How was the SQL injection done? We blocked off admin login

We have the admin login only allowing logins from our HQ (IP limited). Yet, they have all been compromised?

  • Both the admin and USER portals were vulnerable.  Either one would be able to be used to exfiltrate the LOCAL accounts (not AD/LDAP) including users and admins.

  • In reply to AlexRomp:

    right. so we need to reset all local vpn users? god damm.

  • In reply to Hayden Kirk:

    Yep.  Most of ours were AD auth, but we had a few that used local accounts.  We reset them anyway even though the users also used MFA.  

  • In reply to Hayden Kirk:

    Hi  

    We sincerely regret any inconvenience this has caused.

    We’ve created this KBA for our customers that provides the recommended actions to fully remediate this issue: https://community.sophos.com/kb/en-us/135412 

    We will continue to update this KBA as new information becomes available.

     

  • Seems to us that at the moment there's a single local user, Sophos advised the system could have been compromised ...

    Paul Jr

  • I look at this:

    Affected firewalls have been observed communicating with the following list of unauthorized hosts. Add all the following domains (these are not Sophos domain properties) as DNS host entries and define the IP address as 52.214.97.178 (a Sophos property which will eliminate the unauthorized traffic):

    • sophostraining.org
    • sophosproductupdate.com
    • sophosenterprisecenter.com
    • sophoswarehouse.com
    • Ragnarokfromasgard.com
    • sophosfirewallupdate.com
      For assistance on adding these domains as DNS host entries, please refer to these instructions.

    And found that some of our desktops were communicating with some of these addresses as early as the 4th of April .

    Seems anormal to me.  Did XG leaked from WAN to make it to our desktops ??????

    Please a quick response.

    Also, is this normal ????

    C:\ping www.sophosproductupdate.com

    Pinging sophosproductupdate.com [127.0.0.1] with 32 bytes of data:
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

    There's no entry in the host file for sure.  How this could resolve to local ???

    Paul Jr

     

  • In reply to Big_Buck:

    Because its public A record has been set to 127.0.0.1.

    Other IP you mentioned is from godaddys shared hosting used by numerous of websites

  • In reply to Kimmo Rieskaniemi:

    Ok.  But why on earth these DNS record are still valid after 4 days ?  Shouldn't Sophos make sure they are disabled ?

    Could it be usefull in anyway a public record be 127.0.0.1 ?  If not, how come it's allowed ?

    Paul Jr

  • In reply to Big_Buck:

    My thought are that Sophos reported that malicious domain and they changed DNS record to 127.0.0.1 as band-aid fix until domain is taken down.

  • In reply to FloSupport:

    Hi Flo,

    what are the IOCs? we have one or two XGs, where the exploit was successful. Are there any more informations at the moment? In the KB for this issue are to less informations about the attack and the impacts.

  • See the following (file / certificate artifacts and entries present in the Postgres database): community.sophos.com/.../436088

    Also, the IOCs which were present on our devices are available on OTX at otx.alienvault.com/.../5ea58d525c575eda9f1e5c9c.

  • In reply to 4ng3er:

    Hi

    We will soon release more details of the attack and its payloads. Please follow our https://community.sophos.com/kb/en-us/135412 for further updates. 

  • In reply to FloSupport:

    Appears that our XG firewall hit sophosfirewallupdate.com on April 22 twice, then April 23 four times.

  • In reply to wineoh:

    After analyzing the components and intent of the attack, Sophos published a SophosLabs Uncut article, “Asnarok” Trojan targets firewalls, to share its current understanding of the malware.

  • I am astonished how basic that attack was. And yet going as forward as a letter at the post office.  I’m also astonished how easy, apparently, it is to modify and create OS files.  Nothing seems locked.

    We have no Admin or Users access from WAN.  That seems to matter not.

    Many months ago I wrote my concerns Sophos were not using TPM modules.  Infineon TPM 2.0 cost just $19.  Bit locker anyone ?

    That said, I’m asking that question again, why some of my desktops were accessing some of those hacker’s WEB site as early as the 4th of April ?  Doesn’t this indicates hackers were able to get tru the firewall and hackers were attacking XG much earlier than the 22nd of April ?

    Paul Jr