We have the admin login only allowing logins from our HQ (IP limited). Yet, they have all been compromised?
I am astonished how basic that attack was. And yet going as forward as a letter at the post office. I’m also astonished how easy, apparently, it is to modify and create OS files. Nothing seems locked.
We have no Admin or Users access from WAN. That seems to matter not.
Many months ago I wrote my concerns that Sophos were not using TPM modules. An Infineon TPM 2.0 costs just $19. BitLocker, anyone?
That said, I'm asking that question again: why were some of my desktops accessing some of those hackers' web sites as early as the 4th of April? Doesn't this indicate hackers were able to get through the firewall and were attacking XG much earlier than the 22nd of April?
I have logs in my Graylog server from 3/28 & 3/29 from the "Alternate Attack Host". All the IPs they hit were NATed to web servers internally, so I don't see how they would have accessed the User Portal on the 3 IPs I have events for. It DNATs the 443/tcp traffic to my web servers. Somehow the dashboard alert still states that I was compromised??
By default the user/admin ports aren't on tcp/443. Did you have a user/admin port allowed to the WAN zone on the Device Access page?
Want to double-check that? Because my freshly installed Lab XG certainly is configured with 443; while it may not be configured under the Device Access tab, it certainly is on 443. By default the User Portal listens on 443. I don't have my admin page exposed to the WAN, only had (now closed) the User Portal.
My WAN Network is a /28, all three IPs they hit have DNAT rules to web/mail servers, so those override the ability for User Portal to be accessed.
On my v18 tech bench I had the User Portal on 443 BUT had RADIUS authentication enabled for it. The FW reported as not compromised. Related or not. Maybe this FW was never targeted.
Based on patterns that we've seen in devices that were compromised vs weren't, we are speculating that a list of known open Sophos devices was compiled by the attackers in advance from a site like Shodan which is why they were able to compromise so many devices in a short period of time. If your firewall wasn't online or accessible via WAN when this list was compiled it may not have been included.