We have the admin login only allowing logins from our HQ (IP limited). Yet, they have all been compromised?
Both the admin and USER portals were vulnerable. Either one would be able to be used to exfiltrate the LOCAL accounts (not AD/LDAP) including users and admins.
In reply to AlexRomp:
Right. So we need to reset all local VPN users? God damn.
In reply to Hayden Kirk:
Yep. Most of ours were AD auth, but we had a few that used local accounts. We reset them anyway even though the users also used MFA.
Hi Hayden Kirk
We sincerely regret any inconvenience this has caused.
We’ve created this KBA for our customers that provides the recommended actions to fully remediate this issue: https://community.sophos.com/kb/en-us/135412
We will continue to update this KBA as new information becomes available.
Seems to us that at the moment there's a single local user, Sophos advised the system could have been compromised ...
I look at this:
Affected firewalls have been observed communicating with the following list of unauthorized hosts. Add all the following domains (these are not Sophos domain properties) as DNS host entries and define the IP address as 18.104.22.168 (a Sophos property which will eliminate the unauthorized traffic):
And found that some of our desktops were communicating with some of these addresses as early as the 4th of April.
Seems abnormal to me. Did XG leak from WAN to make it to our desktops??????
Please, a quick response.
Also, is this normal????
Pinging sophosproductupdate.com [127.0.0.1] with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
There's no entry in the hosts file for sure. How could this resolve to local???
In reply to Big_Buck:
Because its public A record has been set to 127.0.0.1.
The other IP you mentioned is from GoDaddy's shared hosting, used by numerous websites.
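The two questions raised above (why desktops showed up talking to the listed domains, and why a public A record now answers 127.0.0.1) can both be answered from resolver logs. The script below is an added example, not code from any poster in this thread or from Sophos: it scans resolver log lines for the watchlist domains, records the earliest hit per client, and classifies each answer as live, loopback-sinkholed (a 127.0.0.1 A record, as explained in the reply above), or pointing at a locally configured sinkhole address of the kind the KBA recipe creates. The log format, the client addresses, the `SAMPLE_DNS_LOG` contents and the sinkhole address are all constructed for the example; the watchlist holds only the two domains named in this thread, so the full list from the KBA would have to be added.

```python
import ipaddress
import re

# Watchlist: only the two domains that appear in this thread. Assumption for
# the example; extend it with the complete list from the Sophos KBA.
WATCHLIST = {"sophosproductupdate.com", "sophosfirewallupdate.com"}

# Constructed resolver log lines (assumed format: timestamp client qname qtype answer).
# Timestamps are fixed-width ISO-8601 UTC, so string comparison orders them correctly.
SAMPLE_DNS_LOG = """\
2020-04-04T09:12:01Z 10.0.5.23 sophosproductupdate.com A 203.0.113.45
2020-04-22T11:40:17Z 10.0.1.1 sophosfirewallupdate.com A 203.0.113.45
2020-04-23T08:03:55Z 10.0.1.1 sophosfirewallupdate.com A 203.0.113.45
2020-04-25T14:22:09Z 10.0.5.23 sophosproductupdate.com A 127.0.0.1
2020-04-25T14:22:10Z 10.0.5.23 www.example.com A 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<answer>\S+)$"
)


def in_watchlist(qname, watchlist=WATCHLIST):
    """True if qname is a watchlist domain or a subdomain of one (trailing dot tolerated)."""
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in watchlist)


def classify_answer(answer, sinkhole_ip=None):
    """Label the resolved address: loopback-sinkhole, local-sinkhole, live, or unparsed."""
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return "unparsed"
    if ip.is_loopback:
        # Public A record deliberately pointed at 127.0.0.1 (the case asked about above).
        return "loopback-sinkhole"
    if sinkhole_ip is not None and ip == ipaddress.ip_address(sinkhole_ip):
        # Answer matches the sinkhole host entry an admin configured locally.
        return "local-sinkhole"
    return "live"


def parse_dns_line(line):
    """Split one log line into its fields, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_dns_log(text, watchlist=WATCHLIST, sinkhole_ip=None):
    """Return every watchlist hit as a dict with an added 'status' field."""
    findings = []
    for line in text.splitlines():
        rec = parse_dns_line(line)
        if rec is None or not in_watchlist(rec["qname"], watchlist):
            continue
        rec["status"] = classify_answer(rec["answer"], sinkhole_ip)
        findings.append(rec)
    return findings


def first_seen_per_client(findings):
    """Earliest timestamp at which each client queried a watchlist domain."""
    first = {}
    for f in findings:
        c = f["client"]
        if c not in first or f["ts"] < first[c]:
            first[c] = f["ts"]
    return first


if __name__ == "__main__":
    # "192.0.2.10" is a constructed placeholder for a locally configured sinkhole address.
    hits = scan_dns_log(SAMPLE_DNS_LOG, sinkhole_ip="192.0.2.10")
    for h in hits:
        print(f"{h['ts']} {h['client']:<10} {h['qname']:<28} -> {h['answer']:<14} [{h['status']}]")
    for client, ts in sorted(first_seen_per_client(hits).items()):
        print(f"first watchlist query from {client}: {ts}")
```

A "live" answer before the sinkhole date is the signal worth chasing: it shows a host resolved the domain while it still pointed at the attacker's hosting, whereas later "loopback-sinkhole" or "local-sinkhole" rows only show the query was made and the answer was neutralised. Pair the resolver view with firewall or proxy logs, since a DNS lookup alone does not prove a connection followed.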
In reply to Kimmo Rieskaniemi:
Ok. But why on earth are these DNS records still valid after 4 days? Shouldn't Sophos make sure they are disabled?
Could it be useful in any way for a public record to be 127.0.0.1? If not, how come it's allowed?
My thoughts are that Sophos reported that malicious domain and they changed the DNS record to 127.0.0.1 as a band-aid fix until the domain is taken down.
In reply to FloSupport:
What are the IOCs? We have one or two XGs where the exploit was successful. Is there any more information at the moment? The KB for this issue has too little information about the attack and the impacts.
See the following (file / certificate artifacts and entries present in the Postgres database): community.sophos.com/.../436088
Also, the IOCs which were present on our devices are available on OTX at otx.alienvault.com/.../5ea58d525c575eda9f1e5c9c.
In reply to 4ng3er:
We will soon release more details of the attack and its payloads. Please follow our https://community.sophos.com/kb/en-us/135412 for further updates.
Appears that our XG firewall hit sophosfirewallupdate.com on April 22 twice, then April 23 four times.
In reply to wineoh:
After analyzing the components and intent of the attack, Sophos published a SophosLabs Uncut article, “Asnarok” Trojan targets firewalls, to share its current understanding of the malware.
I am astonished how basic that attack was. And yet going as forward as a letter at the post office. I’m also astonished how easy, apparently, it is to modify and create OS files. Nothing seems locked.
We have no Admin or Users access from WAN. That seems to matter not.
Many months ago I wrote my concerns that Sophos were not using TPM modules. An Infineon TPM 2.0 costs just $19. BitLocker anyone?
That said, I'm asking that question again: why were some of my desktops accessing some of those hackers' web sites as early as the 4th of April? Doesn't this indicate hackers were able to get through the firewall and that hackers were attacking XG much earlier than the 22nd of April?