Sophos has deployed several proprietary implants to counter increasingly sophisticated Chinese state-sponsored threat operations that have targeted zero-day vulnerabilities in its firewalls since 2018, according to SecurityWeek.
Active exploitation of such flaws escalated sharply beginning in early 2020. Sophos researchers reported that a targeted implant placed on Chinese attacker-controlled devices revealed the use of a previously unknown remote code execution exploit. "Whereas previous exploits required chaining with privilege escalation techniques manipulating database values (a risky and noisy operation, which aided detection), this exploit left minimal traces and provided direct access to root," said Sophos. Further efforts by Sophos also contributed to the disruption of the Chinese threat actor TStark, which primarily targeted critical infrastructure, healthcare, and government entities across the Asia-Pacific region, and to a collaboration with the Dutch National Cyber Security Centre in seizing servers used by the malicious actors. The campaign has also prompted the endpoint detection and response vendor to develop "telemetry proof-of-value" tools aimed at strengthening its threat monitoring.