The Pacific Rim cyberattack saga, detailed in a series of blog posts by Sophos in October 2024, offers a sobering reminder for enterprises: everyone is a target. No enterprise is too small or uninteresting to fall into the attack path of nation-state threat actors.
Widely used firewalls and other network infrastructure devices have proven to be valuable stepping stones for China-sponsored adversaries as part of broader campaigns to gain access and persist in a wide range of government and private organizations. The Pacific Rim campaign adds another instance to the growing list of threat actors using UEFI implants to attempt to quietly compromise and maintain persistence in undermonitored network infrastructure.
Almost certainly, Sophos is not the only vendor being targeted using similar tactics, techniques, and procedures. As we noted in our prior post about the Pacific Rim campaign, other potential vendor targets are F5, Palo Alto Networks, Ivanti, Fortinet, Cisco, Dell, Juniper, SonicWall, and Barracuda because many of these appliances are commodity hardware based on x86 systems with UEFI firmware.
Organizations with Sophos firewalls should increase their monitoring and scrutiny of their Sophos equipment and other network infrastructure for vulnerabilities and indicators of compromise (IoCs).
Eclypsium Detects Pacific Rim IOCs and Discovers Vulnerable Devices
- Discover vulnerable systems: Eclypsium can discover whether Sophos equipment in an environment is running firmware that is vulnerable to CVE-2022-3236, a Remote Code Execution (RCE) vulnerability that was exploited in the Pacific Rim campaign.
- Detect IOCs: Additionally, Eclypsium offers detections for many IOCs related to tactics and techniques used in the Pacific Rim campaign.
- Verify device and firmware integrity: Eclypsium can check whether firmware has been tampered with or altered to allow attackers to evade detection and achieve persistence.
Eclypsium detections of Pacific Rim IoCs and TTPs include:
- Presence of the Linux/Winnti-T malware
- Presence of the Asnarök malware used to establish a backdoor in Sophos XG firewalls
- Presence of accounts associated with Sophos’ India-based subsidiary Cyberoam, which were compromised as part of the Pacific Rim campaign
- Indicators of the use of Covert Channels
- Indicators of the remote code execution (RCE) vulnerability designated CVE-2022-3236
- Many more…
Cyberattacks that target network infrastructure, and specifically security solutions such as firewalls, are increasingly common. Enterprise network infrastructure offers an appealing target to attackers seeking to maintain stealthy persistence during a campaign, as such infrastructure is not as closely monitored as other enterprise assets such as Windows and Linux workstations.
Detections related to the Pacific Rim campaign are underpinned by Eclypsium’s unique visibility into the firmware and other undermonitored components present in many enterprise network appliances. Eclypsium’s detection of these tactics is due to our ability to observe and detect dozens of IOCs, including ASNs, domains, usernames, file names, hashes, IP addresses, domain registrars, and more. Eclypsium customers can contact their account executive for a deeper dive into these capabilities.
Further Reading:
- TAG Cyber Report: Why Supply Chain Security Demands a Focus on Hardware
- Pacific Rim: Chronicling a 5-year Hacking Escapade
- Sophos: Pacific Rim Timeline: Information for defenders from a braid of interlocking attack campaigns
- The Rise of Chinese APT Campaigns: Volt Typhoon, Salt Typhoon, Flax Typhoon, and Velvet Ant
