Guan, a security researcher, discovered a zero-day vulnerability in a firewall product developed by UK-based security firm Sophos. He exploited the weakness, designated CVE-2020-12271, using a SQL injection attack that retrieved a script from a malicious server and executed it remotely. Guan and his co-conspirators had registered legitimate-looking server domains, such as sophosfirewallupdate.com.
The script, part of the malicious Asnarök Trojan toolkit, was initially designed to steal data such as usernames and passwords from firewalls and the computers behind them and send it to Chinese IP addresses. If the victim tried to restart the device, Ragnarok ransomware would automatically install, disable antivirus software and encrypt every Windows device on the network.
However, within two days of the attack, Sophos deployed a patch to the affected firewalls that did not require a restart and removed all malicious scripts. After discovering the Sophos mitigation, Guan modified the malware to install the ransomware, but the patch prevented it from working.
According to the now-unsealed indictment against Guan, he and his co-conspirators saw information about the Sophos patch on the company’s website in May 2020 and tested the latest version of the exploit a few days later.
The Treasury sanctioned both Sichuan Silence and Guan Tianfeng, meaning all of their US-based assets will be blocked, and organizations and individuals will be prohibited from engaging in transactions involving funds, goods or services with them.
“Today’s action underscores our commitment to uncovering these malicious cyber activities — many of which pose a significant threat to our communities and our citizens — and holding the actors behind them to account for their schemes,” Bradley T. Smith, Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence, said in a press release.
Rewards of up to $10 million are available for information about Guan or other state-sponsored cyberattacks. Guan is believed to live in China’s Sichuan Province, although he may also travel to Bangkok, Thailand.
Tens of thousands of firewalls used by critical infrastructure companies were compromised.
Between April 22 and 25, 2020, approximately 81,000 Sophos XG firewalls used by companies worldwide were compromised. More than 23,000 of these firewalls were used by US organizations, and 36 were used for critical infrastructure.
Compromising critical infrastructure — such as utilities, transportation, telecommunications, and data centers — can cause widespread disruption, making it a prime target for cyberattacks. A recent report by Malwarebytes found that the services industry was the most affected by ransomware, accounting for about a quarter of global attacks.
One victim was a US energy company that was actively drilling for oil when the Sichuan Silence ransomware was deployed. The Treasury Department’s Office of Foreign Assets Control says human lives could have been lost had the oil rigs been damaged as a result of the attack.
Who is Sichuan Silence?
Sichuan Silence is a cybersecurity contractor based primarily in Chengdu that has been hired by Chinese intelligence services. China has denied hacking allegations raised by the US in the past, but it has been consistently linked to cyber attacks in the US.
This month, the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency identified threat actors associated with China who had “compromised networks at multiple telecommunications companies.”
According to the Treasury, Sichuan Silence provides clients with tools and services to hack into networks, monitor emails, brute-force passwords and exploit network routers. The organization’s website also states that it has products that can scan overseas networks for intelligence information.
A pre-positioning device – a tool that installs malicious code into a target network to set up a future cyber attack – used by Guan in April 2020 was found at Sichuan Silence. Guan also competed in cybersecurity tournaments on behalf of his company and posted zero-day exploits he discovered on forums using the handle “GbigMao”.
In November 2021, Meta reported dismantling a coordinated disinformation campaign linked to Sichuan Silence that falsely claimed the US was interfering with the World Health Organization’s investigation into COVID-19. The disinformation was spread by hundreds of fake Facebook and Instagram accounts and was disseminated by Chinese state media and government-linked organizations.
“The scale and persistence of Chinese nation-state adversaries poses a significant threat to critical infrastructure as well as to unsuspecting, everyday business, as described in Sophos’ Pacific Rim investigative report,” Ross McKercher, CISO at Sophos, told TechRepublic.
“Their relentless commitment redefines what it means to be an advanced persistent threat; disrupting this transformation calls for individual and collective action across the industry, including with law enforcement agencies.”
“We can’t expect these groups to slow down if we don’t invest time and effort in modernizing them, and that includes early transparency about vulnerabilities and a commitment to building robust software.”
Attacks on infrastructure are on the rise.
Attacks on critical infrastructure are growing in frequency. In late 2023, the FBI revealed a massive botnet created by the Chinese hacking group Volt Typhoon that had compromised hundreds of privately owned routers in the US and its overseas territories.
The threat actors have targeted and compromised the IT environments of US communications, energy, transportation, and water infrastructure. Volt Typhoon has carried out hundreds of attacks on critical infrastructure since becoming active in mid-2021.
Other notable attacks on critical infrastructure in recent years include the 2021 Colonial Pipeline incident. The company — responsible for 45 percent of East Coast fuel, including gasoline, heating oil, and other petroleum products — discovered it had been hit by a ransomware attack and was forced to shut down some of its systems, temporarily halting all pipeline operations.
Sandworm and affiliates of the Black Bag ransomware-as-a-service operation have also targeted critical infrastructure around the world. Both groups have links to Russia.
In May, CISA and several international cyber authorities warned of pro-Russian hacktivist attacks targeting operational technology (OT) providers, whose products are often used in critical industries. The advisory highlighted “sustained malicious cyber activity” against water, energy, food and agriculture businesses between 2022 and April 2024.
In addition to facing strict uptime requirements, OT organizations managing critical infrastructure are known to rely on legacy devices, as replacing technology while maintaining normal operations is difficult and expensive. This makes them both accessible targets and likely to pay a ransom, since being shut down would have serious consequences.