Andrew Brandt
that they are specifically interested in taking a closer look at.
So these machines that they believe are being operated by threat actors, where they're doing these commands that are way outside of the boundaries of normal firewall behavior.
And these things are capable of doing more than just sending log entries.
They're able to pick arbitrary fields from the file system on the firewall and send those files back.
So that was how, in some cases, the team started throwing these kernel implants onto some of these firewalls that we could see were being used to do this experimentation.
And they were retrieving all sorts of very malicious and pretty dangerous files that were being dropped on these machines by the people who were developing these exploits and were testing them out in advance of attacks.
To call it malware is kind of a misnomer.
I mean, I'm not going to defend the overall argument here, but I will just say that there is nothing malicious about wanting to know what someone who is doing malicious things with your product is doing.
You know, it's kind of an ethical gray area.
Now, just being the, you know, person who's telling this story of what happened, uh, we were observing in the world, not just Sophos firewalls, but every firewall vendor getting hit with zero days.
Their customers being attacked in various ways.
And there being no way to resolve this.
And certainly no way to anticipate it.
Now, whether or not other companies are doing the same thing, no one else has disclosed that, but I don't think it's outside the realm of possibility to think that maybe some of them were.
Yeah, well, there was SophosFirewallUpdate.com and SophosProductUpdate.com, which were registered at different registrars and hosted in different IP spaces.
But because they both had Sophos in the name and they were part of this attack, Sophos went to ICANN and did the domain name seizure process on those domains.