Sophos Battled Chinese State-Sponsored Hacking Campaigns for Five Years

Zero-click bug in Synology devices allowed backdoor access, FBI says get rid of remember-me cookies, Iran's Emennet Pasargad accused of Olympics hacking, Ex-employee hacked Disney World restaurant menus, US adversaries target minority populations, Phishing campaign promotes fake products, much more

Image by David Yu from Pixabay

Editorial update: Regarding yesterday's lead item on Metacurity, after initially denying that its tracking tool was wiped out by a cyberattack on one of its vendors, DHL admitted that an incident had occurred. A DHL spokesperson told Metacurity, "DHL Supply Chain UK is aware of a downtime incident impacting a third-party supplier which we use. We can confirm this incident has not affected DHL-owned systems. However, as a precaution we have implemented appropriate safeguarding measures. We are working to resolve the situation and have implemented contingencies to ensure that service levels are maintained for those customers who may be potentially impacted."

Yesterday's Metacurity newsletter was updated twice to reflect these developments.


Sponsor Message

Armed with a complete view of your organization’s software assets, Anchore allows you to find and prevent malicious content from reaching your users. Anchore’s end-to-end, SBOM-powered software supply chain security management platform protects you and your customers at every step, from SBOM monitoring to policy enforcement to remediation. Anchore integrates at every stage of the software development process, from source code to build to runtime. Every package, every library, every version is cataloged and stored. This enables organizations to find out where content is, where it came from, and how it changed.

Are you interested in sponsoring Metacurity? Email info [at] Metacurity.com with the subject line "Sponsorship."


In a series of reports it calls "Pacific Rim," the UK cybersecurity firm Sophos details how, for five years, it engaged in a cat-and-mouse game with one loosely connected team of Chinese adversaries who targeted its firewalls.

The company tracked down and monitored the specific devices on which the hackers were testing their intrusion techniques, surveilled the hackers at work, and ultimately traced that focused, years-long exploitation effort to a single network of vulnerability researchers in Chengdu, China.

While installing its implants on the devices, Sophos identified a series of hacking campaigns that had started with indiscriminate mass exploitation of its products. Eventually, they became more stealthy and targeted, hitting nuclear energy suppliers and regulators, military targets including a military hospital, telecoms, government and intelligence agencies, and the airport of one national capital. While most of the targets Sophos declined to identify in greater detail were in South and Southeast Asia, a smaller number were in Europe, the Middle East, and the United States.

Sophos' report ties those multiple hacking campaigns, with varying levels of confidence, to Chinese state-sponsored hacking groups, including those known as APT41, APT31, and Volt Typhoon, the latter of which is a particularly aggressive team that has sought the ability to disrupt critical infrastructure in the US, including power grids.

However, the company says the common thread throughout those efforts to hack Sophos' devices is not one of those previously identified hacker groups but a broader network of researchers that appears to have developed hacking techniques and supplied them to the Chinese government.

Sophos' analysts tie that exploit development to an academic institute and a contractor around Chengdu: Sichuan Silence Information Technology, a firm previously tied by Meta to Chinese state-run disinformation efforts, and the University of Electronic Science and Technology of China. (Andy Greenberg / Wired)

Related: Bleeping Computer, Sophos News, The Stack, Sophos News, SecurityWeek, InfoRiskToday.com, Help Net Security, Tech Radar, Infosecurity Magazine, Dark Reading

The bug, CVE-2024-10443, would allow attackers to gain access to the devices to steal personal and corporate files, plant a backdoor, or infect the systems with ransomware to prevent users from accessing their data.

The SynologyPhotos application package is preinstalled and enabled by default on Synology’s BeeStation storage devices. Still, it is also a popular application downloaded by users of its DiskStation storage systems, which allows users to augment their storage capacity with removable components.

Several ransomware groups have targeted network-attached storage devices made by Synology and others in recent years, going back to at least 2019. Earlier this year, users of Synology’s DiskStation system specifically reported being hit with ransomware.

De Jager and colleagues Carlo Meijer, Wouter Bokslag, and Jos Wetzels scanned internet-connected devices. They uncovered hundreds of thousands of Synology NASes connected online, vulnerable to the attack. The researchers say, however, that millions of other devices are potentially vulnerable and accessible to the attack.

They and the Pwn2Own organizers notified Synology about the vulnerability last week. (Kim Zetter / Wired)

Related: Midnight Blue, Synology

RISK:STATION Coordinated Vulnerability Disclosure. Source: Midnight Blue.

The FBI's Atlanta Division warned that cybercriminals are stealing cookies from people's computers to access their email accounts.

A "remember-me" cookie stores a user's login information and usually lasts for about 30 days before it expires, the FBI said. This is the type of cookie the FBI says online hackers are targeting, because it lets them bypass multi-factor authentication and gain access to people's email accounts.

Many victims unknowingly give their cookies to hackers while visiting shady websites or clicking on phishing links that load malicious software onto personal computers.

The FBI is advising people to regularly remove cookies from their Internet browsers, avoid suspicious links or websites, and only visit websites that use HTTPS secure connections.

People also should monitor their recent device login history by using their account histories to spot unusual activity. (Mike Heuer / UPI)

Related: FBI, Forbes

Remember me cookie. Source: FBI

The US Department of Treasury and Israel National Cyber Directorate joined the FBI in publishing an advisory this week about the operations of Emennet Pasargad, a well-known Iranian cyber operation previously implicated in hacking attempts targeting Israel and the 2020 US presidential election and now accused of attempting to take over display boards to denounce Israel at the 2024 Summer Olympics.

The group has been using a company named Aria Sepehr Ayandehsazan (ASA) as cover for operations that researchers have tagged under various names, including “Cotton Sandstorm” and “Haywire Kitten.”

“The group exhibited new tradecraft in its efforts to conduct cyber-enabled information operations into mid-2024 using a myriad of cover personas, including multiple cyber operations that occurred during and targeting the 2024 Summer Olympics – including the compromise of a French commercial dynamic display provider,” the advisory said.

The advisory said ASA has also attempted to harvest content from IP cameras, which are commonly used to take surveillance videos, and used online artificial intelligence tools.

“Since 2023, the group has exhibited new tradecraft including the use of fictitious hosting resellers to provision operational server infrastructure to its own actors as well as to an actor in Lebanon involved in website hosting.”

According to the FBI, the hackers used various tools to take over the unnamed French commercial dynamic display provider in July 2024. Their goal was to “display photo montages denouncing the participation of Israeli athletes in the 2024 Olympic and Paralympic Games.” (Jonathan Greig / The Record)

Related: IC3.gov

Iranian camera content obtained by ASA. Source: FBI.

According to a federal criminal complaint, Michael Scheuer, a disgruntled former Disney employee, allegedly repeatedly hacked into a third-party menu creation software used by Walt Disney World’s restaurants and changed allergy information on menus to say that foods that had peanuts in them were safe for people with allergies, added profanity to menus, and at one point changed all fonts used on menus to Wingdings.

The complaint alleges that Scheuer broke into a proprietary menu creation and inventory system developed by a third-party company exclusively for Disney, which is used to print menus for its restaurants. He did this soon after being fired by Disney using passwords that he still had access to on several different systems. Once inside the systems, he allegedly altered menus and, in one case, broke the software for several weeks.

According to the complaint, Disney contracted a company (listed as “Company B”) to build a “Menu Creator” software that is proprietary only to Disney and is used for food inventory management, menu creation, printing, and pricing. The complaint alleges that Scheuer repeatedly “manipulated the menus” to change prices and add profanity but also “made several menu changes that threatened public health and safety” by changing peanut allergy information.

It alleges that he initially used login credentials from his time at Disney, then later broke into Company B’s FTP servers using separate logins after Disney reset login passwords to the Menu Creator program.

Employees at Disney initially became aware of the intrusion because all of the fonts in the menu creator program were changed to Wingdings. (Jason Koebler / 404 Media)

Related: Court Watch, Court Listener, USA Today, CBS News, NBC News, CNN, Orlando Sentinel, The Register, WFTV, Florida Politics

A diagram of the alleged intrusions. Source: Criminal complaint.

According to US intelligence officials and disinformation researchers, US adversaries have targeted Spanish-language speakers and other minority groups in efforts to influence the presidential election, seeking to fan internal social divisions and elevate their favored candidate through disinformation and propaganda.

Aided by artificial intelligence, Iran has created websites that pose as legitimate local news sources to target both Muslim and Black populations in the US, including in swing states, experts said. However, the sites appear to attract minimal readers. In a far more significant effort, Russia has invested heavily in overt and covert efforts to create Spanish-language content, which officials and experts said have grown considerably since Moscow sought to influence the last two presidential elections. 

Moscow favors Trump, while Tehran prefers Harris to win, according to U.S. intelligence agencies. The two US adversaries have denied attempting to meddle in the US election. (Dustin Volz and Vera Bergengruen / Wall Street Journal)

According to HUMAN's Satori Threat Intelligence team, a phishing campaign dubbed 'Phish n' Ships' has been underway since at least 2019, infecting over a thousand legitimate online stores to promote fake product listings for hard-to-find items.

Unsuspecting users clicking on those products are redirected to a network of hundreds of fake web stores that steal their details and money without shipping anything.

HUMAN's researchers say the campaign has impacted hundreds of thousands of consumers, causing estimated losses of tens of millions of dollars.

HUMAN and its partners coordinated a response to Phish n' Ships, informing many of the impacted organizations and reporting the fake listings to Google so they could be removed. Most malicious search results have been cleaned, and nearly all identified shops have been taken offline.

Payment processors who facilitated cashouts for the fraudsters were informed accordingly and removed the offending accounts from their platforms, significantly disrupting the threat actor's ability to generate profit. (Bill Toulas / Bleeping Computer)

Related: Human Security, Silicon Angle, SC Media

A diagram of the attack from the attacker's perspective. Source: Human Security.

Police wiretaps leaked to Italian media show that Equalize, which allegedly hacked information on thousands of people, including politicians, entrepreneurs, athletes, and even musicians across Italy, is accused of working for Israeli intelligence and the Vatican.

According to the leaked wiretaps, members of the hacking network, including Nunzio Samuele Calamucci, whom prosecutors accuse of orchestrating the scheme, met with two Israeli agents at the firm's office in Milan in February 2023 to discuss a task worth €1 million.

The job was a cyber operation against Russian targets, including President Vladimir Putin's unidentified "right-hand man." The mission involved unearthing the financial trail leading from the bank accounts of wealthy figures to the Russian mercenary group Wagner. The information was then supposed to be passed on to the Vatican.

The leaked documents do not explain why Israeli intelligence and the Vatican were involved with the controversial Milan firm or their reasons for soliciting information on Russian targets. Still, their presence in the dossier has dramatically expanded the scope of Italy's sprawling investigation. (Hannah Roberts and Antoaneta Roussi / Politico EU)

Related: La Repubblica

According to the UK National Society for the Prevention of Cruelty to Children (NSPCC), online grooming crimes have reached record levels in the UK, with more than 7,000 offenses recorded by police over the last year for the first time.

The charity said the figures, provided by 45 UK police forces, showed that 7,062 "sexual communication with a child" offenses were recorded in 2023-24, a rise of 89% since 2017-18, when the offense first came into force.

Where the means of communication was disclosed – in 1,824 cases – social media platforms were often used, with Snapchat being named in 48% of those cases.

Meta-owned platforms were also found to be popular with offenders, with WhatsApp named in 12% of those cases, Facebook and Messenger in 12%, and Instagram in 6%.

In response to the figures, the NSPCC has urged online regulator Ofcom to strengthen the Online Safety Act. (Martyn Landi / The Independent)

Related: BBC News

The San Joaquin County Superior Court in California said that "significant connectivity issues" it had been experiencing were due to a cybersecurity incident.

Court hearings scheduled for remote appearances on Oct. 30 were rescheduled. Additionally, phone and fax service, juror reporting instructions and information, e-filing, the court website and online services, and credit card payment processing were all unavailable.

The court said it has engaged with third-party cybersecurity experts to continue investigating the cause and remediating it. Officials said the primary goal will be to restore impacted systems as quickly as possible.

The court has some manual workarounds, but phone lines and internet services remain unavailable.

Officials said jurors summoned for the week of Oct. 28 and in groups 138 through 150 were excused. (Lindsay Weber / KCRA)

Related: The Stockton Record, ABC10

Microsoft finally revealed that it would charge consumers $30 for a year of extra security updates for Windows 10.

Support for Windows 10 will end on October 14th, 2025, but for the first time, consumers will be able to purchase a single year of Extended Security Updates (ESU) for $30.

While businesses will be charged $61 for a single year of ESU, they also have the option to pay $122 for a second year and then $244 for a third year of updates. Microsoft will only offer consumers a single year if they’re willing to pay the $30 fee. (Tom Warren / The Verge)

Related: Windows Blog, The Register, How-To Geek, PCWorld, MakeUseOf, ZDNET, Tom's Guide, Engadget, PCMag, Ars Technica, BleepingComputer, Digital Trends, Tom's Hardware, TweakTown, XDA Developers, r/technology, r/technews, r/windows

Bug bounty platform Bugcrowd announced that it has secured a $50 million growth capital facility from Silicon Valley Bank (SVB).

The financing, provided by SVB’s Enterprise Software Group, will enable Bugcrowd to scale its platform, fuel innovation further, and leverage strategic M&A opportunities. (Eduard Kovacs / Security Week)

Related: Bugcrowd, Silicon Valley Bank, FinSMEs

AI-powered application security company Noma announced it had raised $32 million in venture capital funding.

Ballistic Ventures and Glilot Partners, security syndicate Cyber Club London (CCL), and a lineup of angel investors participated in the round. (Kyle Wiggers / TechCrunch)

Related: Noma Security Inc., VentureBeat, SiliconANGLE, Noma Security

Cybersecurity firm Proofpoint has announced plans to acquire Normalyze, which specializes in data security posture management (DSPM).

The deal, expected to close sometime in November, will see Normalyze's AI-based DSPM technology integrated into Proofpoint's human-centric security platform. (Emma Woollacott / ITPro)

Related: Business Wire, Channel E2E, MSSP Alert, Channel Futures, Bank Info Security

Everfox (formerly Forcepoint Federal), a global provider of insider risk solutions and services, has agreed to acquire Yakabod, a case management software provider for security-driven organizations.

Everfox says the acquisition solidifies the multi-year partnership between Everfox and Yakabod, during which they jointly enhanced governance capabilities across insider risk, cyber incident management, and other security-focused use cases.

Best Thing of the Day: No One Ever Gets Tired of Cat Pictures

A hacker who uses the handle GaryOderNichts found a way to break into Nintendo's recently launched Alarmo clock and run custom code on the device that displays a cat's picture.

Worst Thing of the Day: Same As It Ever Was

A new study from the University of Washington shows that AI tools used to process job applications favored white-associated male names.

Closing Thought
