Andrew Brandt
They kludged together something that got around that hotfix.
The team starts to realize, okay, we need to give these things names because if we're going to be having these attacks happen in sequence, in short order, to just keep straight, we need to come up with names.
So they decide to use the names of locations around the Pacific Rim as the code names for these internal attacks.
So they give this attack a nickname Baja.
It doesn't have anything to do with Mexico.
It's just they just decided that they want to talk about it in the sense of, you know, it's on the Pacific Rim, which is a region of the world where volcanoes and earthquakes happen, right?
So what the threat actors figured out when they were doing the development of this Baja attack is they watched Sophos and they watched how the hotfix mechanism worked.
develop a new exploit, but also they started to develop technology and technique to get around hotfixes.
So they figured out how hotfixes were being deployed on firewalls, and they were slowly starting to turn off features inside the firewall that allow the hotfixes to launch and run and do their fixing.
Now, this time they're putting just regular old web shells on the firewalls.
They start looking back in time at the telemetry that they collected and they discover that this was another bug that someone had submitted a bug bounty for and gotten payout on.
And here it is being used in the wild, like just days after the payout happens.
So this is starting to get to be a pattern.
And the attacks are, you know, widespread.
People are, you know, getting noticed about it.