How was the SQL injection done? We blocked off admin login

We have the admin login only allowing logins from our HQ (IP limited). Yet, they have all been compromised?

  • In reply to Big_Buck:

    I have logs in my Graylog server from 3/28 & 3/29 from the "Alternate Attack Host".  All the IPs they hit were NATed to web servers internally, so I don't see how they would have accessed the User Portal on the 3 IPs I have events for.  It DNATs the 443/tcp traffic to my web servers.  Somehow the dashboard alert still states that I was compromised??

  • In reply to NateP:

    By default the user/admin ports aren't on tcp/443.  Did you have a user/admin port allowed to the WAN zone on the Device Access page?

  • In reply to Big_Buck:

    Big_Buck
    BitLocker anyone?

    An encrypted volume wouldn't have changed anything in this situation.

  • In reply to AlexRomp:

    AlexRomp

    By default the user/admin ports aren't on tcp/443.  Did you have a user/admin port allowed to the WAN zone on the Device Access page?

    Want to double check that? ...because my freshly installed Lab XG certainly is configured with 443; while it may not be configured under the Device Access tab, it certainly is on 443. By default the User Portal listens on 443. I don't have my admin page exposed to the WAN; I only had the User Portal open (now closed).

    My WAN Network is a /28, all three IPs they hit have DNAT rules to web/mail servers, so those override the ability for User Portal to be accessed.

  • In reply to NateP:

    On my v18 tech bench I had the User Portal on 443 BUT had RADIUS authentication enabled for it. The FW reported as not compromised. Related or not. Maybe this FW was never targeted.

  • In reply to Kimmo Rieskaniemi:

    Based on patterns that we've seen in devices that were compromised vs weren't, we are speculating that a list of known open Sophos devices was compiled by the attackers in advance from a site like Shodan which is why they were able to compromise so many devices in a short period of time.  If your firewall wasn't online or accessible via WAN when this list was compiled it may not have been included.

  • In reply to AlexRomp:

    We do not know for sure yet.  Were they able to tamper with the BIOS (yes, not the UEFI)?  Or tamper with the boot volume?

    A TPM could be used for other things than just BitLocker-like behaviour.

    I remain stunned how basic this attack is and yet succeeded.

    I still have no answers why some of my desktops (with Sophos Endpoint) were contacting many of those hacked websites listed by Sophos.

    Paul Jr

  • In reply to Big_Buck:

    I think they got a big enough black eye so not going to beat up on them any more and frankly I was glad to see that they tackled the problem head on instead of denying it or saying it may have happened or could have happened in very small deployments.

    Having said that, the hackers were running shell scripts, modifying permissions on files, creating and modifying SQL tables, and modifying services on a firewall. There is no excuse for this kind of pwnage. Complete root-level access through the User Portal?  I always turn off ACLs on my WAN and turn off unnecessary services, but how many people simply leave everything default, especially in home deployments? This relaxed behavior of leaving everything open during initial firewall setup when running the wizard, running all services even when the services are not being used, and exposing management and user portals to the WAN interface by default has finally bitten them and possibly tarnished their reputation for the near future.

    How this got past QA and the usual hardening against script kiddies would give nightmares to any software developer, but dropping a bad MR update to XG and then to SG and then getting fully pwned by hackers, all in the same month, should give Sophos a long pause in their whole outlook on where they want to go from here.

  • In reply to Billybob:

    Hello

    This "New SQL injection attack" ...  Is anyone aware if it was used against anything else somewhere?

    XG is not the only thing using SQL after all.

    Paul Jr

  • In reply to Big_Buck:

    I doubt it. The SQL server on XG is running with limited rights; however, it has rights to probably write to certain directories and of course modify tables.

    How the hackers were able to chmod scripts in the tmp directory and then download additional files indicates a more sophisticated hack. The rights escalation is what's so concerning and wasn't addressed in Sophos' KB article.

  • In reply to Billybob:

    But if that new "SQL Injection" attack was specific to XG, why would Sophos apply for a CVE???  Once they had admin access, on whatever firewall, damage most likely becomes possible.  I understand it's the SQL injection that first gave admin access.  Or kind of.

    I'm still thinking our attack was from inside ...  Both WAN access were disabled.

    I would bet an arm and a leg it was done through a virus from an email.  Which, in our case, would mean Microsoft Anti-Virus, Symantec Anti-Virus and two layers of Sophos Anti-Virus failed.

    Paul Jr

  • In reply to Big_Buck:

    They didn't have to create a CVE, but as a security vendor that has since patched the problem, they were being responsible. Someone else probably would create a CVE even if they didn't. I am pretty sure the attack is XG specific only, but the CVE will have more details.

    What did your firewall say after it was patched? Mine says "Hotfix applied for SQL Injection. Your device was NOT compromised." My XG is in a DMZ behind pfSense, so it had no external access in addition to disabled ACLs for WAN. Your clients being attacked is a mystery to me.

  • In reply to Big_Buck:

    If you are referring to the IP you posted earlier (screenshot from XG logs), then let me explain why you see those as early as the 4th of April. When the malicious domains were reported by Sophos, the hosting company (GoDaddy) parked that domain, and when parked, the DNS record is set to GoDaddy's shared hosting IP. As this IP hosts millions of websites, it is most likely your users accessed some legit website under this same IP. So you can sleep your nights calmly.

    If there is traffic to the following IPs:

    43.229.55.44

    38.27.99.69

    Then you should contact Sophos directly.
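    The triage rule in this reply (a hit on the registrar's shared parking IP is weak evidence, a hit on either of the two listed IPs warrants a call to the vendor), written out as an added example, not code from Sophos or from anyone in this thread. The key=value log format, the sample lines, the field names and the shared-hosting IP are constructed; the two indicator IPs are the ones listed above.

```python
"""Triage firewall log lines: connections to the two indicator IPs are high
confidence, connections to a shared-hosting (parked-domain) IP are low confidence.

Added example, not Sophos code. Log format, field names and the sample lines
are constructed; SHARED_HOSTING_IPS holds a placeholder, not a real value.
"""
import re
from collections import Counter

# The two IPs the reply above says should prompt contacting the vendor.
IOC_IPS = {"43.229.55.44", "38.27.99.69"}

# Placeholder (RFC 5737 documentation address) standing in for the registrar's
# parking IP: millions of unrelated sites resolve there, so a hit proves little.
SHARED_HOSTING_IPS = {"198.51.100.10"}

# Constructed key=value lines loosely modelled on firewall traffic logs.
SAMPLE_LOG = """\
date=2020-04-04 time=10:01:02 src_ip=10.0.0.15 dst_ip=198.51.100.10 dst_port=80 action=Allow
date=2020-04-04 time=10:02:11 src_ip=10.0.0.22 dst_ip=203.0.113.5 dst_port=443 action=Allow
date=2020-04-04 time=10:03:45 src_ip=10.0.0.15 dst_ip=43.229.55.44 dst_port=443 action=Allow
date=2020-04-04 time=10:04:09 src_ip=10.0.0.31 dst_ip=38.27.99.69 dst_port=80 action=Drop
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict; quotes around values are stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify(log_text):
    """Return (high, low): per-destination counters split by confidence.

    high: (src, dst, action) for destinations in IOC_IPS; a Drop still counts,
          because it shows an internal host tried to reach the indicator.
    low:  (src, dst) for destinations in SHARED_HOSTING_IPS.
    """
    high, low = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        dst = rec.get("dst_ip")
        if dst in IOC_IPS:
            high[(rec.get("src_ip"), dst, rec.get("action"))] += 1
        elif dst in SHARED_HOSTING_IPS:
            low[(rec.get("src_ip"), dst)] += 1
    return high, low


if __name__ == "__main__":
    high, low = classify(SAMPLE_LOG)
    for (src, dst, action), n in sorted(high.items()):
        print(f"CONTACT VENDOR: {src} -> {dst} ({action}) x{n}")
    for (src, dst), n in sorted(low.items()):
        print(f"low confidence: {src} -> {dst} x{n} (shared hosting IP)")
```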

  • In reply to Billybob:

    Hello

    Not you, but Sophos has opened or will open a CVE.  The question was: if Sophos opens a CVE, it probably means the "new Ragnarok SQL injection" attack concerns whatever could be tampered with via SQL injection.  Meaning a lot of devices.

    Also.  Access was opted out on WAN / LAN / and everything on our firewalls.  It was just allowed via ACL to 1 console computer internally on one dedicated subnet.  The only thing allowed on WAN is one VPN between both firewalls ...

    They must have attacked the firewalls through a mechanism yet to be published.

    Paul Jr

  • In reply to Kimmo Rieskaniemi:

    Nothing in our logs concerning either of those two addresses.

    Paul Jr