We have the admin login only allowing logins from our HQ (IP limited). Yet, they have all been compromised?
Both the admin and USER portals were vulnerable. Either one would be able to be used to exfiltrate the LOCAL accounts (not AD/LDAP) including users and admins.
right. so we need to reset all local vpn users? god damm.
Yep. Most of ours were AD auth, but we had a few that used local accounts. We reset them anyway even though the users also used MFA.
Hi Hayden Kirk
We sincerely regret any inconvenience this has caused.
We’ve created this KBA for our customers that provides the recommended actions to fully remediate this issue: https://community.sophos.com/kb/en-us/135412
We will continue to update this KBA as new information becomes available.
Seems to us that at the moment there's a single local user, Sophos advised the system could have been compromised ...
Paul Jr
I look at this:
Affected firewalls have been observed communicating with the following list of unauthorized hosts. Add all the following domains (these are not Sophos domain properties) as DNS host entries and define the IP address as 52.214.97.178 (a Sophos property which will eliminate the unauthorized traffic):
And found that some of our desktops were communicating with some of these addresses as early as the 4th of April .
Seems anormal to me. Did XG leaked from WAN to make it to our desktops ??????
Please a quick response.
Also, is this normal ????
C:\ping www.sophosproductupdate.com
Pinging sophosproductupdate.com [127.0.0.1] with 32 bytes of data:Reply from 127.0.0.1: bytes=32 time<1ms TTL=128Reply from 127.0.0.1: bytes=32 time<1ms TTL=128Reply from 127.0.0.1: bytes=32 time<1ms TTL=128Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
There's no entry in the host file for sure. How this could resolve to local ???
Because its public A record has been set to 127.0.0.1.
Other IP you mentioned is from godaddys shared hosting used by numerous of websites
Ok. But why on earth these DNS record are still valid after 4 days ? Shouldn't Sophos make sure they are disabled ?
Could it be usefull in anyway a public record be 127.0.0.1 ? If not, how come it's allowed ?
My thought are that Sophos reported that malicious domain and they changed DNS record to 127.0.0.1 as band-aid fix until domain is taken down.
Hi Flo,
what are the IOCs? we have one or two XGs, where the exploit was successful. Are there any more informations at the moment? In the KB for this issue are to less informations about the attack and the impacts.