We have the admin login only allowing logins from our HQ (IP limited). Yet, they have all been compromised?
See the following (file / certificate artifacts and entries present in the Postgres database): community.sophos.com/.../436088
Also, the IOCs which were present on our devices are available on OTX at otx.alienvault.com/.../5ea58d525c575eda9f1e5c9c.
Hi 4ng3er
We will soon release more details of the attack and its payloads. Please follow our KB article at https://community.sophos.com/kb/en-us/135412 for further updates.
After analyzing the components and intent of the attack, Sophos published a SophosLabs Uncut article, “Asnarok” Trojan targets firewalls, to share its current understanding of the malware.
I am astonished at how basic that attack was, and yet it went as far as a letter at the post office. I'm also astonished at how easy it apparently is to modify and create OS files. Nothing seems locked.
We have no Admin or Users access from WAN. That seems to matter not.
Many months ago I wrote of my concerns that Sophos was not using TPM modules. An Infineon TPM 2.0 costs just $19. BitLocker, anyone?
That said, I'm asking that question again: why were some of my desktops accessing some of those hackers' web sites as early as the 4th of April? Doesn't this indicate that the hackers were able to get through the firewall and were attacking XG much earlier than the 22nd of April?
Paul Jr
I have logs in my Graylog server from 3/28 and 3/29 from the "Alternate Attack Host". All the IPs they hit were NATed to web servers internally, so I don't see how they would have accessed the User Portal on the 3 IPs I have events for. It DNATs the 443/tcp traffic to my web servers. Somehow the dashboard alert still states that I was compromised?
By default the user/admin ports aren't on tcp/443. Did you have a user/admin port allowed to the WAN zone on the Device Access page?
Want to double check that? ...because my freshly installed lab XG certainly is configured with 443; while it may not be configured under the Device Access tab, it certainly is on 443. By default the User Portal listens on 443. I don't have my admin page exposed to the WAN; I only had the User Portal exposed (now closed).
My WAN network is a /28; all three IPs they hit have DNAT rules to web/mail servers, so those override the ability for the User Portal to be accessed.
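The last few posts turn on one distinction: did a connection from a known attacker address get DNATed to an internal server, or did it terminate on the firewall's own WAN address (where the User Portal listens on 443 by default)? The following script is an added example, not code from the thread or from Sophos. It matches a set of source-IP indicators against firewall log lines and classifies each hit that way. The log lines are constructed in a key=value style loosely modelled on XG firewall logs (field names such as `nat` and `tran_dst_ip` are assumptions, not the exact XG schema), and every address is an RFC 5737 documentation address standing in for the real OTX indicators.

```python
"""Match firewall log lines against a source-IP IOC list and classify each hit.

Added example, not Sophos code. The key=value log format below is constructed
and only resembles XG firewall logs; the IOC addresses are RFC 5737
documentation ranges standing in for the real indicators published on OTX.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed IOC list (placeholders, not the real OTX indicators).
IOC_SOURCES = {
    "192.0.2.10",       # stand-in for the "Alternate Attack Host"
    "198.51.100.0/24",  # stand-in for a whole attacker netblock
}

# Constructed log lines; firewall WAN addresses are 203.0.113.1-.4 here.
SAMPLE_LOGS = """\
date=2020-03-28 time=22:14:01 log_type=Firewall status=Allow src_ip=192.0.2.10 dst_ip=203.0.113.3 dst_port=443 fw_rule_id=7 nat=DNAT tran_dst_ip=10.0.0.21 tran_dst_port=443
date=2020-03-28 time=22:14:05 log_type=Firewall status=Allow src_ip=192.0.2.10 dst_ip=203.0.113.4 dst_port=443 fw_rule_id=8 nat=DNAT tran_dst_ip=10.0.0.22 tran_dst_port=443
date=2020-03-29 time=01:03:17 log_type=Firewall status=Allow src_ip=198.51.100.77 dst_ip=203.0.113.1 dst_port=443 fw_rule_id=0 nat=None
date=2020-03-29 time=01:05:40 log_type=Firewall status=Deny src_ip=198.51.100.77 dst_ip=203.0.113.1 dst_port=4444 fw_rule_id=0 nat=None
date=2020-03-29 time=09:00:00 log_type=Firewall status=Allow src_ip=203.0.113.200 dst_ip=203.0.113.3 dst_port=443 fw_rule_id=7 nat=DNAT tran_dst_ip=10.0.0.21 tran_dst_port=443
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def build_ioc_networks(iocs):
    """Turn single IPs and CIDR strings into ip_network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(entry, strict=False) for entry in iocs]


def is_ioc(ip, networks):
    """True if ip falls inside any indicator network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def parse_line(line):
    """Parse one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def classify(event):
    """Where did the connection end up?

    blocked: the firewall denied it, nothing was reached.
    dnat:    allowed and forwarded to an internal host (the WAN IP was only a frontage).
    local:   allowed and NOT translated, so it terminated on the firewall itself,
             e.g. the User Portal listening on 443.
    """
    if event.get("status") != "Allow":
        return "blocked"
    if event.get("nat") == "DNAT":
        return "dnat"
    return "local"


def scan(logs, iocs):
    """Return one record per log line whose source matches an indicator."""
    networks = build_ioc_networks(iocs)
    hits = []
    for line in logs.splitlines():
        event = parse_line(line)
        src = event.get("src_ip")
        if not src or not is_ioc(src, networks):
            continue
        hits.append({
            "src_ip": src,
            "dst_ip": event.get("dst_ip"),
            "dst_port": event.get("dst_port"),
            "verdict": classify(event),
            "forwarded_to": event.get("tran_dst_ip"),
        })
    return hits


def summarize(hits):
    """Count verdicts per targeted WAN address: {dst_ip: {verdict: count}}."""
    out = defaultdict(lambda: defaultdict(int))
    for hit in hits:
        out[hit["dst_ip"]][hit["verdict"]] += 1
    return {dst: dict(counts) for dst, counts in out.items()}


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS, IOC_SOURCES):
        print(hit)
    print(summarize(SAMPLE_LOGS and scan(SAMPLE_LOGS, IOC_SOURCES)))
```

Run against the constructed sample, the two hits on 203.0.113.3 and .4 come out as `dnat` (forwarded to internal web servers, the situation described in the Graylog post), while 203.0.113.1 shows one `local` hit on 443, the case where a connection from an indicator address actually reached a service on the firewall itself. A `local` verdict on the portal port is what to look for before concluding that DNAT rules alone kept the portal out of reach.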