Inside a Firewall Vendor's 5-Year War With the Chinese Hackers Hijacking Its Devices (wired.com)
British cybersecurity firm Sophos revealed this week that it waged a five-year battle against Chinese hackers who repeatedly targeted its firewall products to breach organizations worldwide, including nuclear facilities, military sites and critical infrastructure. The company told Wired that it traced the attacks to researchers in Chengdu, China, linked to Sichuan Silence Information Technology and the University of Electronic Science and Technology.
Sophos planted surveillance code on its own devices used by the hackers, allowing it to monitor their development of sophisticated intrusion tools, including previously unseen "bootkit" malware designed to hide in the firewalls' boot code. The hackers' campaigns evolved from mass exploitation in 2020 to precise attacks on government agencies and infrastructure across Asia, Europe and the United States. Wired story adds: Sophos' report also warns, however, that in the most recent phase of its long-running conflict with the Chinese hackers, they appear more than ever before to have shifted from finding new vulnerabilities in firewalls to exploiting outdated, years-old installations of its products that are no longer receiving updates. That means, company CEO Joe Levy writes in an accompanying document, that device owners need to get rid of unsupported "end-of-life" devices, and security vendors need to be clear with customers about the end-of-life dates of those machines to avoid letting them become unpatched points of entry onto their network. Sophos says it's seen more than a thousand end-of-life devices targeted in just the past 18 months.
"The only problem now isn't the zero-day vulnerability," says Levy, using the term "zero-day" to mean a newly discovered hackable flaw in software that has no patch. "The problem is the 365-day vulnerability, or the 1,500-day vulnerability, where you've got devices that are on the internet that have lapsed into a state of neglect."
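The "365-day" and "1,500-day" vulnerability Levy describes is, in practice, an inventory problem: a device nobody counted as unsupported keeps sitting on the edge. The following is an added example, not code from Sophos or the Wired article, of an audit that turns a device inventory plus a vendor lifecycle table into a worst-first list of what to replace. Every model name, firmware version, end-of-life date and device in it is constructed for illustration; a real audit would load the vendor's published lifecycle data and the organisation's own asset list. It also flags the case the article warns vendors about, a model with no published end-of-life date, since an owner cannot act on a date they were never given.

```python
"""Audit a device inventory for end-of-life network appliances (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed lifecycle table: model -> (end-of-support date or None, last supported
# firmware line). Every model, date and version here is invented for the example;
# a real audit loads the vendor's published lifecycle data instead.
EOL_TABLE = {
    "FW-100": (date(2020, 6, 30), "17.5"),
    "FW-200": (date(2022, 12, 31), "18.5"),
    "FW-300": (None, "19.0"),            # vendor has not published an end-of-life date
    "FW-400": (date(2026, 1, 31), "20.0"),
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class Device:
    name: str
    model: str
    firmware: str
    internet_facing: bool


@dataclass
class Finding:
    name: str
    severity: str
    reason: str
    days_past_eol: Optional[int] = None   # None when no end-of-life date applies


def version_tuple(v: str) -> tuple:
    """Turn '18.5' into (18, 5) so firmware lines compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def assess(dev: Device, today: date) -> Optional[Finding]:
    """Return a Finding for a device that needs attention, or None if it is fine."""
    entry = EOL_TABLE.get(dev.model)
    if entry is None:
        # Unknown model: support status cannot be determined, which is itself a finding.
        return Finding(dev.name, "medium", "model missing from lifecycle table; support status unknown")
    eol, last_fw = entry
    if eol is None:
        return Finding(dev.name, "medium", "vendor has published no end-of-life date")
    if eol <= today:
        # Past end of life: no patch is coming, so the only fix is replacement.
        days = (today - eol).days
        severity = "critical" if dev.internet_facing else "high"
        return Finding(dev.name, severity, f"unsupported for {days} days; replace, do not patch", days)
    if version_tuple(dev.firmware) < version_tuple(last_fw):
        # Still supported but behind: a patch exists, so this is ordinary patch lag.
        return Finding(dev.name, "medium", f"supported but on {dev.firmware}; latest line is {last_fw}")
    return None


def audit(devices, today: date) -> list:
    """Assess every device and order findings worst-first (severity, then days past EOL)."""
    findings = [f for f in (assess(d, today) for d in devices) if f is not None]
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], -(f.days_past_eol or 0)))
    return findings


# Constructed inventory for the example (names, models and exposure are invented).
INVENTORY = [
    Device("edge-fw-1", "FW-100", "17.5", internet_facing=True),
    Device("lab-fw-2", "FW-200", "18.5", internet_facing=False),
    Device("dmz-fw-3", "FW-400", "19.2", internet_facing=True),
    Device("hq-fw-4", "FW-400", "20.0", internet_facing=True),
    Device("old-fw-5", "FW-300", "19.0", internet_facing=True),
    Device("mystery-6", "FW-999", "1.0", internet_facing=False),
]

if __name__ == "__main__":
    for f in audit(INVENTORY, date(2024, 10, 31)):
        print(f"{f.severity:8} {f.name:12} {f.reason}")
```

Run against the constructed inventory as of 2024-10-31, the internet-facing FW-100 comes out first at roughly 1,584 days past end of life, the internal FW-200 second at 670 days, and the fully patched FW-400 produces no finding at all. The ordering is the point: an unsupported edge device outranks any amount of ordinary patch lag, because patch lag has a fix and an end-of-life box does not.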
Re:Yeah, we believe you (Score:5)
I do not think the CIA could make an ongoing attack believably look like it's from China if China cracked down on domestic platforms this hypothetical CIA was using.
IP Spoofing only gets you so far in terms of faking an attack's origin.
That is to say: if it was the CIA, China would still arguably be complicit by failing to act on abusive services within the country.
Our media loves kicking up a storm of, let's call them "dubious", claims about China any chance they can get but the evidence outlined in this article is hard to fake.
unsupported "end-of-life" devices? (Score:3, Insightful)
Re: (Score:2)
Because who doesn't want their firewall to suddenly go down in the middle of the night because it's reached EOL. What a fantastic concept.
Re: (Score:2)
You're running a nuclear fuel factory or something and you have the choice between an unpatchable firewall with known vulnerabilities or no Internet connection. Hm....
Of course, there's a third option. Don't buy expensive "appliances" from companies that don't support them.
State of neglect (Score:2)
Kind of ironic that Sophos talks about devices in a state of neglect, when their firewall product is still running on a 4.14 linux kernel.
Re: (Score:2)
Not trying to defend Sophos, but if it is a custom OS with all mitigations in place...
Re: (Score:3)
Doesn't matter how old the software is, matters how maintained it is. If they properly maintain it then it's fine. If not, then it's not fine.
Interesting quote (Score:4, Insightful)
Doesn't the company's ability to do that represent a security hole? It means that their devices must include the capability for remote access that is invisible to the end user.
Re: (Score:2)
"Updates". If that capability surprises you, you must have found a very nice rock to live under.
Re:Interesting quote (Score:5, Informative)