
A previously unknown SQL injection vulnerability in the Sophos XG Firewall gave hackers access to customers’ local usernames and hashed passwords for several days.

The Abingdon, U.K.-based platform security vendor said it learned late Wednesday of an attack against its physical and virtual XG Firewall units when a suspicious field value was discovered inside the device’s management interface. The attack affected multiple customers, and was aimed at systems with either the administrative service or the user portal exposed to the internet, according to Sophos.

“The attack used a previously unknown pre-auth SQL injection vulnerability to gain access to exposed XG devices,” Sophos wrote in an advisory updated today. “It was designed to exfiltrate XG Firewall-resident data.”

The exposed data included usernames and hashed passwords for local device administrators, user portal accounts, and accounts used for remote access, the company said. The malware could have also gained access to the firewall’s license and serial number, a list of the email addresses that were stored on the device, and a list of the user IDs permitted to use the firewall, according to a blog post Sunday.

Sophos has named the zero-day malware used in the attack Asnarok, and said the coordinated attack was carried out by an unknown adversary. The company said it has not discovered any evidence that data had been successfully exfiltrated. The execution of the attack required significant orchestration, relying on a chain of Linux shell scripts that eventually downloaded malware compiled for a firewall operating system, according to the company. The attack targeted Sophos products and was apparently intended to steal sensitive information from the firewall, the company said.

The company said it began an investigation immediately after the attack that included retrieving and analyzing artifacts. After determining the components and impact of the attack, Sophos on Saturday deployed a hotfix that patched the SQL injection vulnerability. The hotfix prevented further exploitation, stopped the XG Firewall from accessing any attacker infrastructure, and cleaned up any remnants from the attack, according to Sophos. Customers with uncompromised XG Firewall devices do not need to take any additional steps, according to Sophos. The hotfix includes a message on the XG management interface to indicate whether or not a specific XG Firewall was affected by this attack, Sophos said.
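The advisory describes the bug class, a pre-auth SQL injection that reads out the account store, but not the query itself. The Python block below is an added illustration, not Sophos code and not the XG Firewall's actual query; the table name, column names, the unauthenticated lookup function, the placeholder SHA-256 hashing and the UNION payload are all assumptions made for the example. It shows why such a bug leaks exactly the data listed above: an unauthenticated lookup that splices input into SQL lets a UNION payload return the stored password hashes, while the parameterized version of the same lookup treats the payload as a literal username and returns nothing.

```python
import hashlib
import sqlite3


def hash_pw(password: str) -> str:
    # Placeholder hashing for the example only; a real appliance would use a
    # salted, slow password hash. The point is that what leaks is the stored
    # hash, which is what the advisory says was exposed.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    # Constructed sample data standing in for a local admin / user-portal
    # account store. Names and values are invented for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_users (username TEXT, password_hash TEXT)")
    for user, pw in [("admin", "s3cret"), ("portal_user", "hunter2")]:
        conn.execute(
            "INSERT INTO admin_users VALUES (?, ?)", (user, hash_pw(pw))
        )
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> list:
    # Hypothetical pre-auth endpoint: no session is checked, and the
    # caller-controlled value is concatenated straight into the SQL text.
    query = f"SELECT username FROM admin_users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def safe_lookup(conn: sqlite3.Connection, username: str) -> list:
    # Same lookup with a bound parameter: the driver sends the value
    # separately from the statement, so it can never change the query shape.
    query = "SELECT username FROM admin_users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


# Assumed attacker input: closes the string, appends a UNION that selects the
# hash column (same column count as the original SELECT), and comments out
# the trailing quote.
PAYLOAD = "' UNION SELECT password_hash FROM admin_users --"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", vulnerable_lookup(db, PAYLOAD))
    print("parameterized:", safe_lookup(db, PAYLOAD))
```

Running it prints every stored hash from the vulnerable path and an empty list from the parameterized one, with no login in between; that is the shape of the exposure the advisory describes, and binding parameters rather than filtering characters is the fix that closes it regardless of payload.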
