US accuses Chinese hacker of exploiting zero-day in 81,000 Sophos firewalls

December 11, 2024 | Ravie Lakshmanan | Vulnerability / Data Breach

The US government on Tuesday revealed charges against a Chinese national for allegedly hacking thousands of Sophos firewalls around the world in 2020.

Guan Tianfeng (aka gbigmao and gxiaomao), who allegedly worked at Sichuan Silence Information Technology Company, Limited, was charged with conspiracy to commit computer fraud and conspiracy to commit wire fraud. Guan was accused of developing and testing a zero-day security vulnerability used to carry out attacks against Sophos firewalls.

“Guan Tianfeng is wanted for his alleged role in plotting to gain unauthorized access to and damage Sophos firewalls and to harvest and exfiltrate data from both the firewalls themselves and the computers behind these firewalls,” the US Federal Bureau of Investigation (FBI) said. “The exploit was used to infiltrate approximately 81,000 firewalls.”

The zero-day vulnerability in question is CVE-2020-12271 (CVSS score: 9.8), a critical SQL injection flaw that could be exploited by a malicious actor to achieve remote code execution on susceptible Sophos firewalls.

In a series of reports published in late October 2024 under the name Pacific Rim, Sophos revealed that in April 2020 it received a “very helpful and suspicious” bug bounty report about the flaw from researchers associated with Sichuan Silence's Double Helix Research Institute, a day after which the flaw was exploited in real-world attacks to steal sensitive data, including usernames and passwords, using the Asnarök trojan.

This happened a second time in March 2022, when the company received another report from an anonymous researcher based in China detailing two separate flaws: CVE-2022-1040 (CVSS score: 9.8), a critical authentication bypass in Sophos firewalls that allows a remote attacker to execute arbitrary code, and CVE-2022-1292 (CVSS score: 9.8), a command injection bug in OpenSSL. In-the-wild exploitation of CVE-2022-1040 has been given the nickname Personal Panda.

“Guan and his co-conspirators designed this malware to steal information from firewalls,” the US Department of Justice (DoJ) said. “To further conceal their activity, Guan and his co-conspirators registered and used domains designed to appear as if they were controlled by Sophos, such as sophosfirewallupdate[.]com.”
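The vendor-lookalike domain the DoJ describes is something defenders can hunt for in their own DNS telemetry. The following is an added example, not code from the article, Sophos or the DoJ: it parses a few constructed DNS query log lines (a hypothetical `timestamp source query TYPE name` format), treats `sophos.com` as the assumed vendor-owned domain, and flags any queried name that embeds the brand string without belonging to that domain. The log format, the allowlist and the sample lines are all assumptions for the example.

```python
import re

# Brand strings whose presence in a non-vendor domain is suspicious.
# Hypothetical watchlist for this example; build a real one from your vendor inventory.
WATCHED_BRANDS = ("sophos",)

# Domains the vendor is assumed to control. Assumed allowlist for this example;
# in practice confirm the list against the vendor's published infrastructure.
VENDOR_DOMAINS = {"sophos.com"}

# Constructed sample DNS query log lines (not from the article or any real capture).
SAMPLE_LOG = """\
2024-12-10T09:14:02Z fw01 query A update.sophos.com
2024-12-10T09:14:05Z fw01 query A sophosfirewallupdate.com
2024-12-10T09:15:11Z host22 query A sophos-update.net
2024-12-10T09:15:40Z host22 query TXT sophos.login-portal.test
2024-12-10T09:16:40Z host07 query A example.org
"""

# Hypothetical log format: <timestamp> <source> query <qtype> <qname>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)


def normalize(qname: str) -> str:
    """Lower-case, strip a trailing dot and undo the common '[.]' defanging."""
    return qname.replace("[.]", ".").lower().rstrip(".")


def is_vendor_owned(name: str) -> bool:
    """True if the name is, or is a subdomain of, an allowlisted vendor domain."""
    return any(name == d or name.endswith("." + d) for d in VENDOR_DOMAINS)


def is_lookalike(qname: str) -> bool:
    """Flag names that carry a watched brand string but are not vendor-owned.

    Checking the whole name (not just the registrable part) also catches the
    brand placed in a subdomain label, e.g. sophos.<attacker-domain>.
    """
    name = normalize(qname)
    if is_vendor_owned(name):
        return False
    return any(brand in name for brand in WATCHED_BRANDS)


def scan(log_text: str) -> list[tuple[str, str]]:
    """Return (source, qname) pairs for every parsable line that looks like a lookalike."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        if is_lookalike(m["qname"]):
            hits.append((m["src"], normalize(m["qname"])))
    return hits


if __name__ == "__main__":
    for src, name in scan(SAMPLE_LOG):
        print(f"lookalike query from {src}: {name}")
```

A substring match is deliberately broad: it produces candidate hits for an analyst, not verdicts, and a production version would add public-suffix handling and a larger allowlist rather than tighten the match.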

The threat actors then modified their malware as Sophos began adopting countermeasures, deploying a variant of the Ragnarok ransomware in the event that victims attempted to remove the malware's artifacts from infected Windows systems. Those efforts failed, the DoJ said.

Along with the indictment, the US Treasury Department's Office of Foreign Assets Control (OFAC) imposed sanctions against Sichuan Silence and Guan, saying many of the victims were US critical infrastructure companies.

Sichuan Silence has been assessed as a Chengdu-based government cybersecurity contractor that offers its services to Chinese intelligence agencies, equipping them with capabilities for network exploitation, email monitoring, brute-force password cracking and suppression of public opinion. It is also believed to provide customers with equipment designed to probe and exploit target network routers.

In December 2021, Meta said it removed 524 Facebook accounts, 20 pages, four groups, and 86 Instagram accounts associated with Sichuan Silence that targeted English-speaking and Chinese audiences with misinformation related to COVID-19.

“More than 23,000 of the compromised firewalls were located in the United States. Of these firewalls, 36 protected the systems of U.S. critical infrastructure companies,” the Treasury said. “If any of these victims had failed to patch their systems to mitigate the exploit, or if cybersecurity measures had not promptly identified and remediated the intrusion, the potential impact of the Ragnarok ransomware attack could have resulted in serious injury or loss of life.”

Separately, the State Department announced rewards of up to $10 million for information on Sichuan Silence, Guan or other individuals who may participate in cyberattacks against U.S. critical infrastructure entities at the direction of a foreign government.

“The scale and persistence of Chinese nation-state adversaries pose a significant threat to critical infrastructure, as well as unsuspecting everyday businesses,” said Ross McKerchar, chief information security officer at Sophos, in a statement shared with The Hacker News.

“Their unwavering resolve redefines what it means to be an advanced persistent threat; disrupting this change requires individual and collective action across the industry, including with law enforcement. We can't expect these groups to slow down if we don't put the time and effort into surpassing them in innovation, and that includes early transparency about vulnerabilities and a commitment to developing stronger software.”


Source: https://thehackernews.com/2024/12/us-charges-chinese-hacker-for.html