Inside a Firewall Vendor's 5-Year War With the Chinese Hackers Hijacking Its Devices (wired.com) 33
British cybersecurity firm Sophos revealed this week that it waged a five-year battle against Chinese hackers who repeatedly targeted its firewall products to breach organizations worldwide, including nuclear facilities, military sites and critical infrastructure. The company told Wired that it traced the attacks to researchers in Chengdu, China, linked to Sichuan Silence Information Technology and the University of Electronic Science and Technology.
Sophos planted surveillance code on its own devices used by the hackers, allowing it to monitor their development of sophisticated intrusion tools, including previously unseen "bootkit" malware designed to hide in the firewalls' boot code. The hackers' campaigns evolved from mass exploitation in 2020 to precise attacks on government agencies and infrastructure across Asia, Europe and the United States. Wired story adds: Sophos' report also warns, however, that in the most recent phase of its long-running conflict with the Chinese hackers, they appear more than ever before to have shifted from finding new vulnerabilities in firewalls to exploiting outdated, years-old installations of its products that are no longer receiving updates. That means, company CEO Joe Levy writes in an accompanying document, that device owners need to get rid of unsupported "end-of-life" devices, and security vendors need to be clear with customers about the end-of-life dates of those machines to avoid letting them become unpatched points of entry onto their network. Sophos says it's seen more than a thousand end-of-life devices targeted in just the past 18 months.
"The only problem now isn't the zero-day vulnerability," says Levy, using the term "zero-day" to mean a newly discovered hackable flaw in software that has no patch. "The problem is the 365-day vulnerability, or the 1,500-day vulnerability, where you've got devices that are on the internet that have lapsed into a state of neglect."
Sophos planted surveillance code on its own devices used by the hackers, allowing it to monitor their development of sophisticated intrusion tools, including previously unseen "bootkit" malware designed to hide in the firewalls' boot code. The hackers' campaigns evolved from mass exploitation in 2020 to precise attacks on government agencies and infrastructure across Asia, Europe and the United States. Wired story adds: Sophos' report also warns, however, that in the most recent phase of its long-running conflict with the Chinese hackers, they appear more than ever before to have shifted from finding new vulnerabilities in firewalls to exploiting outdated, years-old installations of its products that are no longer receiving updates. That means, company CEO Joe Levy writes in an accompanying document, that device owners need to get rid of unsupported "end-of-life" devices, and security vendors need to be clear with customers about the end-of-life dates of those machines to avoid letting them become unpatched points of entry onto their network. Sophos says it's seen more than a thousand end-of-life devices targeted in just the past 18 months.
"The only problem now isn't the zero-day vulnerability," says Levy, using the term "zero-day" to mean a newly discovered hackable flaw in software that has no patch. "The problem is the 365-day vulnerability, or the 1,500-day vulnerability, where you've got devices that are on the internet that have lapsed into a state of neglect."
Yeah, we believe you (Score:1, Troll)
Like the CIA can't make it look like it's from China...
Re:Yeah, we believe you (Score:5, Insightful)
I do not think the CIA could make an ongoing attack believably look like it's from China if China cracked down on domestic platforms this hypothetical CIA was using.
IP Spoofing only gets you so far in terms of faking an attack's origin.
That is to say: if it was the CIA, China would still arguably be complicit by failing to act on abusive services within the country.
Our media loves kicking up a storm of, let's call them "dubious", claims about China any chance they can get but the evidence outlined in this article is hard to fake.
Re: (Score:3, Insightful)
Begs the question (Score:1)
Where's the push to build a much simpler scaled down embedded system OS and firmware build for security?
The issue may be that these devices are running a boot firmware and OS that provides hundreds (thousands?) of unused features/system APIs which are all complexity and security hole possibilities.
This would be a drastically smaller OS with a lot less API calls than Linux has today.
unsupported "end-of-life" devices? (Score:1, Insightful)
Re: (Score:2)
Re: (Score:2, Informative)
Re: (Score:2)
Planned obsolescence for your washing machine is dumb. Planned obsolescence for an enterprise network edge device is not dumb. Don't be afraid of a little nuance.
And deliberate obsolescence is absolutely brilliant for profit margin!
Re: (Score:2)
It is also dumb, because not all enterprise devices are used in enterprises. Many people run their home networks off used enterprise level gear (it's often just as cheap as the latest home consumer crap, but way more reliable). Not everyone wants equipment that needs rebooting every coupe of weeks just to get the packets flowing again. (I recently switched from an old Cisco switch to a newer one. The o
Re: (Score:2)
Re: (Score:2)
Because who doesn't want their firewall to suddenly go down in the middle of the night because it's reached EOL. What a fantastic concept.
Re: (Score:3, Interesting)
Re: (Score:2)
You're running a nuclear fuel factory or something and you have the choice between an unpatchable firewall with known vulnerabilities or no Internet connection. Hm....
Of course, there's a third option. Don't buy expensive "appliances" from companies that don't support them.
Re: (Score:2)
I'd say it depends on what is agreed on beforehand. Both states suck, either a firewall running unpatched, or a firewall rendered inoperative because of that.
The solution, after the firewall goes EOL, open source everything. This way, at least either the client, or someone can maintain the older devices so they have some semblance of use.
However, in some cases security is critical over functionality, but, IMHO, part of the agreement might be having the service and update plan also covers replacement equip
State of neglect (Score:3)
Kind of ironic that Sophos talks about devices in a state of neglect, when their firewall product is still running on a 4.14 linux kernel.
Re: (Score:2)
not trying to defend sophos, but if it is custom os with all mitigations in place...
Re: (Score:3)
Doesn't matter how old the software is, matters how maintained it is. It they properly maintain it then it's fine. If not, then it's not fine.
Re: (Score:2)
You do realize that the 4.14 kernel has been officially EOL since January...
Interesting quote (Score:4, Insightful)
Doesn't the company's ability to do that represent a security hole? It means that their devices must include the capability for remote access that is invisible to the end user.
Re: (Score:2)
"Updates". If that capability surprises you, you must have found a very nice rock to live under.
Re: (Score:2)
It seems like a good motivation for using only open-source firmware that is compiled locally.
Re:Interesting quote (Score:5, Informative)
The Fiendish Plot of Dr. Fu Manchu (Score:2)
Why do we need one?
“Inside the counter-offensive tactics, techniques, and procedures used to neutralize China-based threats”
--
Insert anti-commie cyber BS
Certain? (Score:2)
why don't they just hack the NSA (Score:2)
Translation (Score:2)
Customers need to get rid of our badly-made products and buy our new products, that were made by the same half-arsed quality-assurance team.
Mandatory security updates after EOL (Score:2)
That means, company CEO Joe Levy writes in an accompanying document, that device owners need to get rid of unsupported "end-of-life" devices
Or perhaps legislator should pass a law forcing vendors to sell security updates after EOL. Note that I wrote "sell": this is a very moderate proposal.
Hmmm, that's one shitty take on it (Score:2)