The U.S. Federal Bureau of Investigation (FBI) is reaching out to the public for assistance regarding an investigation of security breaches involving edge devices and computer networks belonging to various companies and government organizations.

“An Advanced Persistent Threat group is alleged to have developed and used malware (CVE-2020-12271) in a wide-ranging series of indiscriminate cyber intrusions aimed at exfiltrating sensitive data from firewalls on a global scale,” the agency stated.

“The FBI is looking for information on the identities of the persons responsible for these cyber breaches.”

The appeal follows a series of reports published by the cybersecurity firm Sophos documenting campaigns from 2018 to 2023 in which its edge infrastructure devices were exploited to deploy tailored malware or turned into proxies for evading detection.

These malicious activities, labeled as Pacific Rim, were orchestrated to carry out surveillance, sabotage, and cyber espionage and have been linked to several Chinese state-sponsored groups, including APT31, APT41, and Volt Typhoon. The earliest of these attacks dates back to late 2018, targeting Sophos’ subsidiary Cyberoam in India.

“The attackers have chosen to focus their efforts on a range of entities, from small businesses to large essential infrastructure and government facilities, particularly in South and Southeast Asia, including entities such as nuclear energy suppliers, an airport in a national capital, a military hospital, state security organizations, and central government ministries,” Sophos noted.

Several of the broader attacks are known to have used multiple then-zero-day vulnerabilities in Sophos firewalls, including CVE-2020-12271, CVE-2020-15069, CVE-2020-29574, CVE-2022-1040, and CVE-2022-3236, to compromise devices and deliver payloads both to the device firmware and to the local networks behind them.

“From 2021 onwards, the attackers shifted their strategy from broad random assaults to more precise, targeted attacks against specific organizations: government bodies, essential infrastructure entities, research and development firms, healthcare providers, retail operations, financial institutions, military entities, and public-sector agencies primarily in the Asia-Pacific region,” it stated.

Starting in mid-2022, the attackers reportedly concentrated their efforts on obtaining deeper access to specific organizations, evading detection, and gathering further intelligence by executing commands manually and deploying malware such as Asnarök, Gh0st RAT, and Pygmy Goat, a sophisticated backdoor that enables ongoing remote access to Sophos XG Firewalls and potentially other Linux systems.

“Although it does not incorporate any groundbreaking techniques, Pygmy Goat is quite advanced regarding how it allows the perpetrator to engage with it on demand while camouflaging itself within regular network traffic,” the U.K. National Cyber Security Centre (NCSC) remarked.

“The code itself is well-structured and concise, facilitating future extensions, with error handling throughout, indicating it was authored by skilled developers.”

This backdoor, identified as a novel rootkit taking the form of a shared object (“libsophos.so”), was discovered following the exploitation of CVE-2022-1040. Instances of the rootkit were recorded between March and April 2022 on a government device and a technology partner, with another occurrence in May 2022 at a military hospital located in Asia.

Sophos attributes this activity to a Chinese threat actor dubbed Tstark, which has connections to the University of Electronic Science and Technology of China (UESTC) in Chengdu.

This backdoor has the “capability to listen for and react to specifically crafted ICMP packets that, when received by an infected device, could open a SOCKS proxy or reverse shell connecting back to an IP address specified by the attacker.”
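A backdoor that is activated by specially crafted ICMP packets hides its trigger inside a protocol most networks allow without inspection. From a detection standpoint the useful question is whether an echo request actually looks like the output of a normal ping client. The following script is an added, illustrative example and is not part of the original article or of any Sophos or NCSC tooling; the payload format used by Pygmy Goat is not described on this page, so the script does not attempt to match it and instead baselines echo payloads against the default fill patterns of iputils ping on 64-bit Linux (16-byte timestamp followed by 0x10..0x37, an assumption about the client version) and of Windows ping, flagging anything else together with oversized or high-entropy payloads. The packet records are constructed sample data with RFC 5737 documentation addresses.

```python
import math
from dataclasses import dataclass

# Default fill bytes of common ping clients (assumptions about client versions, see lead-in).
LINUX_FILL = bytes(range(0x10, 0x38))                  # trailing 40 bytes of a 56-byte iputils payload
WINDOWS_FILL = b"abcdefghijklmnopqrstuvwabcdefghi"     # the fixed 32-byte Windows ping payload

@dataclass
class IcmpRecord:
    """One ICMP datagram as a collector might log it (constructed record shape, not a real tool's)."""
    src: str
    dst: str
    icmp_type: int   # 8 = echo request, 0 = echo reply
    icmp_code: int
    payload: bytes   # bytes after the 8-byte ICMP header

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for an empty payload."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def payload_reasons(payload: bytes) -> list:
    """Heuristic reasons an echo payload does not look like an ordinary ping; empty list means benign."""
    if len(payload) == 56 and payload[16:] == LINUX_FILL:
        return []
    if payload == WINDOWS_FILL:
        return []
    reasons = []
    if len(payload) > 64:
        reasons.append(f"oversized payload ({len(payload)} bytes)")
    # A payload whose entropy is close to the maximum for its length is likely encrypted or packed.
    if len(payload) > 1 and shannon_entropy(payload) > 0.9 * math.log2(len(payload)):
        reasons.append("high-entropy payload")
    if not reasons:
        reasons.append("payload does not match a known ping fill pattern")
    return reasons

def scan(records):
    """Return (index, src, dst, reasons) for every echo request with a non-standard payload."""
    findings = []
    for i, r in enumerate(records):
        if r.icmp_type != 8:          # only echo requests are baselined here
            continue
        reasons = payload_reasons(r.payload)
        if reasons:
            findings.append((i, r.src, r.dst, reasons))
    return findings

# Constructed sample traffic: two ordinary pings, two suspicious echo requests, one reply.
SAMPLE_RECORDS = [
    IcmpRecord("192.0.2.10", "192.0.2.1", 8, 0, b"\x00" * 16 + LINUX_FILL),
    IcmpRecord("192.0.2.11", "192.0.2.1", 8, 0, WINDOWS_FILL),
    IcmpRecord("198.51.100.7", "192.0.2.1", 8, 0, b"\x01" + b"203.0.113.5:1080"),
    IcmpRecord("198.51.100.7", "192.0.2.1", 8, 0, bytes((i * 73 + 41) % 256 for i in range(128))),
    IcmpRecord("192.0.2.1", "192.0.2.10", 0, 0, b"\x00" * 16 + LINUX_FILL),
]

def demo():
    return scan(SAMPLE_RECORDS)

if __name__ == "__main__":
    for index, src, dst, reasons in demo():
        print(f"record {index}: {src} -> {dst}: {'; '.join(reasons)}")
```

Run against real traffic, the benign set would need to be extended with whatever ping-like tooling an environment legitimately uses (monitoring agents often send their own fixed patterns); the point is that a firewall's own ICMP traffic is small and regular enough to baseline, and an echo request carrying an address or an encrypted blob stands out once that baseline exists.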

Sophos reported countering these campaigns at an early stage by deploying a custom kernel implant on devices that Chinese threat actors were using for exploit research, including devices owned by Sichuan Silence Information Technology’s Double Helix Research Institute, thereby gaining visibility into a previously unseen and stealthy remote code execution exploit discovered in July 2020.

An ensuing analysis in August 2020 revealed a less severe post-authentication remote code execution vulnerability in an operating system component, the company added.

Furthermore, the company, which is owned by Thoma Bravo, reported receiving “highly useful yet suspicious” bug bounty submissions on at least two occasions (CVE-2020-12271 and CVE-2022-1040) from individuals it suspects have ties to Chengdu-based research institutions, in each case before the vulnerability was weaponized.

The implications of these findings are considerable: they point to an ongoing vulnerability research and development effort in the Sichuan region whose output is then handed to various Chinese state-supported frontline groups with differing objectives, capabilities, and post-exploitation strategies.

“With Pacific Rim, we witnessed […] a systematic development of zero-day exploits linked to educational institutions in Sichuan, China,” Chester Wisniewski commented. “These exploits seem to have been shared with state-sponsored attackers, which aligns with a national strategy that requires such sharing as mandated by their vulnerability-disclosure laws.”

The intensified focus on edge network devices aligns with a threat assessment released by the Canadian Centre for Cyber Security (Cyber Centre), which states that at least 20 Canadian government networks have been infiltrated by Chinese state-sponsored hacking groups over the past four years in support of China’s strategic, economic, and diplomatic ambitions.

The Cyber Centre also accused Chinese threat actors of targeting Canada’s private sector to obtain confidential and proprietary information, and of supporting “transnational repression” campaigns that aim to persecute Uyghurs, Tibetans, pro-democracy activists, and supporters of Taiwanese independence.

Chinese cyber threat actors “have breached and maintained access to numerous government networks in the past five years, harvesting communications and additional valuable data,” it stated. “The threat actors have utilized email messages containing tracking images sent to recipients to conduct network reconnaissance.”
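The tracking-image technique mentioned above works because a mail client that fetches a remote image reveals, at minimum, that the message was opened, when, from which IP address, and with which client software; a URL carrying a per-recipient token ties that fetch to one mailbox. The script below is an added example, not part of the article or of the Cyber Centre assessment, showing how a mail gateway or analyst might triage HTML bodies for such images: it parses the `<img>` tags, ignores inline `cid:` and `data:` images (which cannot phone home), and flags remote images that are 1x1 or smaller, hidden by style, or carrying a long opaque query-string value (the token heuristic and its 16-character threshold are this example's assumptions). The sample message is constructed and uses an `example.com` host.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})

def _tiny(value: str) -> bool:
    """True for width/height attributes of 1px or less (e.g. '1', '0', '1px')."""
    try:
        return int(value.strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False

def tracking_image_reasons(attrs: dict) -> list:
    """Heuristic reasons one <img> looks like a tracking image; empty list means not flagged."""
    src = attrs.get("src", "")
    parsed = urlparse(src)
    if parsed.scheme.lower() not in ("http", "https"):
        return []                         # inline or attached image: rendering it contacts no server
    reasons = []
    if _tiny(attrs.get("width", "")) and _tiny(attrs.get("height", "")):
        reasons.append("remote image sized 1x1 or smaller")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("remote image hidden by style")
    # Assumption: a long opaque query value is a per-recipient identifier.
    for values in parse_qs(parsed.query).values():
        if any(len(v) >= 16 for v in values):
            reasons.append("opaque token in image URL")
            break
    return reasons

def find_tracking_images(html: str) -> list:
    """Return (src, reasons) for every <img> in the body that trips a heuristic."""
    collector = ImgCollector()
    collector.feed(html)
    findings = []
    for img in collector.images:
        reasons = tracking_image_reasons(img)
        if reasons:
            findings.append((img.get("src", ""), reasons))
    return findings

# Constructed sample message: an attached logo, a plain remote banner, and two tracking images.
SAMPLE_HTML = """
<html><body>
<img src="cid:logo@example.com" width="200" height="50">
<img src="https://mail.example.com/banner.png" width="600" height="200">
<p>Please review the attached document.</p>
<img src="https://mail.example.com/o.gif?r=0123456789abcdef0123" width="1" height="1">
<img src="https://mail.example.com/p.png" style="display: none">
</body></html>
"""

def demo():
    return find_tracking_images(SAMPLE_HTML)

if __name__ == "__main__":
    for src, reasons in demo():
        print(f"{src}: {'; '.join(reasons)}")
```

The corresponding mitigation is to configure mail clients not to load remote content automatically, or to proxy remote images through a gateway so that the sender sees the gateway's address and fetch time rather than the recipient's; the heuristics above are then a way of measuring how often the organization is being probed in this manner.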
