How was the SQL injection done? We blocked off admin login

Question

We have the admin login only allowing logins from our HQ (IP limited). Yet, they have all been compromised?

FloSupport · Accepted Answer

After analyzing the components and intent of the attack, Sophos published a SophosLabs Uncut article, &ldquo;Asnarok&rdquo; Trojan targets firewalls , to share its current understanding of the malware.

AlexRomp · Answer

Both the admin and USER portals were vulnerable. Either one would be able to be used to exfiltrate the LOCAL accounts (not AD/LDAP) including users and admins.

JosefBergmann · Answer

Hi Michal, 
 I've investigated how IPsec secrets (PSK) are stored in the XG firewall and found out they are stored in plain text . For more details you can contact me via PM. 
 According to the Sophos report the hackers exfiltrated SQL-data for VPN users & policies, but they don't exactly describe what entries, so in my opinion all secrets on the firewall are compromised .

JosefBergmann · Answer

Hi Paul, 
 yes passwords from local user accounts are hashed (with an algorithm I can't identify), but all preshared secrets (PSK) used in IPsec VPN-connections (also L2TP/IPsec) are stored plain text in a table on the internal sql-server (no hash, no encryption). I've checked this on the latest (stable) 17.5.11 firmware. 
 So I highly recommend to change at least also all IPsec secrets. In fact the hole system was compromised, so everything secret should be changed (passwords, PSKs, certificates, OTP-seeds, ...)