discovered Mac/iOS malware on Sophos firewalls and identified targeting of Uyghur diaspor...
Netcraft
Current employer of Andrew Brandt, principal threat researcher who investigated and published findings on Pacific Rim...
People
Andrew Brandt
Led research and public disclosure of Pacific Rim campaign; investigated Cyberoam breach and Asnarok/Baja attacks
Craig Jones
Senior Director of Information Security at Sophos during Pacific Rim campaign; led incident response and implant depl...
Jack Rhysider
Podcast host who interviewed security researchers and synthesized the Pacific Rim campaign narrative
Guan Tianfeng
Chinese state-sponsored actor (handle: G Big Mao) who led exploitation of Sophos firewalls; now on FBI's cyber most w...
T Stark
Threat actor handle used by Chinese state-sponsored developer observed building rootkits and WebAssembly exploits on ...
Quotes
"The amount of effort involved in pivoting from this to this to this to get into this. And then to build this like backdoor that allows them access. It's amazing to me."
Andrew Brandt•Early in episode
"There were two or three actors working together in different consoles. And one of the things they did, which was kind of funny actually, was that they'd gotten hold of a secure shell key. And one had obviously copied it. And another person was trying to type in the password for it."
Craig Jones•Mid-episode
"If you could put a hot fix in, can you see the password? Can you see the connections? Can you come in and do other work? Could you do things that the NSA wants you to do and go and spy on this customer or something like that?"
Jack Rhysider•Hot fix discussion
"We were really obsessed with it. It was almost like obsession ops. We would just wait for this telemetry to come in and then we would be all over it."
Craig Jones•Implant monitoring phase
"It's one of those aspects of you learn from your mistakes. Sophos being incredibly open and clear about this. Kudos to them. Being open about it and publishing your mistakes is super unique."
Andrew Brandt•Closing reflection
Full Transcript
Hi, I'm Jack Rhysider, host of the show. Back in 2018, an interesting cyber attack took place. It's kind of a funny thing. I mean, it basically came onto my radar the second month I was working at Sophos. Oh, I should introduce you to Andrew. Yeah, so I'm Andrew Brandt. And throughout the time the research was going on for this story, I was a principal researcher for Sophos. But I am now a principal threat researcher for a company called Netcraft. So one of the things Sophos wanted Andrew to do was research novel threats and write about them on their newly established Sophos blog. The team that I was on eventually didn't exist. I was the only person on it. And one of the analysts reached out to me through the company chat and said, hey, I've got a great story for some really cool research. I'd like to write it up and have you publish it on the blog and do some edits on it. I said, great. Tell me more. And he told me the story. But the one thing he didn't tell, or what he said he couldn't tell me, was who the target was. So he's like, OK, fine. Send me what you got. Let me research it and I'll write about it. It started with a TV set. So there was a sales office and they had a bullpen, like you have in a lot of sales offices where people are on the phone trying to sell the product. And so they had this leaderboard that was on a computer screen that was running off a little Linux computer. And that was the first machine that got infected. And the threat actors managed to pivot from that Intel NUC, which is like a tiny little computer that's small enough to mount on the back of a TV monitor that's hanging on the wall, that they were able to pivot from the NUC and find access to the repository where the source code was and then get into that. And then to do the Cloud Snooper attack on that cloud service where the source code was. It's just mind boggling to me. Like the amount of effort involved in pivoting from this to this to this to get into this. 
And then to build this like backdoor that allows them access. It's amazing to me. Oh, the attackers got access to the source code. But why? Was this an insider trying to seek revenge? Were they stealing it in hopes to sell it to someone? Did they steal it so that they could copy the product and steal their intellectual property? At the time, nobody knew what their motive was.

These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Darknet Diaries. This episode is sponsored by ThreatLocker. If you've listened to Darknet Diaries for a while, you've already heard of ThreatLocker. I've talked about how they lock environments down, deny by default, zero trust, all of it. But the problem they were solving changed because attackers changed. They don't break in like they used to. Now they just log in with real credentials, real sessions, nothing that looks out of place. Once they're in, they're treated like they belong. So ThreatLocker took what they already were doing and pushed it further with their zero trust network access and zero trust cloud access. Now access isn't just about logging in, it's about the device, the connection, and whether any of it should be trusted at all. If you want to see what zero trust looks like when it's done right, go to ThreatLocker.com slash Darknet. That's ThreatLocker.com slash Darknet.

This episode is sponsored by Meter, the company building networks from the ground up. If you employ and work with IT engineers, you're going to know how hard it is for them to do their job well. What your business needs is performant, reliable, secure networking infrastructure. But what you get is IT resource constraints, unpredictable pricing, and fragmented tools. What you and your engineers need is a modern platform you can all trust to support your business. Enter Meter. Meter delivers a complete networking stack, wired, wireless, and cellular, in one solution that's built for performance and scale. 
Alongside their partners, Meter designs the hardware, writes the firmware, builds the software, manages deployment, and runs support. That means less time your employees spend writing to multiple vendors and more time working on and improving your IT systems. Meter's full stack solution covers everything from first site survey to ongoing support, giving you a single partner for all your connectivity needs. Thanks to Meter for sponsoring this show. Go to Meter.com slash Darknet to book a demo now. That's spelled M-E-T-E-R. Meter.com slash Darknet. And go book a demo.

So hackers broke into a company and copied the source code for that product. So we managed InfoSec there for a while and candidly, too, it was the type of network that was in the process of being brought over to a set standard. This is Craig. He helped clean up the intrusion. So my name is Craig Jones. I'm the Chief Security Officer of Antinu. But several years ago, I was actually the Senior Director of Information Security inside Sophos. I mean, if you don't know Sophos, we're a UK-based cyber security provider that has everything from kind of EDR, MDR, and through into firewall products. And at the time, they had three different firewall products, one being Cyberoam, the other one being a German-based firewall provider, and the new Sophos firewall product. So essentially, they were collapsing two products into one, and the new one being Sophos firewall. Yeah, Sophos' main product is their firewall. This is a network device that will act as a wall between a protected network and an unprotected one. Out of the box, nothing is allowed to pass. You have to tell it exactly what you want to allow through, because the point of a firewall is to stop unwanted traffic from coming into your network. And believe me, there's a lot of unwanted traffic that's always trying to get into our networks. And in 2014, they bought another company called Cyberoam, which was also making an interesting security product. 
That product, we were flattening that product to make it into something helps. Like Cyberoam was very much purchased to be the development house for the new Sophos firewall product. There's some super hot developers there. And it was this newly acquired Cyberoam network which was the victim of this attack. Someone had gotten into Cyberoam and was looking for their source code and found it for one of their products, which Craig and his team had to go clean up that intrusion. There's some really cool stuff that those actors did. There were several points where I sat down and thought, damn, these guys really know what they're doing. I think for me, there was one where they'd actually attempted to intrude the network in several different ways, mostly at the same time. And what was really interesting about it is we could tell that there were two or three actors working together in different consoles. And one of the things they did, which was kind of funny actually, was that they'd gotten hold of a secure shell key. And one had obviously copied it. And another person was trying to type in the password for it. And we could tell in the logs that they were mistyping the password. And the person who'd obviously taken the key had obviously tried to relay it on to another person. And they were mistyping this thing. And it was kind of crazy. You immediately knew then that this wasn't just like a dude. This was a serious operation. The attackers had really unique methods for getting in, not methods that were publicly known at the time. Super sneaky and crafty ways to get into a network. And they got in through multiple ways. And then when they got in, they were able to move laterally in really unique ways too. So unique that the Sophos team had no idea that stuff was even possible. It was like exploiting bugs in the way AWS handles identity. One problem though is that they didn't have enough monitoring at first to know exactly what these hackers saw or took. 
They assumed because they got access to the repository with the source code that they took the source code, but they were unsure. So they had to enable a lot more logging and monitoring to fully eradicate them from the Cyberoam network. Andrew wrote this attack up because it was so interesting and new and published it on the Sophos blog, but didn't say who the target was. Yeah. So flash forward, two years go by. It's now 2020. You know, we now have the team up and running. I've got a couple of people working with me. We're publishing a few blogs a week. And I find out from internal people within the company that there's a security incident. And the security incident started with a tech support call where someone sent an email to their support technician and said, Hey, my firewall is showing this URL in the user interface and I didn't put it there. And I don't know why it's there. Hmm. It sounds like a minor problem at the surface. This firewall had a configuration which showed what IPs are allowed to access it and manage it and configure it. And a strange URL was showing up in that list of IPs. It didn't make any sense as to why it was there or why anyone would ever even put it there. So Sophos has a firewall called the XG firewall. At this point, it was just called the XG firewall. And the firewall has its own operating system. It's running a version of Linux in it. It has a UI that's running on the front of it so that you can manage it. At the same time, someone outside of Sophos submitted a bug into Sophos for this same issue. I think it was April 21st. They had to, well, we actually had an external bug bounty report of a SQL injection. And what was kind of weird about it was, you know, they, I remember the user actually claiming to be from Australia, but they had a Chinese name, you know. Now at the time, we didn't have amazing telemetry from any of the Sophos firewalls. 
We had kind of base telemetry which gave you like, it was really designed for product managers to understand what features that, you know, users were using. So they understood where to put their kind of limited resource time into, right? Well, so we had that and we had a really good idea of like, you know, where all of the serial numbers for these devices sat and their IP addresses associated. So it's always kind of interesting to correlate the IP with the intended location of the researcher. So we got our researcher's devices, one that had never been turned on before, which was pretty suspicious, you know, had never been registered. It was a serial number that had just come from a web trial of a VM. And we find the IP actually related back to Chengdu in China. Okay, odd. Someone from China with a trial license of the Sophos firewall found this bug and reported it to Sophos. And Sophos did in fact pay the bug bounty for this. It was about $10,000, I think. Someone got paid a pretty penny for reporting this bug to Sophos at almost the exact same time that they were seeing it being exploited by devices in the wild. Strange timing. We called it Asnarok. So the team investigated this bug further. It was present in the front end web user interface of the firewall. To configure this firewall, you can use a browser and access it that way. Well, the web UI of this firewall had a SQL injection vulnerability in it. Basically, in one of the form fields of the firewall, like maybe the username field or something, an attacker could enter in some commands there, which would glitch out the user input handling mechanism of the firewall and allow the attacker to inject their own commands into the database of the firewall where the configuration sat. And this was a really bad bug for Sophos to discover. Their devices are supposed to be blocking hackers from getting into the network, yet it's the vulnerable device which is allowing hackers into it. This is not good at all. 
And they found that essentially every firewall that was facing the public Internet was affected by this bug. These firewalls weren't just vulnerable. They all had been hacked into, exploited. Someone probably scanned the whole Internet looking for these particular Sophos firewalls and then ran some kind of automation script to go infect them all. We kind of worked out that there were a huge amount of devices affected. I think in the FBI report that came out on this, I think they mentioned 80,000. I'd hazard a guess that it's probably more, you know? Oh, God, 80,000 Sophos firewalls hacked into. But just because someone put a URL in a place where it shouldn't be, that's not all that damaging just by itself. So the team investigated what that URL did and that's when they started to panic. The URL would trigger a GET request in order to update the Sophos firewall itself. But what was really weird about it is that it was a wget to a domain called sophosfirewallupdate.com. And Sophos didn't own that domain. So it tried to blend in like it was supposed to be there and it fooled many of the people even at Sophos who just figured the update domains changed. But my goodness, this meant suddenly 80,000 firewalls were looking somewhere else for updates and not to Sophos? And it's kind of strange because we actually monitor all domain registrations. That's kind of part of our core security ops function. So every single cert that was registered, every domain that was registered, we kind of pop up and anything that infringed on Sophos IP, we attempt to pull back. And it was one that had popped up like a little while ago, but nothing had kind of come of it. Actually seeing this thing in operation was quite jarring. And I don't know if you fully understand what this means. If a malicious actor is able to send your firewall software updates, then they can put in whatever they want. They can give themselves full access to the firewall or they can log all traffic going through it. 
They can poke a hole in the firewall and let themselves right into your network. And then from there, they can just infect your whole network with ransomware. The thing that is supposed to block unwanted traffic is no longer blocking anything if the attacker wants it that way. Not only that, Sophos was worried that they had lost capability to update any of their firewalls properly. Yeah, so effectively what they could do, I mean, the truth is anything, what they really were after was system configuration and passwords. Now, I've always suspected that this was something that they expected to run quietly. For them to kind of pull that configuration, the passwords quietly. And then for them to kind of delete any presence they ever had on those firewalls. And then for them to have a really easy and simple access campaign. Jeez, so the attackers took copies of the configurations from the firewalls and then passwords from it? This was a pretty darn scary event for the Sophos team to handle. So it was very much like an incredibly tense situation where we first had to get a hold of one of these devices. We set multiple teams up to work out what happened. And to really do some in-depth incident response on this, we're incredibly lucky. We had the entire arm of Sophos Labs to help us kind of reverse engineer this stuff. Okay, step one, fix the bug that made these things vulnerable. And step two is get the bug fixed on as many firewalls as soon as possible. They were able to complete step one pretty quick, but step two was a little bit more tricky. If you buy a firewall, whether for your home or a large enterprise, typically you've got to update it yourself. Just like how you have to do your own software updates on your phone or computer. And Sophos firewalls are no different. The customers are the ones who have to issue updates for this thing. But to Sophos, this was too critical of a bug to try to tell 80,000 customers go update your firewalls. 
Because I'm just guessing that like less than 50% of them would do it in the first month. There's just not enough time or it's not a high enough priority for them to fix it. So Sophos decided to do something they've never done before. They pushed out a hot fix to these firewalls. A hot fix is like a little software patch that can run in real time. They can live update all the firewalls remotely with these hot fixes. It doesn't require the firewall to reboot to be enabled. And they felt like they had analyzed the attack and figured out exactly how the threat actors were, you know, leveraging their access. And they closed those loopholes with the hot fix. This was the first time Sophos ever issued a hot fix to one of their customers' devices. Now they had built the facility to do hot fixes and they had not really used them before this. So there had been no real reason to do it. But I think they had built in the capability to do these hot fixes anticipating that there might be an opportunity to use it if there was something that was a real problem. And it was fortunate that they had rolled this out in the previous firmware update that, you know, just before this attack had taken place. Yeah, I think this is a really big deal. Like it makes me wonder if there's language in the small print of the terms of service that says Sophos reserves the right to make configuration changes to your firewall or update it whenever they want. I think that's what's important as well is like this isn't something that's just kind of done. And it's not something that's done really nearly, you know. And you're right. I mean it does feel kind of offensive. Someone coming in tampering with my stuff, you know. But effectively it's written into the EULA, like the end user license agreement. And candidly you kind of need this. And I think that's where a lot of firewall providers actually fail is the fact that they rely on end users to patch everything. 
And candidly so many firewalls are just bought and they're never updated, you know. Gosh, I really don't know where I stand on this. I was a firewall admin for my previous employer for 10 years. Those Cisco firewalls were my babies. I knew everything about them. I would review every single change that ever took place on them. And I don't think I would like it if Cisco just decided to patch them one day without my consent. Like some were in hospitals that were mission critical and some hadn't been patched for years because they were so finicky and any change to them would just make them wig out and crash. And when I had to update them, I wouldn't do them all at once in one big swoop. I'd do them one at a time and hold their hand and make sure that nothing broke after the upgrade. And everything came back up as expected. So if a security vendor just slapped a hot fix on all my firewalls that I was in charge of, I would freak out. What? We did not get approval for this change. We aren't in a maintenance window. We don't even know what changes you made to the firewall or what's happening. How can you just come into our devices and make changes without us knowing? I would be upset. Like I wonder, did the Sophos team get approval from their lawyers before issuing a hot fix to their customers like this? Is this even legal? Yeah, I mean, that's a great question. I was not privy to those discussions. But I'm sure there were discussions like that about what is our legal liability? What are we allowed to do and not do remotely on these devices? I believe ultimately the decision was made. And I'm not sure if there were lawyers consulted on this or not, but it made a lot of sense that the harm of allowing the firewalls to basically try to ransomware the inside of networks was probably greater than the risk of somebody complaining that, oh, you made a change to my firewall without telling me first. So they just went ahead and did it. 
Yeah, I mean, I think not only that, but it's like this idea that the vendor can come in and change my device. And in any way, it's not just like crash logs that are being sent to it. It's, wow, what else can you do? If you could put a hot fix in, can you see the password? Can you see the connections? Can you see, can you come in and do other work? Can you update to different firmware that has malware on it or something? Like, could you do things that, you know, and, you know, you start, your mind starts going, like, could you do things that the NSA wants you to do and go and spy on this customer or something like that? Right. And so when you're a firewall admin, you're like, no, I have to make sure that no other person on the planet can access this, but me and other people on my team, because you can't risk some, like, a back door. But it's basically a back door that you had. Yeah. That's entirely accurate. And you're not wrong. And these are devices that are typically placed in a position in the network where they act as the barrier between the outside and the inside worlds of your networks. And I recognize that that is a risk. However, and it is also worth noting that this is exactly what the bad guys were doing at this moment. They were installing malware inside the firewall. So how do you fix that? I could just imagine the headlines at this point. And just, I don't, I don't, my question is, did any bad news come out to be like, Sophos found vulnerable, tens of thousands of customers impacted, huge vulnerability, hacker has complete control over their firewalls, patch immediately? Like that could make the stock tumble. That could, you know, really hurt business. Yeah, I mean, it could. And that was one of the reasons that I was brought in basically on day zero of this happening. The company realized that they had a public, a potential public relations nightmare on their hands. 
And they needed to communicate as openly and as forthrightly as possible, everything that they knew and everything that they were doing to fix it. And, you know, credit goes to the people, you know, in leadership at the company who decided that, you know, possibly against the, you know, conventional wisdom at the time, that they were going to go public with, with everything we knew about this attack. It was not a common thing at that time. But as I said, you know, I've worked for a long time doing this kind of, in this kind of role where I do investigations and then, you know, publish about them to the public to warn people about bad things that are happening on the internet. And it's been my experience that the more information that you get out, the better protected people are. And that being radically transparent benefits everyone. It helps the customers who are affected. It also warns the public that, like, hey, this is something that you need to be aware of in the future. And it might also put the threat actors on notice that, hey, we're watching you and we're taking action to stop you. As the Sophos team investigated this more, they learned that whoever did this attack had to have really in-depth knowledge of Sophos firewalls. Like, there's no way they should have discovered this bug unless they had access to the source code, which wasn't publicly available. And that's when the pieces started clicking into place. The part of this firewall that was vulnerable was code from the Cyberoam firewall that was moved over to the Sophos firewall. And two years before this, as you know, there was an attack on Cyberoam. And what server did the attackers get access to? The one with the source code for their firewall. So they started to think, holy crap, this is a very serious threat actor who's been attacking us for years. 
They spent tons of effort getting into Cyberoam's network to steal the source code, only to study it for bugs and then launch a massive attack on our Sophos firewalls. Whoa, what do we even do with this information, to think your products are the target for a major cybersecurity campaign like this? This is starting to smell like a nation state actor is behind this. Who else has that much time and resources? And what the heck was the deal with someone from China submitting this bug the exact same time that Sophos discovered this? Very strange. One of the things that we've been kind of working on, but even before this situation was, you know, pulling in our telemetry, our firewall telemetry, the kind of basic telemetry I was talking about earlier, into Splunk. And I remember talking to Mark, who was just this amazing Splunk engineer in my team. Like I said, well, can we go back on that data? Like, can we find out like when this first started, because I couldn't quite work out the exact moment in time or the first firewall that was hit by this, this Asnarok attack. And then I went back up, how far does that data go back? And then Mark said, well, actually, I think I've got like three months' worth. So we kind of rolled this thing back three months. And there's one single device that had been hit like a month or so beforehand. Like sometime in February, if my memory serves me right. And it was just really strange. So it was kind of registered to like a Chinese 163 address on it. So again, in Chengdu, Chengdu, China again, that's where the person who submitted the bug was from. So they took this firewall. And again, this one was running a trial license, which was actually just a software based firewall running in a virtual machine. And it's a virtual machine because Sophos isn't allowed to sell their firewalls to China due to export controls. So really, nobody in China should even have a Sophos firewall. 
Their suspicion was that the attackers were using this virtual firewall to develop and practice their attacks against, and then unleash them against the world. Because Sophos has the ability to run in a virtual machine with trial licenses, they can just spin one up real quick, try attacks on it. If they mess up the firewall, they can just reboot it, take it down, and bring a fresh one up in minutes. We found this trial license. And we could also tie it to a 163 address and a moniker that we called G Big Mao. Okay, interesting. They looked up who registered that trial license. And this gave them an IP address, a username and an email address. The username was G Big Mao. So now you pivot on that name. What other Sophos products has G Big Mao downloaded? We can pivot on him. We found that he actually started to experiment with this, with this database or SQL injection like our mother so go. And we found then, looking at his IP address again, we had phenomenal telemetry here, that he was looking at different knowledge base articles around our kind of previous CVE issues. He was looking through our forum system to look at maybe other potential issues or places that he could maybe pivot and work on. Then they took a look at his email address and wondered, has this email address been used anywhere else in the world? So they do some OSINT investigation to see if this email is known anywhere else. And we find that he was an actual firewall researcher. And he published like a number of different like vulnerabilities. We could see him on kind of Linux boards, you know, publishing various different router vulnerabilities up until about 2018. And then he went silent. And he'd been really, really busy up until like 2018. Now we kind of found out that he was working for a company called Shenzhou Silence Information Security Technology. Mostly because doing some extra OSINT, we found that his username appeared in many like Chinese hacking groups and lots of CTFs. 
So like capture-the-flag type events where he'd been registered towards this company as well. So we found kind of corroborating evidence from a couple of different places that this was the same guy in the same company, you know, again, located in Shenzhou in China. So we found a really clear picture of who this person was. Now his external OPSEC was pretty good, you know, like you would not have been able to find him that easily. But because we could see the internal telemetry and get the license information, kind of connect the dots, we could actually pin these devices to him and his usage. But what we had to do at that point was find out more about these devices that were being used for research. We found that from the limited telemetry that we started to gather with the first hotfix. But what we realized is we actually needed more, like we really needed more detail, faster detail, to like a greater depth to understand what these guys were doing. So we developed a kernel implant in-house. A kernel implant, that's a nice way to say it. I guess when the good guys make it, it's called an implant. But if the bad guys were to make it, it would just be called malware. But essentially a kernel implant is a hidden piece of software that they developed to sneak onto their firewalls to covertly and sneakily spy on what the firewall is doing. Yeah, so there's a lot of interest within the company. Well, we know that there's these firewalls that have been registered to people who have non-corporate or non-enterprise level email addresses, like free webmail addresses. The firewalls are checking in all from Chengdu. We know their serial numbers. So we know the exact count of the number of firewalls that are being used in these places. And we could see from some of the log telemetry that the threat actors are running commands that are testing how these exploits are going to work. But we don't have the exploit code itself. 
So the security team decides they're going to build something that they just call the implant, or sometimes they call it the kernel implant. And it's a small ELF binary that gets distributed only to the machines that they are specifically interested in taking a closer look at. So these machines that they believe are being operated by threat actors, where they're doing these commands that are way outside of the boundaries of normal firewall behavior. And these things are capable of doing more than just sending log entries. They're able to pick arbitrary files from the file system on the firewall and send those files back. So that was how, in some cases, the team started throwing these kernel implants onto some of these firewalls that we could see were being used to do this experimentation. And they were retrieving all sorts of very malicious and pretty dangerous files that were being dropped on these machines by the people who were developing these exploits and were testing them out in advance of attacks. Wow, that is wild. This is going to take me a minute to fully grasp. Sophos developed an implant and sneakily put it on one of their customers' devices to essentially spy on them. Is that going too far? To call it malware is kind of a misnomer. I'm not going to defend the overall argument here, but I will just say that there is nothing malicious about wanting to know what someone who is doing malicious things with your product is doing. It's an ethical gray area. I've got to caveat this with: we only ever deployed this to devices where we would be absolutely certain that they were a threat actor device. And not just threat actor controlled, but threat actor owned. This is where they're doing their research. Exactly. So number one, we never deployed it to any properly licensed devices. The second part is we only ever deployed it to Chinese devices. We just didn't sell firewalls in China. 
Unless you're a company, maybe bringing one from external, there's no real reason for you to actually have one legitimately in China. So under the EULA, we could take steps to protect the firewall and gather intelligence. And that's covered clearly under the EULA. So that's what, you got 40 people in the room. The lawyers must be in there too. Like, are we allowed to hack into these devices that we think are owned? That was such a serious conversation we had. Yeah. I mean, it wasn't just a small one either. I don't think people have ever done this before. We sat there debating this thing for hours, and really hours, because there's some serious ethical challenges around this. It's not, but what happens if we find the guy, we record him, we see him doing it, and we send it through to law enforcement, like a wee facility. There's so many crazy things that we discussed there. Yeah. It's a conversation that I never thought in my entire career that I would have. Yeah. I mean, candidly to you, I never thought legitimately in my entire career that I'd ever work on a kernel implant either. But it was certainly interesting. Well, I've never heard of a security vendor doing anything like this. Adding in stealthy secret implants to spy on their users, in my opinion, spyware is malware. And gosh, before hearing all this, I would have said, that is going too far. But now, not sure. My ethics are really being challenged here. And again, I had amazing access to just quite incredible engineers. They built this kernel implant that allowed us to basically move Sophos firewalls from like a normal update path to like a specific update ring. And we would then deploy this specialist kernel implant in a normal update. And you just wouldn't see it. But what it allowed us to do is like grab anything we needed from the device. So for example, things like files, if there were any updates, it would kind of record anything that was kind of written to specific writable directories. 
And it would start to give us a really good idea of what they're doing, what they're writing, why they were doing it. But some of the really cool things that we actually got from it were quite unexpected. So for example, we started to pick up on the devices around the firewall. So we'd, you know, capture all the MAC addresses of devices connecting to this firewall. We'd also capture MAC addresses of things also sat in the network alongside the firewall. And then we suddenly realized that actually this is, this is huge. This isn't just like Sophos firewalls. We've seen other vendors' devices on the same subnet alongside the Sophos firewall, you know, they were looking at all sorts of devices. You could probably pull from the top of your head, thinking about things that have been attacked in the past couple of years, the devices that were in the rack alongside that Sophos firewall, you know. Oh, wow. So the firewalls that come to mind for me are like Cisco, Palo Alto, Juniper, Checkpoint, Fortinet. And he says he saw other vendor firewalls set up alongside their firewall in this threat actor's lab. Now, just being the, you know, person who's telling this story of what happened, we were observing, you know, in the world, not just Sophos firewalls, but every firewall vendor getting hit with zero days. There are customers being, you know, attacked in various ways. And there being no way to resolve this and certainly no way to anticipate it. Now, whether or not other companies are doing the same thing, no one else has disclosed that. But I don't think it's outside the realm of possibility to think that maybe some of them were. Oh man, this is now tugging at me in new ways. If every firewall vendor is getting hit with the same type of attack, and Sophos is the only one being transparent about what they're seeing and what they're doing to mitigate this, then yeah, I give them a lot of credit for that. 
Here's the test, I think, for whether your company is evil or not. First, it has to be transparent to its customers. Let them know exactly what kind of configuration changes, updates, or spying, or data collection you're doing on your customers' devices, and in what circumstances, and what it's being used for. And second, be proud of whatever it is you're doing around that. If you're a company which is making changes to the customer's products, but then not telling them and secretly adding spyware, but making it so top secret that not many people on your team even know it exists, then I think you might be evil. If you're afraid to let the public know exactly how you operate, because you think it's going to look bad on you, or maybe because you think it's not even right, then either stop doing it or go public with it. And Sophos came to the conclusion that while this is not an ideal situation, this threat is novel and sophisticated in ways nobody has ever seen before. And not only that, whoever was doing this, they're being unethical themselves. So Sophos had to deploy a novel and sophisticated approach to defending their device. And while it's not pretty, at least they came out and told us about it through Andrew's blog posts. And they're basically saying, hey, we're in the middle of a nasty street fight here. And the gloves are off until we can neutralize this threat. And again, I give them a lot of credit for that. Nice job. So at the same time, they were developing this implant to eavesdrop on the hackers. They were also in the process of studying those domains which were found in the exploited firewalls. The hackers pointed all the firewalls to two domains to get updates from, which were not owned by Sophos. Yeah, well, there was, there was sophosfirewallupdate.com and sophosproductupdate.com, which were registered at different registrars and hosted in different IP spaces. 
But because they were, they both had Sophos in the name and they were part of this attack, Sophos went to ICANN and did the domain name seizure process on those domains so that they could pull those down and start to, they wanted to sinkhole all the domains and see what was connecting into them. How do you seize a domain? Well, with lawyers and money. And, you know, it's a really serious thing, you know, like attending court in Delaware, I think it was, you know, remotely. Because at the time, don't forget that this is the thick of COVID. Geez, that's another thing that's wild to me. The fact that you can take over someone else's domain, if you can prove that you're the one who's the rightful owner of it or should be owning it, but they gave enough reasons to the courts who then demanded that the domain registrar give Sophos control of the hackers' malicious domains. The server used by the threat actor actually sat in the Netherlands and it was one of these bulletproof, like, hosting providers. So we were super lucky that, you know, through the NCSC in the Netherlands, they were kind of an intermediary with the kind of Dutch national high-tech crime unit. And once we kind of realized how this was panning out, the Dutch national high-tech crime unit just jumped on this. And they managed to get hold of this C2 server, so the actual physical Linux box. I guess it wasn't bulletproof then, huh? Yeah, this is the thing, you know. So they managed to get hold of it. And I mean, we were super keen to... So how does that happen? You convince the Dutch authorities, so you're just a company in the UK, you're just like, hey, we make this product. You can't just call up the Dutch police and say, go get that server, we need it. And then they're like, we're on it. Well, yeah, I mean, you'd think. But then, you know, luckily or unluckily for us, there were a couple of Dutch customers affected by this attack. So that allowed us to be able to register a crime and then get assistance. 
And we did this globally, you know. We really used all of the resources available to us. So, you know, this obviously took time. You know, I think right now this is like three or four days after the attack. But the NCSC in the Netherlands were incredible. And the Dutch guys there were just super helpful. I mean, we wanted a copy of that threat actor device. Like, I wanted to see that Linux box and understand what they've done. I mean, obviously, it was evidence now. It wasn't owned by us. So we couldn't get a snapshot of it, for example. But they allowed us to basically, you know, work with them and analyze the box live on a screen share. So we could actually understand the scale of what had happened, you know. And we'd seen the threat actor scripts for scanning the devices, the outputs that they'd taken from the firewall, you know, how they'd set this thing up, you know, kind of Chinese characters and notes and things throughout the device. What was actually surprising was that everything was kind of set up manually on the C2 server. I kind of expected them to deliver the C2 server with some sort of kind of DevOps pizzazz. But it was just basic, you know, it was like a Linux box and someone copied some scripts to it, you know. But they were amazing. I mean, the NCSC in the Netherlands just gave us so much help and really helped us focus what we, you know, where we needed to look and the kind of scope and scale of all of this. At the same time, they got control of the domains used by the hackers and sent all the traffic they were getting to a sinkhole and logged it all. It's just fascinating to think that like, I don't know, a Netgear, a Linksys, you know, some other commercial product was checking into sophosfirewallupdate.com. It kind of, it's, it's, it's almost screams of like, well, you know, we, we could be bothered to register this domain for Sophos. We're not going to bother to register it for these other companies. 
Like we already got the domain, we're just going to keep using it for these other things. I couldn't find a single article by Linksys mentioning any of this. Nothing at all. Netgear put out an advisory saying a Chinese threat actor is attacking their products. However, they say they are not aware of any Netgear devices being exploited out in the wild, which if they don't have any telemetry from their customers' products, then yeah, of course, they're not going to know if any devices are being exploited. And that's what's challenging me here. Should the firewall vendor be collecting logs off its customers' devices in order to better understand what devices are actively being exploited? Or should that be the responsibility of the customer? In many organizations, they have their own security logs and even a team to monitor those logs to look for threats. But things like Netgear and Linksys are typically home devices, and it's very rare for people in their own homes to be monitoring their logs looking for threats. I looked it up. Netgear actually does quite a lot of analytic collection from their customers' devices. They collect IP addresses, geolocation, how often you use the firewall, what you use the hardware for, what channels your Wi-Fi is set to, and what devices are connected to it. It's surprising with all that analytics collected that they didn't spot a single device being exploited by these threat actors. And this is what frustrates me. When my home router is sending all kinds of logs to another company, like what devices are connected to my router? Really? I hate that. I want the devices in my home to be private and not sending tons of data to somewhere without me even knowing. Because if Netgear has that data, then it's likely a lot of other people have it too. But then they also registered for the kill switch. They registered Ragnarok from Asgard. And Ragnarok, of course, is the Norse mythology end-of-world myth. 
And it was fascinating that that was how they used that nomenclature and that language behind it. Because by this point, we already had some folks who were using Marvel characters, superhero names, in their user accounts that they were using for downloading these firewalls. We had a guy who used the handle of T Stark, who was involved in some of the exploit development and had registered a bunch of these virtual firewalls. And now we're seeing, you know, this is the time frame when the TV series Loki came out and when the Thor Ragnarok movie had come out as well. And it's just fascinating to imagine that these guys who were doing this stuff saw themselves as some kind of superheroes, or maybe they just put themselves in the shoes of that, maybe they're up there with gods and that they can wield a hammer that can throw lightning from a distance at an enemy. It's just fascinating to think about. So this is why Sophos called this particular exploit Asnarok, a combination of the words Asgard and Ragnarok. And all these efforts on their side paid off. The implant gave them incredible insight into how these attackers were developing their exploits, and they were able to write fixes for the next exploits before the attackers could even launch them, which is incredible, to be in the hacker's machine watching them in order to be one step ahead of them. Good job, Sophos. This looks to be a pretty hairy threat actor that you're dealing with. But little did everyone know that was just round one. We're going to take a quick ad break, but stay with us because round two gets even hairier. This episode is sponsored by Drata. Let's face it, if you're leading GRC at your organization, chances are you're drowning in a sea of spreadsheets every day. Balancing security, risk and compliance in an ever-changing landscape of threats and regulatory frameworks can feel like running a never-ending marathon. 
Enter Drata's agentic trust management platform designed for leaders like you. Drata automates the tedious tasks, security questionnaire responses, continuous evidence collection, and much more, saving you hundreds of hours each year. With Drata, you can spend less time chasing documents and more time solving real security problems. With Drata, you also get access to a powerful trust center, a live customizable product that supports you in expediting your never-ending security review requests in the deal process. It's perfect for sharing your security posture with stakeholders or potential customers, cutting down on the back-and-forth questions and building trust at every interaction. Ready to modernize your GRC program and take back your time? Visit drata.com slash darknet diaries to learn more. That's Drata spelled D-R-A-T-A, drata.com slash darknet diaries. Yeah, so that kind of wraps up round one. You identified, you fixed, you cleared, you found all the ones that didn't get fixed, you found and fixed those and took down the whole infrastructure that was doing it. Done. That's patched like permanently 100%. There's nothing that no customer has that's not patched. We're good. Yeah. So everything I've just described to you happened over four days, which is just, yeah, what do you think about it? I mean, it's insane. It's basically one of the largest, widest incident response operations on earth and we did it in four days. Wow. And I still think about it now. It's like a crazy situation, but we were lucky with amazing teams, things aligned. Amazing. That's got to be one of those four days that is permanently in your head, like a light bulb experience of work. Like a lot of people have been on the show and I say, tell me about the worst day of your life. And would you say that that's probably it? I would say it was the worst day. I would probably say it was an experience, right? I mean, I remember thinking at the time, oh my God, this just can't get any worse. 
And every time we'd kind of look at this, there'd be something else. Or I remember as these devices were checking into telemetry, we'd just see the number of affected devices growing. I remember feeling like just this gut-wrenching feeling of like, oh. Within about, I don't know, six to eight weeks after the hotfixes were rolled out, the threat actors had figured out what the hotfix did to make it impossible for the Asnarok attack to work. And they had done a workaround. They had just, you know, bounced their attack around the thing that the hotfix was able to, you know, in a very rapid way, kludge together to make it not work. They kludged together something that got around that hotfix. And wham, round two officially begins. More Sophos firewalls are getting hit with a brand new vulnerability, one that Sophos had no idea was even possible, but Sophos was ready. They even developed a specialized team just to handle this, X-Ops. So X-Ops jumped on it. They saw what the vulnerability was, they wrote a fix for it and started immediately trying to patch the firewalls. The team starts to realize, oh, we need to give these things names, because if we're going to be having these attacks happen in, you know, in sequence in short order, to just keep straight, we need to come up with names. So they decide to use the names of locations around the Pacific Rim as the code names for these internal attacks. So they give this attack a nickname, Baja. It doesn't have anything to do with Mexico. It's just, they just decided that they want to talk about it in the sense of, you know, it's on the Pacific Rim, which is a region of the world where volcanoes and earthquakes happen, right? So it's a place of turmoil. So internally, Sophos realized this attack is bigger than a single attack. This attack is linked to multiple attack campaigns against their product. So they called this whole series of incidents the Pacific Rim Campaign. 
So what the threat actors figured out when they were doing this, the development of this Baja attack, is they watched Sophos and they watched how the hotfix mechanism worked. And they learned how to develop a new exploit, but also they started to develop technology and technique to get around hotfixes. So they figured out how hotfixes were being deployed on firewalls, and they were slowly starting to turn off features inside the firewall that allow the hotfixes to launch and run and do their fixing. Now, this time they're putting just regular old web shells on the firewalls. A shell is like CLI access to a computer. A web shell is having remote CLI access to a computer over the internet. And what the threat actors did this round was simply give themselves remote access to as many Sophos firewalls as they could. And this also removed the need for the attackers to use command and control servers because they could just log in directly to the firewall whenever they wanted and do whatever they wanted to it, which again is a huge problem. You should not allow attackers to enter your firewall from the internet. This is like the security guard of the building suddenly being remote controlled by the bad guys. In June, I mean, we've seen this attack happen, obviously, it was an Apache module issue, and it was chained with like a local privilege escalation. So it's basically again, any device that had a WAN-facing web portal could be affected, which was a lot of devices. The threat actors set up these web shells where they just needed a username and a password to log in. So the Sophos team tried to crack that password, but they couldn't for some reason. Actually, I think we unsuccessfully tried to crack the hash of the password, but I think eventually we found out that the actual password was Gucci. Now, we came across this a while later, because it seemed to be a common password for Chinese threat actors to use, the word Gucci. Now, I have no idea why. 
I think at the time it was about 175, 200 devices that were affected. Okay, so one thing you want to do in your investigation is just try to see if there's a commonality of what firewalls are being exploited like this. And that might give you a clue as to what might be next or who's behind this. So they start looking to see where these firewalls exist in the world and for which customers. Yeah, so this one was very much targeted. The first attack was very much a spray-and-pray type attack. This was specific devices around the Asia Pacific area. I think like Taiwan, Pakistan, places like the Philippines were very much targeted, completely different to the first attack. And we kind of found that this one had delivered payloads that had been used in earlier attacks as well. So again, two Linux shell scripts. So we were able to kind of connect it back to a specific actor. We'd obviously seen these specific files and hashes on the device that we'd been tracking. And then eventually we see it being used. Now, what was kind of interesting about the way that they would develop these is that we can see them starting to work now. Obviously, they'd be working through Chinese hours, they work nine to five. And we'd see them with amazing opsec externally, but the opsec they had on the box was atrocious. So they would be, for example, working with crash dumps. And you could set up the Sophos firewall so that if you ever had a kernel crash or a crash of any sort, it would email the crash logs to your email address. Well, these guys would use their personal email addresses. So imagine the actual firewall's registered to a completely anonymous person. And then we have linked email addresses and Gmail addresses inside the firewall to them. Because I guess it was probably quickest and easiest for them to grab that stuff from their personal mail, you know? And it was super easy for us to like, oh, I see exactly who these people were. 
They start looking back in time at the telemetry that they collected and they discover that this was another bug that someone had submitted a bug bounty for and gotten a payout on. And here it is being used in the wild like just days after the payout happens. So this is starting to get to be a pattern. And the attacks are, you know, widespread. People are, you know, getting noticed about it. So I get called in and have to, you know, decode how the whole attack works and do another flowchart. It's similar to what we did with Asnarok, to do the Baja attack. So these two names keep showing up again in their analysis of these attacks, which are G Big Mao and T Stark. These are the people who registered for trial licenses of Sophos firewalls. They were in China and the malware would show up on their device first, which would indicate this is where all this is originating from. Well, you know, what are the things that we can do? So you've got this telemetry tool that you can do basically wide-scale threat hunting within the firewalls themselves. And so you can do things like, okay, well, we recovered a piece of malware off of the very first machine that belonged to a customer. Let's see where else this malware exists on, you know, the universe of firewalls that are out there. And that was how they found T Stark. So T Stark's firewall was the first one where they found a copy of not just the same malware, but like the binary identical, like the actual same file on this guy's firewall, and it had been there for two months. So he'd been experimenting with this piece of malware. While the Asnarok attack was happening, he was basically planning the next one, like in the middle of us dealing with the aftermath, they were already developing the exploit and building out the payload for that attack. And then the other thing that was really interesting was that we found a bunch of other stuff on this T Stark guy's firewall. 
His firewall had a bunch of malware on it that was designed to run on the Mac and on iOS on iPads and iPhones. And there is no conceivable reason why there would be like a Mac executable inside of a Linux-based Sophos firewall. It just, there's no reason for that. So that was an interesting find. And we didn't really understand what that was being used for, why that was there, until much later. Yeah, what was that? So this all happened in June. Starting around August, September, Sophos had started to communicate with other companies in the field, some of whom did forensic analysis, post-attack analysis for their customers. And one of these companies is called Volexity. And Volexity reached out to Sophos because they had a customer with Sophos firewalls, and they were called in to do the investigation on the Baja attack. And they had also discovered macOS and iOS software in their firewall. And Volexity came to Sophos and said, hey, guys, why is this here? We had no idea. But it turned out, so Volexity had figured out that, on the Sophos firewalls they were investigating where the threat actors were dropping these pieces of software, the owners of those firewalls were operating a charity that supports the Uyghur diaspora. And the Uyghurs are an oppressed minority in China. They believe in Islam, and they practice their faith, but they are strongly discouraged from doing so. And they've been put in prison camps. And the story of the Uyghurs is outside of the scope of this podcast. But the point is that there's really only one organization that actually cares about these two groups of people, about surveillance of these two groups of people, and that is the government of China. During that time, they kept a close eye on the activity of G Big Mao's firewall. And they would see it would just get infected with a new vulnerability, which was like the fourth zero-day vulnerability on the Sophos firewalls. 
Zero-day vulnerabilities are ones that Sophos doesn't even know exist. They've had zero days to fix this, basically. And for me, this is the point where I suddenly see the scale of all this. The first attack was scary already, but four zero days on a security device discovered and leveraged by the same threat actor? That is a lot of time and resources put into finding ways to attack Sophos products. This isn't just a group of kids or even some kind of cyber criminal, which is focused on making money. When someone can spend this much resources and time focusing on getting into a very specific thing and spend years doing it, that's typically a nation state behind it. The skills and patience were so impressive here, which meant Sophos had a lot of work ahead of them to fix this. Absolutely. You can imagine the amount of work that this spins up and the way that it kind of balloons out of control as you discover that more and more pieces of the open source code base that you're using are being exploited in different ways. Who has time for all of that? If all you're doing is just fixing these patches, that could be a full-time job. But you're also supposed to be building out a product that has new features in response to customer requests and all other things. Yeah. At a certain point, it just becomes oppressive. The amount of patching that you have to do and the analysis involved in that and fixing the firewall takes just as much QA. It takes time to build things that don't break. These are critical. I don't want to say they're critical infrastructure, but they're protecting critical infrastructure. Yeah. In reality, we're at that point that the Sophos firewall itself needed some hardening. That part is fairly clear. There was an internal mission going on where Danfreesources may pivot to trying to harden certain elements of the operating system and web portal to really help us. 
With that web portal, I'll tell you, man, the more ports you have open, the more vulnerable you are. If you have a web portal, you're going to have a million different ways to mess with that thing. You are. When I was a firewall admin, I was very adamant about zero exposure to the internet. No SSH port, no web portal, nothing is allowed. The internet should not be able to access this firewall. If you want to get to this firewall, you have to come at it from the inside. Exactly. I wish every firewall admin acted like you, Jack. We have people who just put the firewall on the internet and they put the web portal out there. Now, there was some legitimacy around putting your web portal out there because you had the admin portal, which is separate to the web portal. The web portal was where users picked up SSL profiles and things like that. I mean, it is wild to think that someone or some team out there is working feverishly to find vulnerabilities in your product, and then to have an implant on their firewall so you could watch them develop their exploits, and the threat actor had no idea there was an implant on there watching what they were doing. The Sophos team did a really good job at hiding it, so it would be really hard for them to notice. It was really well hidden, you know? So, we did start to get some really good telemetry and start to know these guys. Honestly, we were really obsessed with it. It was almost like obsession ops. We would just wait for this telemetry to come in and then we would be all over it. You know, we'd start to dissect what they were doing, how they were working, you know, if they'd add anything, their IP addresses, we'd start to OSINT into it and we'd start to build a picture of who these people were. There were multiple threat actors that we were watching at any one time.
You know, it's kind of funny because, like, you know, I often think that, you know, external threat intelligence is very much like, almost like astrology, infosec astrology, you know, where people are kind of connecting a technique to that specific threat actor group. Dude, we had names. We could tie them to companies, you know, and then we could tie it to threat actor group attribution. You know, it was a really weird situation we were in. We had visibility that was just unreal. I remember, like, at one point we saw one of the actors searching for a flat, so we started to work out that, you know, he was looking for a flat like he was a normal dude, you know, he's going about his everyday life, probably sitting there bored in the lab, you know, having run the same test 10 times and thinking, oh, you know, I really need to sort my housing situation, you know, and we're there like building this picture of his life. And honestly, we were obsessed by it. It really became like obsession ops. Yeah, because since Craig had control of the firewall in that guy's lab, he could essentially see all the traffic going through it, which gave him a unique look into this person's life. And with these new insights and closely watching everything that was going on, the Sophos team were able to quickly create fixes for the vulnerabilities to minimize the impact as best as they could. So with all these vulnerabilities fixed, round two of this battle came to a close. Sophos had a lot of bruises, but I think they won the battle. Yeah, that's it for round two. But you know, there are several parts that are kind of useful. Number one, round two really validated our use of telemetry. It was the first time that we'd really used our implant. The other aspect to this as well is we became really adept at finding these threat actor devices.
So we started to work out that obviously we'd identified an actor called GBigMao, but all in all, we were dealing with about seven different actors that we could see. You know, some of them were doing the same thing, but in different locations. So we kind of worked out quite quickly that they're working for individual Chinese defense contractors, because when you think about, like, a government department, they're not going to duplicate the same work, because effectively it's all the same people working. For a defense contractor, everything is valuable to them. If they're the first to an exploit, that's super valuable. So what we found then is we found these multiple companies. And one of the simplest ways we actually found them, funnily enough, and this sounds so basic, is that we would look at devices that would be continually going up and down firmware versions. And these threat actor devices would constantly, like, put the latest firmware on, roll it back, put the firmware on, roll it back. And they'd do this, like, I don't know, maybe five or six times a day, whereas, like, normal firewall operation, it's like, it's new firmware and it's left. And then in a month, it gets new firmware and then it's left. So these things just stood out like a sore thumb. So it suddenly became really easy to find these threat actors, you know, the more telemetry we had, the easier it got, you know, and we started to really build a wide assortment of threat actors in China, the locations they had. And of course, you know, honestly, the piss poor OPSEC that they had on the device itself just allowed us to start building up really quite wide profiles on them. And over this period, we would start to, like, really get an idea of how they were targeting things. And it was very much like seeing them do something, build an attack, know that this was coming, and having to wait for it to be deployed, you know.
I mean, if we went and pre-patched the devices continually, they would have noticed, they would know that the game was up, you know, so we kind of waited to understand what was happening. We'd wait for the first indication of deployment of whatever they were doing, and kind of run and patch it almost immediately, you know. So we had, like, probably one of the craziest, like, forward-going threat intelligence. Well, that's crazy. Threat intelligence is simply the understanding of what threats you will face or have faced. This is why I think it's really great having records of all attacks that your company has ever seen, because it's incredibly valuable at helping you defend against future attacks. But in Sophos's case, they knew exactly what threat was coming next, and were 100% prepared for it the moment it would be seen. That's really slick. That's threat intelligence that's on a whole new level. But even after two huge rounds of attacks against Sophos firewalls and discovering four zero-day exploits on them, the war wasn't over. The threat actors continued to develop more and more exploits for Sophos firewalls. Yeah, over time, the threat actors were increasingly targeting specific organizations or specific groups. They, you know, they identified who all of the customers were in those early attacks because they smacked all of the firewalls at once and grabbed some data. Oh my gosh, I didn't even think of that. So if we back up and look at the way all this has progressed, first they hacked into Cyberoam only to get the source code for Sophos firewalls, which gave them inside information to basically bug hunt. Then they infected 80,000 Sophos firewalls with malware, taking all their configurations and information about the firewall itself, and then combed through that looking to see what targets are interesting to them. And now they're being super precise about who they're hitting. This campaign keeps evolving.
From 2021 onwards, it really pivoted towards a very sharp focus on discriminate attacks, you know, really highly targeted hands-on-keyboard attacks against, like, specific entities. So for example, government agencies, critical infrastructure, research and development organizations, healthcare providers, everything from kind of retail to military, even finance, you know, and again, all focused in the APAC region. Geez, what a nightmare. I cannot imagine all these places getting hacked into through my security device. All these companies bought Sophos firewalls to protect themselves. And it was that very firewall which allowed Chinese hackers in. At some point, did you reach out to some of these victims to say, hey, I think the Chinese government is attacking you? So that's one thing we did really extensively. Well, two things. One is we'd reach out to the customer. And again, this was part of our philosophy of making sure that, you know, there was no further damage or no hurt. And as well, we would reach out to either the localised law enforcement, or, if we had great ties to the local, you know, CERT or NCSC or whoever the local cyber authority was. Now, in the UK, we had some amazing connections in the NCSC. And they would help us facilitate these connections out to all sorts of CERTs and bodies. And, you know, they were incredibly supportive of us. Yeah, I mean, what's that call like, to call up a government, a foreign government? I know you're just talking to the sysadmin there, but still, like, hey, you guys are getting hacked. It's pretty strange, you know, and not only that, when we sit there, you know, obviously through translation very often, explaining what we've seen and what happened and who we attribute it to. It's a very strange experience, you know, also not as strange as calling up another firewall provider, telling them that their box is being tooled over by a Chinese threat actor. And they might ask us, well, how do you know?
And not really being able to tell them how we know and why we know, but we definitively know. That's a bit of a weird experience also. At some point, Cyberoam gets hacked into again. Well, it turns out that the Cyberoam code is the predecessor to the XG Firewall code. So, Cyberoam was the company that Sophos bought and their product became the XG Firewall. So, back in 2018, when we're talking about how the threat actors had stolen the source code, you know, they were using some of that still to find additional vulnerabilities. And they found a vulnerability at this point. Cyberoam and the XG Firewall were operating in parallel, but Cyberoam was about to be phased out. It was about to be end of life. And the threat actors found a vulnerability that allowed them to create an admin-level account on the box with just a SQL injection query that was pre-authentication. So, they could just hit the SQL server that was running on the firewall from the outside and run a command that was able to get it to add a user with admin access. And then they could log in on any Cyberoam firewall, you know, that they wanted to with that credential. And there was no easy fix for it. And because the product was close to end of life, Sophos just decided to rush it to end of life and get everybody who was running a Cyberoam firewall to upgrade to the latest XG and put that one to bed. Because it was the point where if we had to start, you know, tracking attacks against Cyberoam and XG Firewalls, that would have taken the entire, like, all of the entire team's resources all the time. At a certain point, it just made better sense to end-of-life the product early. It does make me think, though, if they were trying to get into Cyberoam to get source code, they were probably trying to get into Sophos' network as well, trying to get source code. I mean, yeah, that's an interesting thing to hypothesize about, but I have no idea about that.
You should say, no, the Sophos firewalls are so good that they blocked those guys, don't worry. Well, I don't work there anymore, so I don't have to defend them. But, like, I do think that, you know, Sophos did have, it did seem to have better security practices than Cyberoam did. So after the threat actors found an exploit in the Cyberoam product, and were actively exploiting that, Sophos just decided to kill that product altogether. Now, Andrew tells us it's because it was already on its way to being killed, but I don't want to diminish the idea that a cyber attack can have the effect of killing an entire product line. That's a pretty big deal if you ask me. Anyway, somehow the French authorities investigated the Cyberoam intrusion and publicly announced that the attack was carried out by APT31, which is a Chinese state-sponsored hacker group. So yeah, if it wasn't clear by now, it should be. The Chinese government and military are the ones who are behind this attack campaign known as Pacific Rim, which has been going on for years at this point. We started to see these actors working on more and more attack types, especially TStark. You know, we found him working on, like, a rootkit at the time. It was called libxselinux.so, and we managed to capture it from his device. And it was like a customized userland rootkit. So that was actually a real win for us. I remember feeling like, okay, yeah, we've really got a great view of what's happening on these devices here now. Now, we managed to grab these from the TStark device, but, like, a week later then, he's got a completely new injection there, like a new vulnerability in WebAssembly. And it's kind of unknown to us. And effectively what he was doing was, he was in this WebAssembly vulnerability, he was injecting, like, an iframe into the proxies that things move through there. And we found that this thing, like, I think it was about two weeks or so after we found it, had actually been deployed in Tibet.
Now, this was, we found this on this device in Tibet for an organization that was basically providing support to Tibetan exiles. So, he basically moved from 10 days to deployment. Yeah. And I can't remember which, I don't know who said it, I feel like a president said something like, a business isn't going to be able to take fire from, like, a Scud missile or rocket launch. And so we can't expect them to be able to take on attacks, cyber attacks from nation-state actors as well. And at this point, you're starting to feel confident that this is a nation-state threat attack on your company. And at this point, there's five or six different zero days that they've discovered on you. I mean, that's got to be some of the most heart-wrenching, gut-sinking feelings to say, okay, I don't know how we're going to ever stop this attack. This might go on forever. Like, what is your response to this mentally? Honestly, I remember at that point just feeling exhausted. Like, this has been months and months and months of us fighting these, what is effectively the PLA for all intents and purposes. And the truth is, who else helps these organizations? That organization in Tibet had nowhere near enough resource to be able to deal with this. They were lucky that Volexity had been doing some pro bono work there. We'd reached out and helped them as well. But in reality, like, if it hadn't been for our graces, they would have been stuck. And it really comes down to this weird intersection on the internet of lawlessness. Like, there's just so many areas that just are not covered by anyone. I'm in the UK, you know, we have the serious organized crimes unit and we have the NCSC who protects us; in the US it's the FBI and the NSA; and, you know, many countries just don't have anything. And this is the part that actually surprised me the most. Like, who do these people call? You know, we felt like heroes, but in reality, like, who are we to deal with this?
You know, we're kind of woefully underqualified to deal with a threat actor at that level. You know, I mean, this felt like almost a military operation. Yeah, suddenly your war room doesn't feel so up to snuff, right? Like, you're like, man, we're nowhere compared to their war room. Exactly. Like, you know, and I think that's what surprised me, is, like, we were really on the edge of, like, what is effectively cyber warfare. And it started to really tip into that feeling with this, but it was certainly interesting. And you know, as a whole, you know, seeing that payload being delivered there and understanding the purpose, why they delivered the payload, having seen it being built on a device in Chengdu, like, 10 days, two weeks previously, it was just one of those crazy moments of, like, oh my God, like, we really see this soup to nuts. Now, when Sophos would issue a hotfix or patch their firewalls, they would tell their customer what the update was for, like, bug fixes for several security vulnerabilities, to learn more, visit our knowledge base. But Sophos discovered that the threat actors TStark and GBigMao were also accessing Sophos' site, logging in and reading the knowledge base articles to see what got patched. And they were reading exactly what Sophos had fixed and then developed exploits to get around those patches. So the Sophos team had to get increasingly vague with what got fixed to avoid giving the enemy information. And I suppose that's a form of counterintelligence, being very careful what information you give your enemy. But it kind of contradicts what I said earlier about, don't be evil, right? If you're not being transparent, and you're hiding what it is you're doing, then you might be evil. But in this case, they had to hide it because they didn't want their enemies to know this. This is so difficult to navigate.
And at that point, the threat actors understood how the hotfixes were working and what telemetry Sophos was collecting off these firewalls. And so they developed an exploit to disable the hotfixes and to stop the telemetry from going back to Sophos to detect which devices were infected. And they took extra steps to hide their presence. The threat actors are developing exploits and they're developing malware, and they're coming up with new techniques for breaking into firewalls. And the implant is revealing all of that stuff to the security team. So behind the scenes, the security team is rushing into production hotfixes and patches for the operating system that fix these vulnerabilities before the threat actor even knows. And because they have this ability to send the hotfixes, you know, not necessarily to every machine, but maybe to every firewall except the ones that the threat actors are using, they can fix the whole universe of firewalls except for the ones that the threat actor is using. And I think after you've tried to deploy your second or third or fourth attack, and it just doesn't work, and you're scratching your head because it works in the lab, look, I can show you it. I demonstrated it to these guys, the higher-ups in the company or whoever's telling me to do this attack, that it works. But, you know, in the wild, it suddenly doesn't work. I think after two or three times of shooting blanks, you're going to start to wonder, like, hey, is there something else going on? And they started to look at, you know, well, what is this information, you know, what's the firewall collecting about us? And are we inadvertently revealing, as bad guys, to the good guys what we're about to do? So yeah, so they start looking at telemetry, they start looking at log collection and process lists, and they're trying to build out the capabilities to be stealthy.
It's maybe distracting them from building custom malware, or developing new exploits, but they have to spend a little bit of energy on it, you know, it puts them on the back foot. And for the first time, I think this is, like, one of the cases where you can say, yeah, there were some challenges and we had some bad days early on. But we're forcing the threat actors to have to make moves to counter us. And actually, that feels pretty good. This story just goes on and on. There was another rootkit found. There's rootkit number four, libsophos.so. Yeah. So libsophos was the very custom rootkit, and again, yeah, deleting logs, you know, hiding its presence on the machine, trying to do everything as stealthily as possible, low volume of outbound communication, and persistence. They're experimenting with everything. And it seems to me that the threat actors have been given carte blanche to just try and experiment with all sorts of different things. So during this period from late 2020 to the end of 2022, we're seeing a huge variety of different payloads and exploits. It's bad. It's bad out there. Like, it's kind of like the Wild West and you never know where something's going to come from. At some point, they saw the threat actor was trying to develop a UEFI bootkit. This is malware which infects the firewall at the BIOS before the operating system even has a chance to boot up. You know, if you can get a bootkit into the UEFI BIOS of a device, there's nothing that you can do in the, you know, userland of the operating system to remove it, because it's running at a level beyond which the operating system cannot reach. Yeah, a bootkit like this would remain on the system even if you deleted everything and reinstalled the entire operating system again, since it lives in the part of the computer which loads before the operating system loads.
This was actually kind of scary, to find this experimentation happening on one of the threat actor devices. They were really trying to figure out if they could get this bootkit to run on a firewall, and they ended up breaking the firewall. It didn't work. And after we discovered what they were trying to do, the Sophos engineers figured out how to, you know, change the firmware on the firewall at that low level so that it wasn't able to run. And they implemented that in an update. But that's the scariest thing in all of this. I think the UEFI bootkit malware on a firewall is the holy grail. It's where you've got malware on a firewall, it can't be removed. The firewall has to be thrown in the trash. It's scary. And, you know, we've already seen that there's been other firewall vendors where their recommendation was, unplug this box and put it in the trash because it is not safe to use anymore. So it makes me wonder, because we never get the details from other reports about what happened, whether this was successful with other vendors and whether they were testing this with us and it just failed because we were watching them and, you know, stuck a wrench in the works just at the right moment and made it too much of a pain in the butt for them to keep trying. And they just moved on to the next guy. This was very much the kind of end of my involvement in this, because I actually left Sophos at this time and went to work for the company I'm currently working for now, you know. But I mean, from that point, I kept in really close contact with my colleagues who were there and we were sharing intel as things progressed, you know. But I mean, there were kind of two further published engagements, basically one in May of 2023 and then one in March of 2024. And then it kind of came to a head, you know. Which actually was kind of disappointing in a sense for me, because I think very often that this stuff hasn't stopped.
I mean, the devices are significantly more secure now. Sophos put, like, an inordinate amount of time, effort and money into hardening the devices. I would actually hazard to say that they're probably the one firewall company that actually is secure now. In all seriousness though, I think it's one of those aspects of, you learn from your mistakes. Sophos being incredibly open and clear about this, kudos to them. Being open about it and publishing your mistakes, and also publishing what we did and how we worked through this, is super unique. And you don't see any other firewall company talking about this. And we know for sure that this stuff was happening across a multitude of other devices. The truth is, it's probably happening right now to some other firewall providers. They just don't know. They don't collect telemetry. They don't have the hotfix mechanism that allows them to forward defend you. And yeah, it's an issue. It's still an issue. One of the actors involved in all of this, we talked about him earlier. He used the handle GBigMao, and we eventually figured out his real name. You have the pictures of him. And the guy appears on the FBI's 10 most wanted list today. His name is Guan Tianfeng. And he was the researcher at this company called Sichuan Silence Technology Company. Yeah, Sichuan Silence Technology Company Limited. Right? So this guy made it his career to break into firewalls and find vulnerabilities and then pass them off to people who would take advantage of them. And for all of his efforts, he's in his early 30s. He has a $10 million Rewards for Justice bounty on his head. And he can never travel outside of a non-extradition country in the world ever again without fearing arrest and extradition to the United States. And it just makes me wonder if it really was worth it to him. Because in many respects, he seems like a nice guy. At one point, he had his heart in the right place.
So GBigMao, in his early days of working in this field, used to post on message boards trying to get firewall companies to fix their stuff. I can't imagine what happened to turn him, to make him break bad in this way. It actually says in the FBI's Cyber's Most Wanted poster that this guy hacked into 80,000 Sophos firewalls. And just because I'm curious, I took a look at a few dozen other FBI Cyber's Most Wanted posters. And strangely, I don't see any other person listed for hacking into other security vendors. So again, hats off to Sophos for taking this threat actor so seriously and getting them on the FBI's Cyber's Most Wanted list. The story, as we published it, finishes in 2024, not because the attack stopped, but because at a certain point, you just got to put a pin in it and say, we're going to stop here, because if we keep talking about this, it never ends, because the attacks have continued ever since. Nothing has stopped. And if there's anything to be said about this, it's that the cadence has picked up. It has broadened its scope. We're seeing every security company in the industry, in various ways, targeted in very similar ways. A big thank you to Andrew Brandt and Craig Jones for coming on the show and telling us this incredible story of how Sophos got targeted by a Chinese state-sponsored threat actor. This story is dang scary to me, since the playing field is so unfair. A single company versus a superpower like China. And not only that, a superpower that's lawless and feels absolutely no shame from breaking the law. You'd think that after their main guy was wanted by the FBI, they'd pull back and maybe apologize, but no, they increase their efforts and are hitting harder than ever against so many security vendors too. Hey, I really want you to become a premium subscriber to Darknet Diaries. All I'm asking is for you to buy me a cup of coffee once a month. This is my full-time job. This is how I make a living. If I suddenly stopped making this show, would you be sad?
If so, then you probably find it valuable. And I hope you support things that you find valuable. If you become a premium subscriber, you get ad-free episodes, bonus episodes. And coming up later this year is a new podcast I'll be releasing, and you'll be the first to listen to it because it'll only be available to premium subscribers for a while. So please visit plus.darknetdiaries.com to support the show. Thanks. This episode was created by me, the lead firewall offender, Jack Rhysider. Our editor is the port knocker Tristan Ledger, mixing done by Proximity Sound, and our intro music is by the mysterious Breakmaster Cylinder. I named my firewall Linebacker, because it's great at blocking and tackling. This is Darknet Diaries.