Sophos vs. State-Sponsored Hacks (EP 794)
Sophos is expanding well beyond its firewall with tools and services aimed at state-sponsored threats and ransomware. Ryan Gebauer shares insights from Sophos' five-year Pacific Rim investigation into state-sponsored attacks on edge devices, highlighting proactive measures like patching, immutable backups, and managed detection and response. With the SFOS version 21 firewall release and the integration of SecureWorks' tools, Sophos is helping businesses strengthen their defenses against evolving threats.
Cybersecurity is a constant battle, and this episode brings you up to speed on the latest developments from Sophos. Uncle Marv welcomes Ryan Gebauer to discuss how Sophos is tackling state-sponsored attacks and ransomware with innovative solutions like AI-powered threat detection and end-to-end cybersecurity tools.
Key highlights include:
- Ransomware Realities: Why paying the ransom often leads to higher recovery costs and doesn't guarantee data restoration, and why a recovery-first mindset (immutable backups, ransomware detection) is essential for businesses.
- Pacific Rim Threats: Insights from Sophos’ five-year study on state-sponsored cyberattacks targeting edge devices like firewalls—and how hackers have evolved their tactics over time.
- Sophos Firewall Updates: SFOS version 21 adds third-party threat feed integration, so indicators pulled from a feed such as GreyNoise are blocked on the firewall as the feed updates.
- SecureWorks Acquisition: How this move strengthens Sophos' portfolio with the Taegis XDR platform, identity and vulnerability detection and response, and a SIEM for customers with compliance needs.
- Actionable Tips: From patching legacy systems to educating clients about phishing risks, Ryan shares practical advice for IT professionals to stay ahead of cyber threats.
Whether you’re an MSP or a business owner, this episode delivers invaluable insights into protecting your digital assets in an increasingly hostile environment.
=== SPONSORS
- Premier Partner, NetAlly: https://www.itbusinesspodcast.com/netally/
- Internet Provider, Rythmz: https://www.itbusinesspodcast.com/rythmz
- Production Gear Partner, Liongard: https://www.itbusinesspodcast.com/liongard
- Travel Partner: Bvoip: https://www.itbusinesspodcast.com/bvoip
- Travel Partner: TruGrid: https://www.itbusinesspodcast.com/trugrid
- Digital Partner, Designer Ready: http://itbusinesspodcast.com/designerready
=== MUSIC LICENSE CERTIFICATE
- Item Title: Upbeat & Fun Sports Rock Logo
- Item URL: https://elements.envato.com/upbeat-fun-sports-rock-logo-CSR3UET
- Item ID: CSR3UET
- Author Username: AlexanderRufire
- Licensee: Marvin Bee
- Registered Project Name: IT Business Podcast
- License Date: January 1st, 2024
- Item License Code: 7X9F52DNML
=== Show Information
- Website: https://www.itbusinesspodcast.com/
- Host: Marvin Bee
- Uncle Marv’s Amazon Store: https://amzn.to/3EiyKoZ
- Become a monthly supporter: https://ko-fi.com/itbusinesspodcast
[Uncle Marv]
Hello friends, Uncle Marv here with a very special edition of the IT Business Podcast. Today's newscast is going to focus on some news that I've just recently come across coming out of the world of Sophos. And if you are an old friend of the show and you saw the Sophos logo up there, you're probably thinking, hmm, did Marv partner with Sophos and leave SonicWall?
No, I did not. I am still with SonicWall, but we have a lot of good vendors in the space and Sophos is doing some great things. I've tried to get them on the show before but finally was able to get them here.
We're going to talk about all the great things that are doing. But first, let's get to that article that I told you about. And just this morning, there was an article put out on TechRadar.
I'll have a link for you in the show notes. And it basically reads, why paying the ransom is not always the answer. And as many of you know, ransomware is targeting all different types of sources.
Unfortunately, the numbers are getting more and more staggering. Apparently now, 94% of ransomware attacks are targeting backups and 57% of those succeed. Many businesses think that paying the ransom will solve their problems quickly, but the kicker is recovery costs can be up to 10 times higher than the ransom itself.
And we all know, paying the ransom doesn't guarantee that your data will be restored. And in a lot of cases, it could be corrupted or actually deleted completely. So of course, as managed service providers, IT solution providers, we need to know that the real solution is a recovery first mindset, investing in immutable backups, ransomware detection mechanisms, and a whole bunch of other stuff.
We'll get to that. I also want to mention that a couple of days ago, an article came out that also mentioned Sophos: Return of PJobRAT.
It is an Android-based remote access Trojan. It had apparently been thought to be dormant for six years, and it has now resurfaced, and resurfaced with a vengeance. It disguises itself as a legitimate instant messaging app like SangaalLite or CChat, which are distributed via WordPress sites instead of app stores.
And the new variant is more dangerous than its 2019 predecessor. It can run shell commands, steal sensitive data, including WhatsApp chats, and potentially use these infected devices to launch attacks on other systems. Now, while this particular campaign has been shut down, it ran for nearly two years, proving that attackers are playing the long game, that living-off-the-land mentality.
So for MSPs, this is a reminder to educate clients about sideloading apps and to reinforce mobile device management policies. So a lot of this has really become known to us due to a recent report released by Sophos. They have been doing a five-year study, and we're going to talk about that.
And to help me do that, I am bringing on a senior channel sales engineer from Sophos, Ryan Gebauer, and he joins me now to the show. Ryan, welcome to the IT business podcast.
[Ryan Gebauer]
Thank you for having me.
[Uncle Marv]
All right. So for most of our listeners out there, they know Sophos mainly as a firewall product, but you guys have been doing so much more over the years. So why don't we start first with letting our listeners know all the other things that Sophos has been doing?
[Ryan Gebauer]
Yeah, absolutely. So Sophos has been around for 40 years. One of the longest-tenured companies in the industry.
And we do firewalls, like you said, Marv, but we also have an entire end-to-end cybersecurity portfolio, everything from endpoint and server protection to firewall, wireless products, email protection, and managed detection and response services, which is really where our bread and butter is in the industry. Because as we all know, you have to have those threat analysts protecting your environment 24/7. And if you don't have your own security operations center with a team of folks dedicated to cybersecurity, you need somebody doing that work for you.
So we do have the tool set for you to do it yourselves, or if you need somebody to manage it for you, we also offer that as well, which is really our focus in the industry: allowing companies of all sizes to best protect themselves from the threats out there.
[Uncle Marv]
All right. Let us also talk about some of the things I know that for those that are using the firewalls, you guys recently came out with a new firmware release or added some security features in version 21 of your firewall software. I know briefly from reading it's enhanced security features and integration of third-party threat feeds.
I don't know what that means.
[Ryan Gebauer]
Yeah, no problem. So our Sophos firewall uses an operating system called SFOS, the Sophos Firewall Operating System. And we're on version 21, which was our most recent major release.
And it came out with a bunch of really exciting features. Third-party threat feeds is one of those. So you may have those customers that come to you with a requirement to subscribe to third-party threat intelligence sources, like GreyNoise, for example.
If you want to check that out, you can absolutely go to GreyNoise's website and see what they're about. But what they do is they monitor threat activity in the wild, and we are able to take their intelligence and incorporate it into our firewall.
So anything that that site deems as malicious, it will automatically block on the firewall.
[Uncle Marv]
So that's a real-time update that's happening.
[Ryan Gebauer]
That's right.
[Uncle Marv]
Okay. Is that kind of an AI-based thing as well?
[Ryan Gebauer]
Yeah, what it does is it's tied to the firewall using a URL and an authentication technique. So if you were to go to GreyNoise, it'll tell you how to incorporate it. So it'll give you a URL, for example, and it'll tell you how to authenticate to their site.
And it's really just a, you know, two-line communication between the threat intelligence site and the firewall where it monitors that activity.
[Uncle Marv]
Interesting. Is that similar to the RBL lists that, I mean, people still use them, but I don't think we use them as much? But basically you just throw a tagline in there, and whatever gets updated on the RBL list gets updated in the firewall.
So something similar to that?
[Ryan Gebauer]
Yeah, something similar to that.
[Uncle Marv]
Okay. All right. You guys have also recently done some acquisitions, one of which was called SecureWorks. And what did they bring to the table for you?
[Ryan Gebauer]
Yeah, SecureWorks was a major announcement for us. And if you don't know SecureWorks, they used to be owned by Dell, but they have a very big presence in the enterprise space. And they have a very developed XDR tool set, not unlike our own, but they call theirs Taegis.
And they also bring a lot of functionality and features to the table, where they are offering things like identity detection and response and vulnerability detection and response, which is going to augment our offerings as well, because we do have vulnerability management services, where it's monthly scans to proactively detect anything within your network across your internet-facing devices. And so that's going to augment that capability as well. And the other major component of SecureWorks is they offer a true SIEM solution, something that Sophos lacked for compliance needs, for those customers that need to meet that compliance or that checkbox, if you will.
So that'll be something that we are going to be able to offer in the future. But we're very new in our journey of combining our portfolios right now. So as we reach new milestones, we'll definitely update the community.
But yeah, as of right now, the acquisition just closed, and now it's on to the next phase of our incorporation of the SecureWorks portfolio.
[Uncle Marv]
All right. Sounds great. And I’m for doing anything and everything we can to protect our perimeter for our clients.
Not everything can be done in the cloud. At least in my opinion, we still need some firewalls local, especially for devices that we can't put agents on and things of that nature. So great.
Let's turn our attention to this big report you guys have done. I went and got it. It's only nine pages, but I'm sure that was a summary of the full report.
And apparently this has been a five-year effort that started in 2018, where Sophos has basically been studying cyber attacks. Now I'm assuming, because it says Pacific Rim, that, of course, China is the big name that most people are going to think about. But you've been studying those.
And let's start with what some of the most surprising things are that came out of that.
[Ryan Gebauer]
Yeah. So a little bit of history on Pacific Rim. Like you said, Marv, it was a five-year campaign that started in 2018 that we've been tracking.
So our Sophos X-Ops team has been looking at multiple state-sponsored Chinese-based groups that have been actively exploiting vulnerabilities on edge devices like firewalls, right? Not just Sophos, but any edge device. And what these groups are doing is they're using really highly sophisticated techniques to target these edge devices and then gain initial access and control in networks.
Now, how threat actors have adapted and elevated their abilities has been pretty amazing. I think the most surprising thing that came out of those reports is the fact that it was happening in waves. So in 2018, they were able to, you know, the first instance of what we saw was when they took over a digital signage display PC, which is always something that's on a shelf that everybody forgets about protecting, right?
So they got in that way.
[Uncle Marv]
You mean something like this on my shelf?
[Ryan Gebauer]
Yeah, yeah, yeah. You got it. And then they started pivoting, right?
And at first, in the first wave of attacks, they were noisy, okay? So they weren't really trying to hide themselves, and that included malware doing connections back to command and control servers, that type of thing.
And then, when we uncovered and stopped those connections, they were able to pivot and do stealthier attacks by setting up operational relay boxes, which is a fancy way of saying that they were hiding where they were truly coming from, right? So they were able to mask their IPs and that type of thing. So I think the most surprising thing is really how it was seemingly activity that was rudimentary, but then when we stopped it, they upped their game, right?
So we knew we were dealing with something a lot more than just amateur hour, right? It was something more intelligent. That's what kind of led us down the road of this has to be a state-sponsored group, right?
But what was really interesting is that, after we were able to get a foothold on them, our whole goal was to try to stay ahead of them, right? So what we did was we uncovered the devices they were actually using that were hidden in the firewall, and we were able to install a kernel on their devices and obfuscate it, so they didn't know that we were there.
So we were able to spy on them. And then we saw them developing their next phase of firmware or malware and planning their next phase of attacks. And we were able to patch our firewalls before they launched it.
But we had to do it in a way, because they were watching us, right? We had to do it in a way where we weren't showing our hand. We wanted to make sure that we were still able to covertly spy on what they were doing, but also take what we were seeing of what they were developing and then make sure that we created patches and hotfixes to stop what they were about to do.
So it was a really tricky situation, but that was probably the most interesting thing that came out of that.
[Uncle Marv]
So that kind of reminds me of all those movies and TV shows where, you know, the feds are watching, you know, the mobsters, the mobsters know the feds are watching, but yet, you know, both are, are trying to play that cat and mouse game. Now was a lot of this based on just simply being able to monitor the traffic going in and out of the firewalls or did you have to go beyond that?
[Ryan Gebauer]
Yeah. So we had to go beyond that, because what they were doing is they were hiding. I'm a big analogy guy, so what they were doing was they were kind of putting themselves in sheep's clothing, right?
They were hiding their activity in HTTPS traffic that was able to traverse the firewall. They were doing this with various techniques, but they were hiding what they were doing inside trusted traffic. So they were able to get in there, and then they were able to backdoor into their command and control environment.
So that's basically how they were doing it. But it was just really interesting in the fact that we didn't pick up on it, because that's exactly what a firewall is supposed to do. It's supposed to be able to detect that type of activity, but they did it in such a way that we haven't seen before.
But once we got a hold on that, we were able to find out what they were doing.
[Uncle Marv]
Right. Now, what I kind of gather from the report, you mentioned that you guys started in 2018 and understood the first strike and stuff. In 2020, the mass exploitation begins, which the year of our COVID made it super easy to start doing stuff in that year.
And then in 2022, everything became stealth. So was it as clean as it sounds, where, you know, in 2020 everything goes wild and it takes a couple of years to kind of reel it in because of the fact that we were all doing remote stuff? And, you know, you probably didn't have the operations center fully staffed, or things of that nature.
[Ryan Gebauer]
Yeah. Keep in mind, in 2020 there was a big remote work-from-home movement, which means what? Everybody's standing up a VPN, right, to get remote access into their environments. So the threat actors were really able to start taking advantage of that type of thing.
Taking advantage of vulnerabilities in VPNs, and, you know, customers weren't really worried about locking down their VPN policies as much as they were worried about making sure that their business stayed open by allowing people to still work, because they couldn't go into an office.
[Uncle Marv]
Right.
[Ryan Gebauer]
So yes. And then, beyond that, a couple of years later, we were able to get a hold on what they were doing. But it really just lends itself to the fact that, while you are worried about making sure that your doors stay open, you also have to keep in mind that you have to have best practices for locking down and hardening all aspects of your organization, security-wise.
Because if you don't, it's going to get exploited for sure.
[Uncle Marv]
Right. So this just tells me that this living off the land mentality that they do, we really have to pay attention to that. So outside of, you know, looking at the report, adding the tools and stuff, what are some things that, you know, we can tell IT professionals to do to, you know, first of all, notice when things are there?
Yeah. And then how to defend against those?
[Ryan Gebauer]
Yeah, I think, first of all, it's crucial to have a process in place to keep your firewall, and quite frankly all of your assets, up to date, right? I mean, from virtual machines in the cloud to software-as-a-service platforms, right?
It's a shared responsibility model. If you're in the cloud, it's not just the cloud's responsibility to protect you, right? You want to make sure that you're up to date on patching and device hardening, and you want to keep your hardware on a vendor-supported platform, because what we've learned from the Pacific Rim reports is that when we started figuring out what they were doing and locking down and coming up with hotfixes to prevent things that they hadn't even released yet, then they started going after legacy platforms. And there are a lot of customers out there that don't want to spend the money on updating their hardware, because it is expensive, and we all get it, we're trying to protect our bottom line. But the fact is, if you have outdated hardware in your environment that's not being patched, or there are no hotfixes being released for it, it is a prime opportunity for those types of threat actors to get into your environment that way, because it's just not being supported by Sophos or SonicWall or anybody else.
Now, beyond having a supported platform, it's most important to have somebody monitoring your environment. So whether you have a security operations center, like I said before, or you're paying for managed detection and response services, you have to have somebody dedicated to cybersecurity 24/7, whether they're in your organization or whether you're paying for a service to watch your environment, because if you're sleeping, I can guarantee you the threat actors are not, right?
[Uncle Marv]
Now, I mentioned that the report that I got was nine pages, is there a more robust full report that is available?
[Ryan Gebauer]
So there are other reports that are available. So you may have read the one, what was it titled? "What's it mean to you?"
Like "Pacific Rim: What's it mean to you?" I think that's the main report that's out there.
Yes, there are other reports if you really want to geek out like me, and you want to get down to the nitty-gritty and see exactly what we uncovered from a threat actor standpoint, specifically what vulnerabilities they took advantage of and how we patched them and what we did. There are reports out there that really get in the weeds on this.
But yeah, the report you read was really more of the high level of what happened.
[Uncle Marv]
All right, I'll put a link to the one that I had. And we'll find some other links to get to the more robust, geeky reports there. So just real quick, the takeaways that I took from the report are the ones you mentioned already: regularly audit your clients' edge devices, educate end users about phishing risks, partner with vendors who prioritize secure-by-design principles, which you guys are doing with that layered approach, being able to look at internal devices as well.
But I mean, from this report, is there really one big takeaway that listeners should note?
[Ryan Gebauer]
Yeah, I think the biggest takeaway is that, you know, you just got to have a plan. Threat actors are opportunistic in their approach, okay? They're going to find a way in.
There's no silver bullet out there, right? There's no silver bullet that's going to stop every attack. The best thing we can do is just make sure that we are paying attention to everything we need to do.
When a vendor releases a hotfix, make sure you employ it right away. Don't wait, because sometimes there are vulnerabilities out there that are still a threat and a risk to customers because it's two months or two years later and they haven't patched it, okay? And that's just an accident waiting to happen.
So I think the one takeaway is just making sure you have a solid plan as far as patching and updating, and then that's the best thing we can do. And the only thing that we can hope for is that we are doing more good things on our side to protect ourselves than the bad guys are doing out there to take advantage of us.
[Uncle Marv]
All right. So there you have it, folks. A look at what Sophos is doing to help fight against the nation-state actors out there.
Ryan, thank you for coming and spending some time with me.
[Ryan Gebauer]
Yeah, it was a pleasure.
[Uncle Marv]
We'll have to get you guys back more so I can find out more about the actual firewalls and maybe do a SonicWall versus Sophos bake-off or something.
[Ryan Gebauer]
Absolutely. I'm happy to return anytime.
[Uncle Marv]
All right. Well, folks, there you have it. Ryan Gebauer, Senior Channel Sales Engineer with Sophos.
As we know, the battle against cyber threats is far from over, and Sophos X-Ops continues its investigations. So that five-year study, Ryan, I can't imagine that they're just done and have reported it. Are they doing a new one, or are they just continuing it?
[Ryan Gebauer]
It's an ongoing battle, right? It's a cat and mouse game, like you said before. So the fight continues, right?
So we're just always trying to stay one step ahead, which is all we can do by providing a comprehensive portfolio of security services end-to-end that you can manage effectively and easily. Artificial intelligence is playing a huge role in this, where we're making it easier to incorporate natural language for threat analysts to search in the XDR toolset for telemetry and finding suspicious activity out there. So artificial intelligence is going to play a really important role as we move forward in our product and services.
It currently plays a huge role right now as far as detecting zero-day threats, things that we've never seen before. So leveraging the technology, all we can hope for, like I said, is just to stay one step ahead, and I think we're doing pretty well right now.
[Uncle Marv]
All right. Well, thank you, sir, for all that you do. Thanks, Sophos, for doing this and hopefully learning from reports like the Pacific Rim report, we can strengthen our defense and stay one step ahead of the bad actors.
So that's going to do it for today's episode, folks. Thank you for tuning in. Be sure to check back for more from the IT Business Podcast.
We'll see you next time, and until then, holla!
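The third-party threat feed integration Ryan describes earlier in the episode (the firewall pulls a list from the provider's URL using an authentication token, then blocks anything on that list) can be sketched in a few dozen lines. The following is an added example written for these show notes; it is not Sophos, SFOS or GreyNoise code. The plain-text feed format, the bearer-token header, the key=value log format and the sample feed and log records are all assumptions constructed here so the script runs offline.

```python
"""Added example (not SFOS or GreyNoise code): pull a plain-text IP threat
feed over HTTPS and match firewall connection records against it.
The feed format, the Authorization header and the log format are assumptions."""
import ipaddress
import re
import urllib.request
from typing import Iterable, List, Tuple

# Constructed sample feed (not real GreyNoise data). One IP or CIDR per line;
# '#' comments and blank lines are ignored. A malformed entry is included on
# purpose: one bad line must not abort the whole refresh.
SAMPLE_FEED = """\
# constructed indicator list, refreshed on a schedule
203.0.113.7
198.51.100.0/24
not-an-ip
2001:db8::/32
"""

# Constructed firewall connection records in an assumed syslog-like style.
SAMPLE_LOGS = [
    "2025-03-01T10:00:01Z fw1 conn src=192.0.2.10 dst=203.0.113.7 dport=443 action=allow",
    "2025-03-01T10:00:02Z fw1 conn src=198.51.100.42 dst=192.0.2.5 dport=22 action=allow",
    "2025-03-01T10:00:03Z fw1 conn src=192.0.2.11 dst=192.0.2.20 dport=443 action=allow",
    "2025-03-01T10:00:04Z fw1 conn src=2001:db8::1 dst=192.0.2.5 dport=443 action=allow",
    "2025-03-01T10:00:05Z fw1 heartbeat ok",
]


def fetch_feed(url: str, api_key: str, timeout: int = 10) -> str:
    """Download the feed text. The bearer-token header is an assumption;
    use whatever authentication the feed provider actually documents."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def parse_feed(text: str) -> list:
    """Turn feed text into ip_network objects. A bare address becomes a /32
    or /128; strict=False tolerates host bits set inside a CIDR entry."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # skip junk rather than failing the whole refresh
    return nets


def is_listed(ip: str, nets: Iterable) -> bool:
    """True if the address falls inside any network on the feed."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets if net.version == addr.version)


# Assumed record layout: "src=<ip> dst=<ip>" somewhere on the line.
LOG_RE = re.compile(r"\bsrc=(?P<src>[0-9A-Fa-f.:]+)\s+dst=(?P<dst>[0-9A-Fa-f.:]+)")


def triage(log_lines: Iterable[str], nets: Iterable) -> List[Tuple[str, str]]:
    """Return (direction, address) for each record touching a listed address.
    A listed source is an inbound hit (scan or probe); a listed destination is
    an outbound hit, which is the command-and-control callback case."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a connection record
        if is_listed(m.group("src"), nets):
            hits.append(("inbound", m.group("src")))
        elif is_listed(m.group("dst"), nets):
            hits.append(("outbound", m.group("dst")))
    return hits


if __name__ == "__main__":
    # In production: feed_nets = parse_feed(fetch_feed(feed_url, api_key))
    feed_nets = parse_feed(SAMPLE_FEED)
    for direction, address in triage(SAMPLE_LOGS, feed_nets):
        print(f"{direction:8} {address}")
```

Two caveats a practitioner would add before wiring a feed straight into a block action: a feed entry that is a whole /24 can take out legitimate hosts sharing that range, so log-and-alert first and promote to block once the false-positive rate is known; and a feed that fails to refresh (expired token, provider outage) silently leaves the firewall enforcing stale indicators, so the refresh job should record the last successful fetch time and alert when it ages out.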

Ryan Gebauer
Sales Engineer
I am a Channel Sales Engineer at Sophos, a global leader in cybersecurity solutions. I have over 17 years of experience in presale technical enablement and post-sales support, customer service, and account management in the IT industry. I hold certifications with Sophos, VMware, Veeam and IBM.
My core competencies include delivering white glove services and full IT end-to-end solutions for our clients, from consulting and designing to procuring and managing datacenter enterprise equipment and Sophos cybersecurity solutions. I also collaborate with team members to provide presale deliverables such as quotes, contracts, and purchase orders. I am dependable, adaptable, detail-oriented, and I strive to exceed client expectations and achieve business goals in a fast-changing field.