KBA 135412 - What does Compromised mean in this fix

What exactly does compromised mean regarding this hotfix. Does this mean that Sophos checked if Admin service and / or User Portal where allowed on the WAN port(s), or that Sophos found that the vulnerability was exploided on the XG Firewall?

  • In reply to FloSupport:

    Is the file cccopcode.log associated with this attack?

    This file had the same timestamp as the original attack and contains sensitive information. I can't see any reference to it in the SophosLabs article.

  • In reply to FloSupport:

    An information that the investigation lacks is "how could the SQL-injection be exploited at all" meanig by which service could it be exploited?

    At our customers "UserPortal" is the only service reachable from the internet to be able to configure SSL-VPN for external workers. And that only because there is no possibility to centrally download the config files from WebAdmin like we were able to with SGs.

    The only other possibility in our installations could be WebAdmin or SSH, which are limited to our public ip address (both) and Sophos CFM (HTTPS).

  • In reply to kerobra:

    Well.... the one device which was affected was connected to Sophos CFM... the other device was stand alone, never connected to Sophos CFM and was not affected. Is this perhaps an indication? Was the Sophos CFM first attacked and then the ip addresses were stolen? :O

    Just a hypothesis! ;)

    Tonight I will change the fixed IP address and the reverse DNS lookup entry of the affected internet connection. WebAdmin an UserPortal are now restricted by ACLs (whitelisting)... local passwords (IPSec tunnel PSK, local users and Active Directory Auth users) were changed. Now I'm thinking about to destroy the OTP hardware token.... surely the token seeds are also in the database... Sophos Authenticator App entry deleted and new set up... no big deal.

     

    Sorry, the confidence is deeply disturbed.

  • In reply to Michael Großmann:

    Hi  

    We sincerely regret any inconvenience this has caused. Please take the preventive measure you have listed in your post. After analyzing the components and intent of the attack we published an article, “’Asnarok’ Trojan targets firewalls” to share our current understanding of the malware, which can be found here: https://news.sophos.com/en-us/2020/04/26/asnarok/

  • In reply to FloSupport:

    What is the restart of the XG Firewall for as descripted in the steps to remmediate this issue completely?

  • Hello,

    is there any chance to get the exact timestamp for the attack? Like Timestamps for compromised files or so?

  • In reply to 4ng3er:

    Hi  

    After analyzing the components and intent of the attack we published an article, “’Asnarok’ Trojan targets firewalls” to share our current understanding of the malware, which can be found here: https://news.sophos.com/en-us/2020/04/26/asnarok/

    Timeline of attack is available - https://community.sophos.com/kb/en-us/135412#timeline%20of%20attack

  • In reply to kerobra:

    Hi  

    The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or User Portal were also affected. For reference, the default configuration of XG Firewall is that all services operate on unique ports.

    More info available in the KBA.

  • In reply to FloSupport:

    Glad I followed the steps to secure the system and changed passwords. Today I got the first messages that somebody tried to get access with the local accounts...

  • In reply to Jelle:

    Access to your local accounts how? Via External Access to the User Portal/WebAdmin?