We have the admin login only allowing logins from our HQ (IP limited). Yet, they have all been compromised?
Both the admin and USER portals were vulnerable. Either one would be able to be used to exfiltrate the LOCAL accounts (not AD/LDAP) including users and admins.
right. so we need to reset all local vpn users? god damm.
Yep. Most of ours were AD auth, but we had a few that used local accounts. We reset them anyway even though the users also used MFA.
Hi Hayden Kirk
We sincerely regret any inconvenience this has caused.
We’ve created this KBA for our customers that provides the recommended actions to fully remediate this issue: https://community.sophos.com/kb/en-us/135412
We will continue to update this KBA as new information becomes available.
Hi Flo,
what are the IOCs? we have one or two XGs, where the exploit was successful. Are there any more informations at the moment? In the KB for this issue are to less informations about the attack and the impacts.
Hi 4ng3er
We will soon release more details of the attack and its payloads. Please follow our https://community.sophos.com/kb/en-us/135412 for further updates.
Appears that our XG firewall hit sophosfirewallupdate.com on April 22 twice, then April 23 four times.
After analyzing the components and intent of the attack, Sophos published a SophosLabs Uncut article, “Asnarok” Trojan targets firewalls, to share its current understanding of the malware.