Tons of great Sophos research is dropping today, which I’ll link in the thread. China goes brrr.

I want to give them particular credit for directly talking about the cyber industry elephants in the room, both in the research and during media interviews,

e.g. insecurity in appliances, need for industry change, monitoring threat actors through telemetry etc etc.

It’s really refreshing as they’re talking about what is *actually happening* - not all vendors do this.

https://www.wired.com/story/sophos-chengdu-china-five-year-hacker-war/

Inside Sophos' 5-Year War With the Chinese Hackers Hijacking Its Devices

Sophos went so far as to plant surveillance “implants” on its own devices to catch the hackers at work—and in doing so, revealed a glimpse into China's R&D pipeline of intrusion techniques.

First one https://news.sophos.com/en-us/2024/10/31/pacific-rim-timeline/

“Pacific Rim timeline: Information for defenders from a braid of interlocking attack campaigns”

The threat actor calls themselves Tstark (lol) and has an SSH backdoor called libgoat.

Sophos X-Ops unveils five-year investigation tracking China-based groups targeting perimeter devices

Next up https://news.sophos.com/en-us/2024/10/31/pacific-rim-neutralizing-china-based-threat/

“Pacific Rim: Inside the Counter-Offensive—The TTPs Used to Neutralize China-Based Threats”

Lots in there again, but the big one for me: the threat actor started blocking appliance telemetry and breaking the update process. They also developed patch bypasses.


Another https://news.sophos.com/en-us/2024/10/31/digital-detritus-the-engine-of-pacific-rim-and-a-call-to-the-industry-for-action/

“Digital Detritus: The engine of Pacific Rim and a call to the industry for action”

Contains lots of bangers from a wider theme.

Decades of obsolete and unpatched hardware and software endanger us all

I’ve worked for two telcos now, and one thing I’ll say: China goes brrrr…. a LOT.

If you sell security products to countries of interest to China (e.g. large populations of Uyghurs, Tibetan nationals, etc.), you should not be running Apache as root on appliances, you should be monitoring telemetry, and your customers (and their customers) are in danger from highly determined threat actors.

The security industry needs to mature and to do that it needs to talk about it and make better products.
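The "don't run Apache as root" point above is easy to check on a box you own. The script below is an added example, not code from the thread or from Sophos: it takes a process list in the shape `ps -eo user,comm --no-headers` produces and flags any web-server daemon that has only root-owned processes (the master/worker split, where a root parent forks unprivileged workers, is normal and is not flagged). The set of daemon names and the sample process list are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example: flag web servers whose request-handling processes run as root.
# Assumed input format: one process per line, "USER COMMAND",
# as produced by `ps -eo user,comm --no-headers`.

# Constructed sample process list (not captured from any real appliance).
SAMPLE_PS='root apache2
www-data apache2
root nginx
nginx nginx
root sshd
root httpd
root lighttpd'

# Web-server command names to inspect (assumed list; extend for your platform).
WEB_DAEMONS='apache2|httpd|nginx|lighttpd'

# Print, one per line, each web-server daemon that has root-owned processes
# and no unprivileged ones, i.e. the workers themselves are root.
find_root_only_webservers() {
    printf '%s\n' "$1" | awk -v pat="^(${WEB_DAEMONS})$" '
        $2 ~ pat {
            seen[$2] = 1
            if ($1 != "root") nonroot[$2] = 1
        }
        END {
            for (c in seen)
                if (!(c in nonroot)) print c
        }' | sort
}

# Exit 0 when every web server has at least one non-root worker, 1 otherwise.
check_webserver_privileges() {
    [ -z "$(find_root_only_webservers "$1")" ]
}

# Stand-alone use: inspect the running system (sample used if ps is unavailable).
if [ "${1:-}" = "--live" ]; then
    PS_OUT="$(ps -eo user,comm --no-headers 2>/dev/null || printf '%s\n' "$SAMPLE_PS")"
    find_root_only_webservers "$PS_OUT"
fi
```

In the constructed sample, apache2 and nginx pass because they have unprivileged workers alongside the root parent, while httpd and lighttpd are reported because every instance is root. Run with `--live` to inspect the current host; the check ignores non-web daemons such as sshd entirely.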

@GossiTheDog I'm sure it's not just China; it's everyone else as well.

@GossiTheDog

I don't know if you heard, but the Canadian government said that India has started ramping up its hacking of Canadians, along with misinformation. Reported by CBC News.

@GossiTheDog This was fascinating. How common is this in the industry, where attackers use bug bounty to burn their vulns after their objectives are met?

"On one occasion, for instance, the exact vulnerability used in a hacking campaign was reported to Sophos by a researcher with a Chinese IP address just after it was first used in an exploitation campaign—Sophos paid the researcher $20,000 for their findings."

@d0pp3l6ang3r @GossiTheDog I had never heard of this happening before.