Analysis and opinion: Sophos and the broken vow
Sophos has installed monitoring software on its customers' systems for years – in the name of security, of course. Jürgen Schmidt takes a critical view of this.
(Image: heise online/Titima Ongkantong/Shutterstock.com)
After the eventful Wednesday with Trump's re-election and the collapse of Germany's "traffic light" coalition government, it is not easy to focus on IT security. Yet there are major upheavals in this area too. Largely unnoticed by the public, Sophos has broken a taboo among antivirus manufacturers and is even selling it as a heroic deed: they have developed their own spyware and placed it deliberately on customers' systems to spy on them. This used to be an unwritten law of the industry: we do not develop malware and, in particular, we do not use it to spy on our customers.
Sophos has now publicly broken this – only to catch the bad guys™ and stop their misdeeds, of course. Before I discuss the significance of this, a few sober facts. As Sophos documents itself in its "Operation Pacific Rim" report, it significantly expanded its automatically collected telemetry data as early as mid-2020. It did this not to optimize the product or to find bugs in the software, but in response to attacks on its network appliances, which were then misused for further attacks – for example as so-called operational relay boxes.
Specifically, Sophos wanted to track down the people who find security vulnerabilities in its firewall and VPN appliances and then develop exploitation techniques that are actually used in attacks. To this end, it analyzed commands executed on the command line and flagged suspicious activity, such as the use of scanning tools like masscan. Sophos rolled out the extended telemetry collection via hotfixes:
"By combining telemetry data received from the hotfixes with test license registration data and web analytics, X-Ops analysts were able to create a timeline for attack preparation. [...] Most notably, a single device was identified with suspicious activity dating back to February 2020. [...] Telemetry data from these devices showed that command line access and usage was consistent with vulnerability research and exploit development."
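To make the mechanism concrete, here is an added example (not Sophos code, and not part of the original column) of what this kind of command-line telemetry review looks like from the defender's side: a small analyzer that parses constructed command-log lines, flags invocations of network scanners and debugging tools, and builds a per-device timeline of the earliest flagged activity. The log format, the device names, and the indicator lists are assumptions; the article itself only names masscan as an example indicator.

```python
import re
from collections import defaultdict
from datetime import datetime

# Indicator lists are assumptions for this example; the article only names masscan.
SCAN_TOOLS = {"masscan", "nmap", "zmap"}
DEBUG_TOOLS = {"gdb", "strace", "ltrace"}

# Constructed sample telemetry in a hypothetical "<timestamp> <device> <command>" format.
SAMPLE_LOG = """\
2020-02-11T08:14:02Z dev-A ls -la /var/log
2020-02-11T08:15:40Z dev-A masscan -p443 10.0.0.0/8 --rate 10000
2020-02-13T09:00:12Z dev-B tail -f /var/log/syslog
2020-03-02T10:22:55Z dev-A /usr/bin/gdb -q /usr/bin/some_daemon
2020-03-05T11:05:31Z dev-C nmap -sV 10.1.2.0/24
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse_line(line):
    """Split one telemetry line into (timestamp, device, command); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, dev, cmd = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), dev, cmd


def classify(cmd):
    """Return a reason string if the command matches an indicator, else None."""
    argv = cmd.split()
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]  # strip any path prefix, e.g. /usr/bin/gdb -> gdb
    if prog in SCAN_TOOLS:
        return f"network scanner: {prog}"
    if prog in DEBUG_TOOLS:
        return f"debugger/tracing tool: {prog}"
    return None


def build_timeline(log_text):
    """Per device: chronologically sorted list of (timestamp, reason, command) for flagged events."""
    timeline = defaultdict(list)
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, dev, cmd = parsed
        reason = classify(cmd)
        if reason:
            timeline[dev].append((ts, reason, cmd))
    for dev in timeline:
        timeline[dev].sort()
    return dict(timeline)


def earliest_suspicious(timeline):
    """Return (device, timestamp) of the earliest flagged event across all devices, or None."""
    best = None
    for dev, events in timeline.items():
        first_ts = events[0][0]
        if best is None or first_ts < best[1]:
            best = (dev, first_ts)
    return best


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_LOG)
    for dev, events in sorted(tl.items()):
        for ts, reason, cmd in events:
            print(f"{dev} {ts.isoformat()} {reason}: {cmd}")
    print("earliest flagged device:", earliest_suspicious(tl))
```

Devices with no flagged command (here dev-B) never appear in the timeline; the point of the example is that a coarse indicator list already produces a "suspicious activity dating back to" date per device, which is exactly the kind of conclusion the quoted passage draws, and exactly why the breadth of such telemetry deserves scrutiny.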
The "kernel implant"
After this "advanced telemetry" provided initial evidence, Sophos developed a special "kernel implant" that allowed even more advanced monitoring and collection of arbitrary files without the system owner having a chance to detect it:
"April 23 - May 10, 2020: Forward Deployment Tooling
[...] X-Ops developed a specialized kernel implant that could be deployed on devices that Sophos knew with high probability were controlled by groups conducting malicious exploit research. The tool enabled remote collection of files and logs without visible userland artifacts."
Sophos then installed this monitoring module on systems it was sufficiently sure were being used for malicious purposes – it speaks of "high confidence" but does not elaborate. This first happened, without the knowledge or consent of the owner, on July 9, 2020, on a system that Sophos had identified as a test device of the perpetrators, partly via the telemetry data. Sophos does not explain how exactly it installed this kernel extension on individual systems. In the following years, however, Sophos installed this kernel rootkit on further systems it had classified as suspicious. I have not yet received an answer to my questions to Sophos about the implementation and scope of these activities.
Successful protection measures
In any case, Sophos has had a number of successes with this approach, which the manufacturer documents in detail in its timeline. According to this, they were able to identify a Chinese research group that apparently specifically tracked down security vulnerabilities in Sophos appliances and developed exploits for them. These were then later used by Chinese attacker groups such as Volt Typhoon, APT31 and APT41/Winnti to break into the networks of companies and organizations. Sophos also discovered several rootkits, including a prototype UEFI bootkit that could embed itself firmly in the firmware of a compromised device, but has not yet been seen in the wild.
Sophos used the findings to detect attacks at an early stage, patch systems or take preventive measures to protect against the attack techniques found. The Sophos specialists combine the information from the investigation of real incidents (incident response) and that from the extended monitoring of the hackers. However, it is not clear from the description exactly where the knowledge gained from the extended telemetry and the kernel implant made this possible in the first place. Sophos has not yet responded to my inquiries about the unclear points.
Forward defense
The perpetrators identified by Sophos appear to be Chinese security researchers in Chengdu. They were probably specifically investigating Sophos security appliances and had a number of test systems in operation, for which they used either test licenses or regular licenses purchased from third parties. In several cases, they apparently provided the manufacturer with bug reports, which Sophos even rewarded with a bug bounty in at least one case. Sophos gives no indication that the researchers themselves carried out attacks on third parties. Instead, the manufacturer suspects that they shared their findings with government agencies, as required by Chinese law. How the information and tools then ended up in the hands of the actual attackers remains unclear.
Sophos thus presents itself as a pioneer in the fight against state attackers and cybercrime. US media quote the security provider with statements in which it sees itself as a pioneer and role model for the entire industry. And considering the results achieved, there are certainly advocates who are celebrating this action and calling for more of it. In the fight against cybercrime and APT attacks, they see this as an acceptable forward defense. I'm not so convinced – on the contrary.
Customers spied on
I see it more like this: a manufacturer has collected data from its customers' IT systems that was not used to improve those systems, but explicitly to detect suspicious activity. The collection of the telemetry data needed to improve the products served only as a front for mass surveillance without cause. In specific cases of suspicion, the manufacturer then even installed dedicated surveillance software without the customers' knowledge and against their presumed will, software that is also capable of exfiltrating arbitrary files. Normally this is called malware: the hotfixes were Trojans, the kernel implant a rootkit, and the procedure is the same as that of cybercrime gangs and state attackers.
But here it is supposed to be okay because it was directed against the bad guys™. I ask myself: who exactly is allowed to do this? Every manufacturer – including Facebook/Meta and Huawei? Or just some? For what purposes exactly? Is it also appropriate for taking action against software pirates, for example? Only those in China? Or perhaps also in Europe – at least in the east? Who decides in individual cases whether this is legitimate? Sophos does not even begin to discuss any of this. It obviously sees no problem and intends to carry on this way.
Real protection is different
I'm not a lawyer and I don't want to make a judgment on whether this procedure violates any laws. At least at first glance, no personal data was involved and Sophos lawyers have apparently approved the procedure. Perhaps also because the Chinese researchers are unlikely to take legal action. However, I would no longer use a manufacturer's software if they were to claim the right to decide what they can do with my IT systems without any supervisory authority – and even celebrate it.
I would much rather welcome it if the appliance manufacturers – and especially those in the security sector – finally did their homework when it comes to security. Whether Sophos, Ivanti, Fortinet, Cisco or Palo Alto: with every new zero-day exploit, it becomes more obvious that your appliances do not even meet basic security requirements, let alone the high standards that firewalls and VPN gateways should actually have to meet. You should step up to the plate and present a plan for how you intend to finally clean things up thoroughly, instead of just patching the zero-day that has just appeared.
Note: This text was originally written as part of my exclusive newsletter for heise security PRO, which provides security managers with a weekly overview of important security topics.
(ju)