We have the admin login only allowing logins from our HQ (IP limited). Yet, they have all been compromised?
See the following (file / certificate artifacts and entries present in the Postgres database): community.sophos.com/.../436088
Also, the IOCs which were present on our devices are available on OTX at otx.alienvault.com/.../5ea58d525c575eda9f1e5c9c.
We will soon release more details of the attack and its payloads. Please follow our https://community.sophos.com/kb/en-us/135412 for further updates.
Appears that our XG firewall hit sophosfirewallupdate.com on April 22 twice, then April 23 four times.
After analyzing the components and intent of the attack, Sophos published a SophosLabs Uncut article, “Asnarok” Trojan targets firewalls, to share its current understanding of the malware.
I am astonished how basic that attack was. And yet going as forward as a letter at the post office. I’m also astonished how easy, apparently, it is to modify and create OS files. Nothing seems locked.
We have no Admin or Users access from WAN. That seems to matter not.
Many months ago I wrote my concerns that Sophos were not using TPM modules. An Infineon TPM 2.0 costs just $19. BitLocker, anyone?
That said, I’m asking that question again: why were some of my desktops accessing some of those hackers’ web sites as early as the 4th of April? Doesn’t this indicate hackers were able to get through the firewall and were attacking XG much earlier than the 22nd of April?
I have logs in my Graylog server from 3/28 & 3/29 from the "Alternate Attack Host". All the IPs they hit were NATed to web servers internally, so I don't see how they would have accessed the User Portal on the 3 IPs I have events for. It DNATs the 443/tcp traffic to my web servers. Somehow the dashboard alert still states that I was compromised??
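Several posts above compare firewall or SIEM logs against the indicator domains from the advisory (the hits on sophosfirewallupdate.com on April 22 and 23, and the question of whether contact with the attack hosts started earlier). The script below is an added example, not code from the thread or from Sophos: it parses constructed key=value web-log lines (a generic format, not the real XG log syntax), matches destination hosts against an indicator set, and reports hits per day plus the first time each internal source was seen talking to an indicator. Only sophosfirewallupdate.com comes from the thread; the second indicator domain is a labelled placeholder. Subdomain matching is done on label boundaries so that a look-alike such as notsophosfirewallupdate.com is not counted.

```python
import re
from collections import Counter

# Indicator domains to search for. sophosfirewallupdate.com is named in the
# thread; the second entry is a PLACEHOLDER, not a real indicator.
IOC_DOMAINS = {
    "sophosfirewallupdate.com",
    "placeholder-alternate-attack-host.example",
}

# Constructed sample log lines in a generic key=value style.
# This is NOT the real Sophos XG log format; it only illustrates the parsing.
SAMPLE_LOGS = """\
2020-04-04T09:12:41Z src=10.10.5.23 dst_host=placeholder-alternate-attack-host.example dst_port=443
2020-04-22T03:14:09Z src=10.10.0.1 dst_host=sophosfirewallupdate.com dst_port=443
2020-04-22T03:14:10Z src=10.10.0.1 dst_host=SophosFirewallUpdate.com dst_port=443
2020-04-22T11:00:00Z src=10.10.5.40 dst_host=updates.sophos.com dst_port=443
2020-04-23T02:00:01Z src=10.10.0.1 dst_host=cdn.sophosfirewallupdate.com dst_port=443
2020-04-23T02:00:02Z src=10.10.0.1 dst_host=sophosfirewallupdate.com dst_port=443
2020-04-23T02:00:03Z src=10.10.0.1 dst_host=sophosfirewallupdate.com dst_port=443
2020-04-23T02:00:04Z src=10.10.0.1 dst_host=sophosfirewallupdate.com dst_port=443
2020-04-23T08:30:00Z src=10.10.5.23 dst_host=notsophosfirewallupdate.com dst_port=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst_host=(?P<host>\S+)\s+dst_port=(?P<port>\d+)"
)


def parse_line(line):
    """Return a dict with ts/src/host/port for one log line, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def host_matches_ioc(host, iocs):
    """True if host equals an indicator domain or is a subdomain of one.

    Matching is case-insensitive and respects label boundaries, so
    'notsophosfirewallupdate.com' does not match 'sophosfirewallupdate.com'.
    """
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in iocs)


def summarize_hits(log_text, iocs=IOC_DOMAINS):
    """Count indicator hits per calendar day and record first contact per source.

    Returns (per_day, first_seen) where per_day maps 'YYYY-MM-DD' -> hit count
    and first_seen maps source IP -> earliest timestamp that contacted an indicator.
    Lines are assumed to be in chronological order, as exported from a SIEM.
    """
    per_day = Counter()
    first_seen = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not host_matches_ioc(rec["host"], iocs):
            continue
        per_day[rec["ts"][:10]] += 1
        first_seen.setdefault(rec["src"], rec["ts"])
    return dict(per_day), first_seen


if __name__ == "__main__":
    days, sources = summarize_hits(SAMPLE_LOGS)
    for day in sorted(days):
        print(f"{day}: {days[day]} indicator hit(s)")
    for src, ts in sorted(sources.items(), key=lambda kv: kv[1]):
        print(f"first contact from {src}: {ts}")
```

Run against a real export, the earliest `first_seen` timestamp is the value to compare with the dates in the advisory: a source that first contacted an indicator before the firewall itself did (here 10.10.5.23 on April 4) is worth a closer look, since a DNAT rule on the WAN address explains inbound traffic but not an internal host reaching out.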
By default the user/admin ports aren't on tcp/443. Did you have a user/admin port allowed to the WAN zone on the Device Access page?
Big_Buck said: BitLocker, anyone?
An encrypted volume wouldn't have changed anything in this situation.
Want to double-check that? Because my freshly installed lab XG is certainly configured with 443; while it may not be configured under the Device Access tab, it certainly is on 443. By default the User Portal listens on 443. I don't have my admin page exposed to the WAN, only had (now closed) the User Portal.
My WAN Network is a /28, all three IPs they hit have DNAT rules to web/mail servers, so those override the ability for User Portal to be accessed.
On my v18 tech bench I had the User Portal on 443 BUT had RADIUS authentication enabled for it. FW reported as not compromised. Related or not. Maybe this FW was never targeted.