Inside a Firewall Vendor's 5-Year War With the Chinese Hackers Hijacking Its Devices (wired.com)
- Reference: 0175372911
- News link: https://it.slashdot.org/story/24/11/01/088213/inside-a-firewall-vendors-5-year-war-with-the-chinese-hackers-hijacking-its-devices
- Source link: https://www.wired.com/story/sophos-chengdu-china-five-year-hacker-war/
Sophos [1]planted surveillance code on its own devices used by the hackers, allowing it to monitor their development of sophisticated intrusion tools, including previously unseen "bootkit" malware designed to hide in the firewalls' boot code. The hackers' campaigns evolved from mass exploitation in 2020 to precise attacks on government agencies and infrastructure across Asia, Europe and the United States. Wired story adds:
> Sophos' report also warns, however, that in the most recent phase of its long-running conflict with the Chinese hackers, they appear more than ever before to have shifted from finding new vulnerabilities in firewalls to exploiting outdated, years-old installations of its products that are no longer receiving updates. That means, company CEO Joe Levy writes in an accompanying document, that device owners need to get rid of unsupported "end-of-life" devices, and security vendors need to be clear with customers about the end-of-life dates of those machines to avoid letting them become unpatched points of entry onto their network. Sophos says it's seen more than a thousand end-of-life devices targeted in just the past 18 months.
>
> "The only problem now isn't the zero-day vulnerability," says Levy, using the term "zero-day" to mean a newly discovered hackable flaw in software that has no patch. "The problem is the 365-day vulnerability, or the 1,500-day vulnerability, where you've got devices that are on the internet that have lapsed into a state of neglect."
[1] https://www.wired.com/story/sophos-chengdu-china-five-year-hacker-war/
unsupported "end-of-life" devices? (Score:3, Insightful)
Seems like a firewall is not the sort of device that should just be unsupported by the manufacturer. Maybe they should build them to self destruct (auto-wipe) when no longer supported and the owner should be give a rebate for a supported product. Blame seems inappropriate here.
Re: (Score:2)
Wow, you make planned obsolescence sound like a good thing!
Re: (Score:2)
Because who doesn't want their firewall to suddenly go down in the middle of the night because it's reached EOL. What a fantastic concept.
Re: (Score:1)
I was assuming the owner of the product would have been sufficiently warned in advance their device was going off-line. Maybe the manufacturer could use the Microsoft EOL nagging method as a model. A firewall that is not supported and known to be vulnerable is not the answer and going down in the middle of the night would secure the network better than the vulnerable device.
Re: (Score:2)
You're running a nuclear fuel factory or something and you have the choice between an unpatchable firewall with known vulnerabilities or no Internet connection. Hm....
Of course, there's a third option. Don't buy expensive "appliances" from companies that don't support them.
State of neglect (Score:2)
Kind of ironic that Sophos talks about devices in a state of neglect, when their firewall product is still running on a 4.14 linux kernel.
Re: (Score:2)
not trying to defend sophos, but if it is custom os with all mitigations in place...
Interesting quote (Score:4, Insightful)
From the article, " The company went as far as discreetly installing its own “implants” on the Chinese hackers' Sophos devices to monitor and preempt their attempts at exploiting its firewalls."
Doesn't the company's ability to do that represent a security hole? It means that their devices must include the capability for remote access that is invisible to the end user.
Re: (Score:2)
"Updates". If that capability surprises you, you must have found a very nice rock to live under.
Re:Interesting quote (Score:4, Informative)
Any firmware update is a potential security hole, so in that sense yes. Presumably the hackers would be wanting to run the latest firmware on their test hardware to test their exploit code against the latest, so they would leave auto updates on... then the update servers can just send different firmware to known suspect ip address ranges.
Re:Yeah, we believe you (Score:5)
I do not think the CIA could make an ongoing attack believably look like it's from China if China cracked down on domestic platforms this hypothetical CIA was using.
IP Spoofing only gets you so far in terms of faking an attack's origin.
That is to say: if it was the CIA, China would still arguably be complicit by failing to act on abusive services within the country.
Our media loves kicking up a storm of, let's call them "dubious", claims about China any chance they can get but the evidence outlined in this article is hard to fake.
Re: (Score:2)
It's pretty damned easy to trace where packets are coming from. And yes, a lot of malicious traffic does come from China. Anyone can fake the source address of their packets, but that only establishes one-way traffic from the faked address. (TCP/IP connections begin with a three-way handshake). One-way traffic is good enough for a DOS attack, but not very useful for interactive hacking on a device.