We have the admin login only allowing logins from our HQ (IP limited). Yet, they have all been compromised?
I am astonished at how basic that attack was, and yet it went as far as a letter at the post office. I’m also astonished at how easy, apparently, it is to modify and create OS files. Nothing seems locked.
We have no Admin or Users access from WAN. That seems to matter not.
Many months ago I wrote about my concerns that Sophos was not using TPM modules. An Infineon TPM 2.0 costs just $19. BitLocker anyone?
That said, I’m asking that question again: why were some of my desktops accessing some of those hackers’ web sites as early as the 4th of April? Doesn’t this indicate that hackers were able to get through the firewall and were attacking XG much earlier than the 22nd of April?
Big_Buck said: BitLocker anyone?
An encrypted volume wouldn't have changed anything in this situation.
We do not know for sure yet. Were they able to tamper with the BIOS (yes, not the UEFI)? Or tamper with the boot volume?
A TPM could be used for other things than just BitLocker "like" behaviour.
I remain stunned how basic this attack is and yet succeeded.
I still have no answers as to why some of my desktops (with Sophos Endpoint) were contacting many of those hacked web sites listed by Sophos.
I think they got a big enough black eye, so I'm not going to beat up on them any more, and frankly I was glad to see that they tackled the problem head on instead of denying it or saying it may have happened or could have happened in very small deployments.
Having said that, the hackers were running shell scripts, modifying permissions on files, creating and modifying SQL tables, and modifying services on a firewall. There is no excuse for this kind of pwnage. Complete root-level access through the user portal? I always turn off ACLs on my WAN and turn off unnecessary services, but how many people simply leave everything default, especially in home deployments? This relaxed behavior of leaving everything open during initial firewall setup when running the wizard, running all services even when the services are not being used, and exposing management and user portals to the WAN interface by default has finally bitten them and possibly tarnished their reputation for the near future.
How this got past QA and the usual hardening against script kiddies would give nightmares to any software developer, but dropping a bad MR update to XG and then to SG and then getting fully pwned by hackers all in the same month should give Sophos a long pause in their whole outlook on where they want to go from here.
This "New SQL injection attack" ... Is anyone aware of it being used against anything else somewhere?
XG is not the only thing using SQL after all.
I doubt it. The SQL server on XG is running with limited rights; however, it probably has rights to write to certain directories, and of course to modify tables.
How the hackers were able to chmod scripts in the tmp directory and then download additional files indicates a more sophisticated hack. The rights escalation is what’s so concerning, and it wasn’t addressed in Sophos’ KB article.
But if that new "SQL Injection" attack was specific to XG, why would Sophos apply for a CVE? Once they had admin access, whatever the firewall, damage becomes most likely possible. I understand it's the SQL injection that first gave admin access. Or kind of.
I'm still thinking our attack was from inside ... Both WAN accesses were disabled.
I would bet an arm and a leg it was done through a virus from an email. Which, in our case, would mean Microsoft Anti-Virus, Symantec Anti-Virus and two layers of Sophos Anti-Virus failed.
They didn't have to create a CVE, but as a security vendor that has since patched the problem, they were being responsible. Someone else probably would create a CVE even if they didn't. I am pretty sure the attack is XG specific only, but the CVE will have more details.
What did your firewall say after it was patched? Mine says "Hotfix applied for SQL Injection. Your device was NOT compromised." My XG is in a DMZ behind pfSense, so it had no external access in addition to disabled ACLs for WAN. Your clients being attacked is a mystery to me.
If you're referring to the IP you posted earlier (screenshot from XG logs), then let me explain why you see those as early as the 4th of April. When the malicious domains were reported by Sophos, the hosting company (GoDaddy) parked that domain, and when parked, the DNS record is set to GoDaddy's shared hosting IP. As this IP hosts millions of websites, it is most likely your users accessed some legit website under this same IP. So you can sleep your nights calmly.
If there is traffic to the following IPs:
Then you should contact Sophos directly.
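An added triage example for the point made in the post above (my own code, not from anyone in this thread or from Sophos): a log hit whose only link to the reported domains is a shared hosting IP is not evidence of contact with them, while a hit on the reported hostname itself, or on a dedicated indicator IP, is. The log line format, hostnames and IP addresses are all constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines (not real XG output): timestamp, internal source,
# destination IP and the HTTP Host / TLS SNI the proxy saw (may be empty).
SAMPLE_LOG = """\
2020-04-04T09:12:01 src=10.0.1.15 dst=203.0.113.10 host=parked-ioc.invalid
2020-04-04T09:13:44 src=10.0.1.22 dst=203.0.113.10 host=small-business-blog.example
2020-04-04T10:02:09 src=10.0.1.15 dst=198.51.100.7 host=
2020-04-22T16:40:12 src=10.0.1.40 dst=198.51.100.7 host=c2-ioc.invalid
"""

# Constructed placeholder indicators (hypothetical, not the published ones).
IOC_DOMAINS = {"parked-ioc.invalid", "c2-ioc.invalid"}
IOC_IPS = {"198.51.100.7"}            # dedicated IPs: any traffic is worth escalating
SHARED_HOSTING_IPS = {"203.0.113.10"}  # parked-domain / shared hosting IP: not on its own

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S*)$")

@dataclass
class Verdict:
    ts: str
    src: str
    dst: str
    host: str
    verdict: str  # "ioc-host", "ioc-ip", "shared-ip-only" or "clean"

def classify(line: str) -> Optional[Verdict]:
    """Classify one log line; returns None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, host = m.group("ts", "src", "dst", "host")
    if host.lower() in IOC_DOMAINS:
        verdict = "ioc-host"        # client actually asked for the reported name
    elif dst in IOC_IPS:
        verdict = "ioc-ip"          # traffic to a dedicated indicator IP
    elif dst in SHARED_HOSTING_IPS:
        verdict = "shared-ip-only"  # co-hosted site on the parked IP; likely benign
    else:
        verdict = "clean"
    return Verdict(ts, src, dst, host, verdict)

def triage(log_text: str) -> List[Verdict]:
    return [v for v in map(classify, log_text.splitlines()) if v is not None]

def needs_escalation(verdicts: List[Verdict]) -> List[Verdict]:
    """Only hostname or dedicated-IP hits justify contacting the vendor."""
    return [v for v in verdicts if v.verdict in ("ioc-host", "ioc-ip")]
```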
Not you, but Sophos has or will open a CVE. The question was: if Sophos opens a CVE, it probably means the "new Ragnarok SQL injection" attack concerns whatever could be tampered with via SQL injection. Meaning a lot of devices.
Also, access was opted out on WAN / LAN / and everything on our firewalls. It was just allowed via ACL to one console computer internally on one dedicated subnet. The only thing allowed on WAN is one VPN between both firewalls ...
They must have attacked the firewalls through a mechanism yet to be published.
Nothing in our logs concerning either of those two addresses.