InfoSecBulletin Cybersecurity for mankind
On 10Th December, 2024 The US Department of Justice said in a press release that a Chinese-born man named Guang Tianpeng was indicted on charges for hacking attempt about 81,000 firewalls worldwide in 2020. The country announced a $10 million reward for information leading to his arrest on Tuesday.
Guan and his co-conspirators, employed by Sichuan Silence Information Technology Co. Ltd., targeted a previously unknown vulnerability (“0-day” vulnerability) in certain firewalls sold by U.K.-based Sophos Ltd. (Sophos) – an information technology company that develops and markets cybersecurity products.
B1ack’s Stash Releases 1 Million Credit Cards on a Deep Web Forum
Cisco Confirms
Salt Typhoon Exploited CVE-2018-0171 to Target U.S. Telecom Networks
AWS Key Hunter
Test this free automated tool to hunt for exposed AWS secrets
Check Point Flaw Used to Deploy ShadowPad and Ransomware
CVE-2024-12284
Citrix Issues Security Update for NetScaler Console
CISA and FBI ALERT
Ghost ransomware to breach organizations in 70 countries
Hacker chains multiple vulns to attack Palo Alto Firewall
150 Gov.t Portal affected
Black-Hat SEO Poisoning Indian “.gov.in, .ac.in” domain
CVE-2018-19410 Exposes 600 PRTG Instances in Bangladesh
Builder claims Rs 150 cr for data loss; AWS faces FIR In Bengaluru
The U.S. Department of State has announced rewards of up to $10 million for information leading to the identification or location of Guan or anyone engaged in malicious cyber activities against U.S. infrastructure under foreign control. Additionally, the U.S. Department of the Treasury has imposed sanctions on Sichuan Silence and Guan.
In 2020, Guan and his associates allegedly targeted 0-day vulnerability (CVE 2020-12271) in around 81,000 Sophos firewalls globally, including in Indiana. The malware was designed to steal information from the firewalls and was disguised using domains resembling Sophos. Sophos detected the breach and quickly patched the vulnerability within two days. In response, the attackers modified their malware to deploy ransomware if victims tried to remove it. Although their encryption efforts failed, it highlighted their disregard for potential harm.
In October, Sophos published a series of articles detailing its “Pacific Rim” investigation, which tracked PRC-based advanced persistent threat groups targeting its network appliances for over five years, it described as “unusually knowledgeable about the internal architecture of the device firmware. One of the attacks in the report involved CVE-2020-12271. Following Sophos’ revelations, the FBI called for information on intrusions into Sophos edge devices and continues to seek details on PRC-sponsored cyberattacks targeting network security appliances.
And ultimately The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is sanctioning the Chinese cybersecurity company Sichuan Silence Information Technology and its employee, Guan Tianfeng, for their involvement in the April 2020.
Special Agent in Charge Herbert J. Stapleton of the FBI Indianapolis Field Office said, “If Sophos had not rapidly identified the vulnerability and deployed a comprehensive response, the damage could have been far more severe. Sophos’s efforts combined with the dedication and expertise of our cyber squad formed a powerful partnership resulting in the mitigation of this threat.”
In the whole incident, Sophos plays a crucial role as a cybersecurity firm in both preventing widespread damage and responding effectively to the exploitation of a vulnerability.
Here’s a breakdown of Sophos’s role in this cyber attack:
Discovery of the Vulnerability and Response:
Sophos swiftly identified the 0-day vulnerability (CVE-2020-12271) in its firewall devices. The company’s rapid detection and response within two days were crucial in minimizing the attack’s impact. Sophos quickly deployed updates to secure its customers’ systems and prevent further exploitation, avoiding a more severe global impact on organizations.
Collaboration with Law Enforcement:
Sophos effectively collaborated with law enforcement, especially the FBI, to combat cyber threats. The FBI and other agencies commended Sophos for its technical expertise and support in stopping cybercriminals and safeguarding affected networks. This partnership highlights Sophos’s strong reputation in cybersecurity. Their involvement helped prevent further damage and enabled authorities to collect evidence for the indictment of the cybercriminals.
Proactive Threat Intelligence:
Sophos, in its “Pacific Rim” report, detailed its proactive approach to cybersecurity. The company has been monitoring and detecting threats from Chinese advanced persistent threat (APT) groups that have targeted its devices for years. Sophos’s research and threat tracking strengthen its position as a vital cybersecurity provider, keeping the community informed about potential risks.
Protection of Critical Infrastructure:
Sophos played a crucial role in protecting critical infrastructure, including U.S. government and private sector networks. The attack aimed at vital network security devices, which, if breached, could have weakened global cybersecurity efforts. Sophos acted quickly to secure infected firewalls to stop the malware from spreading and preventing potential data theft or system shutdowns.
Reputation and Expertise:
The case demonstrates that Sophos is more than a cybersecurity provider; it is an expert in detecting and responding to complex cyber threats. Their quick and skilled response showcases the importance of strong cybersecurity solutions in protecting against evolving risks.
Sophos was crucial in detecting the security breach, responding swiftly to limit damage, and working with law enforcement to hold the culprits accountable. Their actions helped protect affected organizations and individuals, preserving trust in their cybersecurity products.
