On 22 April 2020, Sophos received a report stating that customers using Sophos XG Firewalls – both the virtual as well as the physical version – were actively attacked using a zero-day exploit.
If you are already caught up on what this zero-day can potentially do to your firewalls, you might want to scan your company for free with Autobahn to find any exposed – or worse, vulnerable – Sophos Firewalls.
How does the hack work in the wild?
This attack consists of multiple Linux shell scripts and is highly orchestrated. It starts with the utilization of a zero-day SQL injection exploit. This zero-day allows malicious actors to include a command into a database table on a targeted XG Firewall, in other words to achieve remote code execution and gain control of the device. The final payload of the attack is the Asnarok trojan, tasked to steal data, for example all local users, hashed passwords, and accounts used for remote access. This is the current known use-case, but in the future this might also be used as an entry point into the internal network.
How do I know if I am vulnerable and what can I do about it?
This vulnerability affects systems that are configured with either the administration interface (the HTTPS admin service) or the user portal exposed to the WAN zone. These interfaces typically sit on port 4444 or 443.
By exploiting this zero-day SQL-injection vulnerability, malicious hackers have access to sensitive data from the firewall. Luckily, according to Sophos, this does not include LDAP and Active Directory services.
It is important to ensure that Firewall Management Interfaces are never exposed to the Internet. With Autobahn, you will be able to check whether your security posture may be vulnerable to this new issue. Autobahn lists exposed Sophos Firewall devices (alongside many other possible hacking issues), providing you a list of devices to patch and check for potential vulnerabilities.
What if my devices are vulnerable?
First, install the latest patch for your Sophos firewalls.
Then reset a few things in case the firewall was hacked before you installed the patch:
Even though passwords were hashed, a password reset for accounts where credentials may have been reused is highly recommended. In addition, even after applying Sophos’ hotfix and performing the remediation steps, an alert may continue to be shown in the management interface.
Subscribe now to be be posted about the latest developments and updates.