
How was the SQL injection done? We blocked off admin login

We have the admin login only allowing logins from our HQ (IP limited). Yet, they have all been compromised?



  • Both the admin and USER portals were vulnerable.  Either one would be able to be used to exfiltrate the LOCAL accounts (not AD/LDAP) including users and admins.

  • Right. So we need to reset all local VPN users? God damn.

  • Yep.  Most of ours were AD auth, but we had a few that used local accounts.  We reset them anyway even though the users also used MFA.  

  • Hi  

    We sincerely regret any inconvenience this has caused.

    We’ve created this KBA for our customers that provides the recommended actions to fully remediate this issue: https://community.sophos.com/kb/en-us/135412 

    We will continue to update this KBA as new information becomes available.

     


    Florentino
    Community Manager, Support & Services

  • Seems to us that at the moment there's a single local user, Sophos advised the system could have been compromised ...

    Paul Jr

  • I look at this:

    Affected firewalls have been observed communicating with the following list of unauthorized hosts. Add all the following domains (these are not Sophos domain properties) as DNS host entries and define the IP address as 52.214.97.178 (a Sophos property which will eliminate the unauthorized traffic):

    • sophostraining.org
    • sophosproductupdate.com
    • sophosenterprisecenter.com
    • sophoswarehouse.com
    • Ragnarokfromasgard.com
    • sophosfirewallupdate.com
      For assistance on adding these domains as DNS host entries, please refer to these instructions.

    And found that some of our desktops were communicating with some of these addresses as early as the 4th of April.

    Seems abnormal to me.  Did XG leak from WAN to make it to our desktops??

    Please a quick response.

    Also, is this normal ????

    C:\ping www.sophosproductupdate.com

    Pinging sophosproductupdate.com [127.0.0.1] with 32 bytes of data:
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

    There's no entry in the hosts file for sure.  How could this resolve to local?

    Paul Jr
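    To check whether internal hosts looked up the domains listed in the KBA text quoted above, and whether each lookup came back as the Sophos sinkhole address, as the 127.0.0.1 answer shown in the ping output, or as some other live address, here is an added example. It is not code from this thread, from Sophos or from the KBA: the log line format and the client and answer addresses (203.0.113.x, 10.0.0.x) are constructed for the example, and only the six domains and the sinkhole IP 52.214.97.178 are taken from the KBA text above.

```python
import ipaddress
import re

# Domains quoted from the Sophos KBA text in the thread (lower-cased for matching).
IOC_DOMAINS = {
    "sophostraining.org",
    "sophosproductupdate.com",
    "sophosenterprisecenter.com",
    "sophoswarehouse.com",
    "ragnarokfromasgard.com",
    "sophosfirewallupdate.com",
}

# Sinkhole address named in the KBA text quoted in the thread.
SINKHOLE_IP = "52.214.97.178"


def ioc_domain_of(name):
    """Return the IOC domain a hostname belongs to (exact match or subdomain), else None."""
    name = name.lower().rstrip(".")
    for domain in IOC_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def classify_resolution(name, ip):
    """Classify a DNS answer for a queried name.

    "not-ioc"   - the name is not one of the listed domains
    "sinkholed" - answer is the Sophos sinkhole address from the KBA
    "loopback"  - answer is 127.0.0.1 (the public A record discussed in the thread)
    "live"      - answer is any other address, i.e. the host may have reached it
    """
    if ioc_domain_of(name) is None:
        return "not-ioc"
    addr = ipaddress.ip_address(ip)
    if str(addr) == SINKHOLE_IP:
        return "sinkholed"
    if addr.is_loopback:
        return "loopback"
    return "live"


# Constructed log format (assumption, not any real resolver's format):
#   <timestamp> <client_ip> <queried_name> <answer_ip>
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def find_ioc_contacts(lines):
    """Map client IP -> list of (queried_name, answer_ip, classification) for IOC lookups."""
    hits = {}
    for line in lines:
        match = LOG_LINE.match(line.strip())
        if not match:
            continue  # skip malformed lines rather than failing the whole run
        _ts, client, qname, answer = match.groups()
        if ioc_domain_of(qname) is None:
            continue
        hits.setdefault(client, []).append((qname, answer, classify_resolution(qname, answer)))
    return hits


def needs_action(hits):
    """Clients that resolved an IOC domain to a live address and should be investigated."""
    return sorted(client for client, records in hits.items()
                  if any(cls == "live" for _name, _ip, cls in records))


# Constructed sample log; addresses and timestamps are made up for the example.
SAMPLE_LOG = [
    "2020-04-04T09:12:01 10.0.0.5 www.sophosproductupdate.com 127.0.0.1",
    "2020-04-04T09:13:44 10.0.0.12 sophosfirewallupdate.com 203.0.113.10",
    "2020-04-04T09:14:02 10.0.0.12 Ragnarokfromasgard.com 52.214.97.178",
    "2020-04-04T09:15:30 10.0.0.7 www.example.com 93.184.216.34",
    "this line is malformed",
]

if __name__ == "__main__":
    contacts = find_ioc_contacts(SAMPLE_LOG)
    for client, records in sorted(contacts.items()):
        for qname, answer, cls in records:
            print(f"{client} looked up {qname} -> {answer} ({cls})")
    print("investigate:", needs_action(contacts))
```

A lookup that returned 127.0.0.1 or the sinkhole address means the desktop never reached a third-party host, so those clients are reported but not flagged; only a client that received some other address is listed by `needs_action`.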


  • Because its public A record has been set to 127.0.0.1.

    The other IP you mentioned is from GoDaddy's shared hosting, used by numerous websites.

  • Ok.  But why on earth are these DNS records still valid after 4 days?  Shouldn't Sophos make sure they are disabled?

    Could it be useful in any way for a public record to be 127.0.0.1?  If not, how come it's allowed?

    Paul Jr

  • My thoughts are that Sophos reported that malicious domain and they changed the DNS record to 127.0.0.1 as a band-aid fix until the domain is taken down.

  • Hi Flo,

    What are the IOCs? We have one or two XGs where the exploit was successful. Is there any more information at the moment? The KB for this issue has too little information about the attack and the impacts.