U.S. Accuses Chinese National of Hacking 81,000 Sophos Firewalls Using Zero-Day Exploit
December 11, 2024
On Tuesday, the U.S. government unveiled charges against a Chinese individual named Guan Tianfeng, also known as gbigmao and gxiaomao. Guan is alleged to have breached thousands of Sophos firewall devices globally in 2020. He was reportedly employed by Sichuan Silence Information Technology Company, Limited. The charges against him include conspiracy to commit computer fraud and conspiracy to commit wire fraud. Guan is accused of creating and testing a zero-day security vulnerability that was utilized in the attacks on Sophos firewalls.
The U.S. Federal Bureau of Investigation (FBI) stated, "Guan Tianfeng is wanted for his alleged role in conspiring to access Sophos firewalls without authorization, cause damage to them, and retrieve and exfiltrate data from both the firewalls themselves and the computers behind these firewalls." The FBI noted that the exploit was used to infiltrate approximately 81,000 firewalls.
The zero-day vulnerability involved in the attack is CVE-2020-12271, a severe SQL injection flaw in Sophos firewalls that a malicious actor could exploit to execute remote code. In late October 2024, Sophos disclosed that it had received a bug bounty report about the flaw in April 2020 from researchers linked to Sichuan Silence's Double Helix Research Institute. The flaw was exploited in real-world attacks to steal sensitive data, including usernames and passwords, using the Asnarök trojan.
In March 2022, Sophos received another report from an anonymous researcher based in China detailing two separate flaws: CVE-2022-1040, a critical authentication bypass flaw in Sophos firewalls that allows a remote attacker to execute arbitrary code, and CVE-2022-1292, a command injection bug in OpenSSL. The exploitation of CVE-2022-1040 in the wild has been given the codename Personal Panda.
The U.S. Department of Justice (DoJ) stated, "Guan and his co-conspirators designed the malware to steal information from firewalls." They also registered and used domains that appeared to be controlled by Sophos to better hide their activity. When Sophos began to implement countermeasures, the threat actors modified their malware, deploying a Ragnarok ransomware variant if victims attempted to remove the artifacts from infected Windows systems. However, these efforts were unsuccessful, according to the DoJ.
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has imposed sanctions against Sichuan Silence and Guan, stating that many of the victims were U.S. critical infrastructure companies. Sichuan Silence is believed to be a Chengdu-based government cybersecurity contractor that provides services to Chinese intelligence agencies, including network exploitation, email monitoring, brute-force password cracking, and public sentiment suppression. Sichuan Silence is also said to provide clients with equipment designed to probe and exploit target network routers.
In December 2021, Meta announced that it had removed 524 Facebook accounts, 20 Pages, four Groups, and 86 accounts on Instagram associated with Sichuan Silence that targeted English- and Chinese-speaking audiences with COVID-19 related disinformation. The U.S. Treasury noted that more than 23,000 of the compromised firewalls were in the United States, with 36 protecting systems of U.S. critical infrastructure companies. The Treasury warned of the potential impact of the Ragnarok ransomware attack, stating that it could have resulted in serious injury or the loss of human life if the victims had not patched their systems or if cybersecurity measures had not quickly remedied the intrusion.
The Department of State has announced rewards of up to $10 million for information about Sichuan Silence, Guan, or other individuals who may be participating in cyber attacks against U.S. critical infrastructure entities under the direction of a foreign government. Ross McKerchar, chief information security officer at Sophos, stated, "The scale and persistence of Chinese nation-state adversaries poses a significant threat to critical infrastructure, as well as unsuspecting, everyday businesses. Their relentless determination redefines what it means to be an Advanced Persistent Threat; disrupting this shift demands individual and collective action across the industry, including with law enforcement. We can't expect these groups to slow down, if we don't put the time and effort into out-innovating them, and this includes early transparency about vulnerabilities and a commitment to develop stronger software."