The US Federal Bureau of Investigation (FBI) is asking for the public’s help in its investigation into the hacking of edge devices and computer networks belonging to companies and government organizations.
“The Advanced Persistent Threat group allegedly created and deployed malware (CVE-2020-12271) as part of a widespread series of indiscriminate computer intrusions designed to steal sensitive data from firewalls around the world,” the agency said.
“The FBI is seeking information on the individuals responsible for these cyber intrusions.”
The development follows a series of reports published by cybersecurity vendor Sophos, which describe a number of campaigns from 2018 to 2023 that exploited edge infrastructure devices to deploy custom malware or repurposed them as proxies to evade detection.
The malicious activity, codenamed Pacific Rim and aimed at surveillance, sabotage and cyberespionage, has been attributed to multiple Chinese state-sponsored groups, including APT31, APT41 and Volt Typhoon. The earliest attack dates back to late 2018, when a cyberattack targeted Sophos’ Indian subsidiary Cyberoam.
“The adversaries have targeted both small and large critical infrastructure and government facilities, primarily in South and Southeast Asia, including nuclear energy suppliers, the national capital’s airport, a military hospital, state security apparatus and central government ministries,” Sophos said.
Some of the subsequent mass attacks have been identified as exploiting multiple zero-day vulnerabilities in Sophos firewalls – CVE-2020-12271, CVE-2020-15069, CVE-2020-29574, CVE-2022-1040 and CVE-2022-3236 – to compromise the devices and deliver payloads both to the device firmware and to hosts on the organization’s local network.
“Beginning in 2021, adversaries appear to have shifted their focus from widespread indiscriminate attacks to narrowly focused, hands-on-keyboard attacks against specific entities: government agencies, critical infrastructure, research organizations, healthcare providers, retail trade, finance, military and public sector organizations, primarily in the Asia-Pacific region,” the report says.
Since mid-2022, the attackers are said to have focused their efforts on gaining deeper access to specific organizations, evading detection and gathering additional information by manually executing commands and deploying malware such as Asnarök, Gh0st RAT and Pygmy Goat, a sophisticated backdoor capable of providing persistent remote access to Sophos XG Firewalls and likely other Linux-based devices.
“Although it does not contain any new techniques, Pygmy Goat is quite sophisticated in the way it allows an actor to interact with it on demand while blending in with normal network traffic,” the UK’s National Cyber Security Centre (NCSC) said.
“The code itself is clean, with short, well-structured functions that facilitate future extensibility, and is error-checked throughout, indicating that it was written by a competent developer or developers.”
The backdoor, a novel rootkit that takes the form of a shared object (“libsophos.so”), was delivered following the exploitation of CVE-2022-1040. Use of the rootkit was observed between March and April 2022 on a government device and at a technology partner, and again in May 2022 on a machine at a military hospital in Asia.
It is believed to be the handiwork of a Chinese threat actor, tracked internally by Sophos as Tstark, which has links to the University of Electronic Science and Technology of China (UESTC) in Chengdu.
It comes with “the ability to listen for and respond to specially crafted ICMP packets that, when received by an infected device, open a SOCKS proxy or shell reverse connection to an IP address of the attacker’s choice.”
Sophos said it countered the early-stage campaigns by deploying its own kernel implant on devices that Chinese threat actors were using for exploit research and development, including machines owned by Sichuan Silence Information Technology’s Double Helix Research Institute, thereby gaining visibility into “a previously unknown and hidden remote code execution exploit” in July 2020.
Additional analysis in August 2020 led to the discovery of a lower-severity post-authentication remote code execution vulnerability in an operating system component, the company added.
In addition, the Thoma Bravo-owned company said it observed a pattern of receiving “simultaneously very useful but suspicious” bug bounty reports at least twice (for CVE-2020-12271 and CVE-2022-1040) from individuals it suspects have links to research facilities in Chengdu, before the flaws were used maliciously.
The findings are important, not least because they show that active vulnerability research and development is conducted in the Sichuan region and then passed on, via various state-sponsored Chinese fronts, to groups with different goals, capabilities and post-exploitation techniques.
“With Pacific Rim, we observed (…) a pipeline of zero-day exploits linked to educational institutions in Sichuan Province, China,” said Chester Wisniewski. “These exploits appear to have been shared by state-sponsored attackers, which makes sense for a nation-state that mandates such distribution through its vulnerability disclosure laws.”
The increased targeting of network devices also coincides with a threat assessment by the Canadian Centre for Cyber Security (Cyber Centre), which found that at least 20 Canadian government networks have been compromised by Chinese state-sponsored hacking groups over the past four years to advance China’s strategic, economic and diplomatic interests.
The Cyber Centre also accused Chinese threat actors of targeting Canada’s private sector to gain a competitive advantage by gathering sensitive and classified information, along with supporting “transnational repression” missions aimed at Uyghurs, Tibetans, pro-democracy activists and supporters of Taiwanese independence.
Chinese cyber threat actors have “compromised and maintained access to multiple government networks over the past five years, gathering messages and other valuable information,” it said. “Threat entities sent email messages containing tracking images to the recipients to conduct network reconnaissance.”