Hackers use a zero-day vulnerability to steal Sophos XG Firewall accounts for three days


Screenshot: the Sophos XG Firewall control system of a device that was not compromised during the attack but received the patch anyway.

According to the corporate blog of Sophos, the developer and manufacturer of next-generation physical and virtual firewalls, on April 22, 2020, an unidentified group of hackers launched an attack on XG Firewall devices around the world using a zero-day vulnerability.

The purpose of the attack, which could affect many physical and virtual XG Firewall devices, was to steal administrator and user accounts. 

The attack was carried out by SQL injection against XG Firewall devices whose administrators had previously exposed the administration interface (via HTTPS) or the User Portal to the external network (WAN).

Moreover, Sophos customers have recently been using this option more and more for remote administration and monitoring of their security systems from home.
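A generic illustration of the attack class named above, added here as an example: it is not Sophos code and does not reproduce the actual flaw in XG Firewall. It places a login lookup that concatenates user input into SQL beside the parameterised form, so the reader can see why input bound as data cannot alter the query. The table, user names and hashing scheme are constructed for the example (the SHA-256 stand-in is not how any real product should store credentials).

```python
import sqlite3
import hashlib
import hmac


def make_db():
    """Constructed in-memory user table with one administrator account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, role TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        ("admin", hashlib.sha256(b"correct horse").hexdigest(), "administrator"),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by string concatenation.

    Any quote character in the input becomes part of the SQL text, so the
    password comparison can be cut off by a quote followed by a comment
    marker and the lookup succeeds without the password.
    """
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND pw_hash = '" + pw_hash + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Parameterised query: the user name is bound as data, never parsed as SQL.

    The hash comparison is done in application code with a constant-time
    compare, so the database never sees the supplied secret at all.
    """
    row = conn.execute(
        "SELECT pw_hash, role FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    expected, role = row
    supplied = hashlib.sha256(password.encode()).hexdigest()
    return role if hmac.compare_digest(expected, supplied) else None


if __name__ == "__main__":
    db = make_db()
    crafted = "admin' --"  # constructed input that closes the quote and comments out the rest
    print("vulnerable, crafted input:", login_vulnerable(db, crafted, "wrong"))
    print("hardened,   crafted input:", login_hardened(db, crafted, "wrong"))
```

Run as a script, the vulnerable function returns the administrator role for the crafted user name without a valid password, while the hardened one returns `None`; the only difference between the two is whether user input is bound as a parameter or spliced into the SQL string.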

After receiving reports of the first attempts to exploit the vulnerability, Sophos experts began investigating the incident.

As a result, by April 25, 2020, a hotfix was ready, which the company immediately began distributing to all running XG Firewalls with the "Allow automatic installation of hotfixes" option enabled.

Timeline of the response (times in UTC):

  • 2020-04-22 16:00 - the attack begins;
  • 2020-04-22 20:29 - Sophos receives reports of suspicious activity in the management interfaces of some XG Firewalls;
  • 2020-04-22 22:03 - the incident is logged and taken up by Sophos's cybersecurity group;
  • 2020-04-22 22:20 - an in-depth examination of the incident begins;
  • 2020-04-22 22:44 - SophosLabs blocks suspicious domains detected during the examination of the incident;
  • 2020-04-23 06:30 - Sophos researchers identify attack vectors;
  • 2020-04-23 15:47 - Sophos notifies the user community of initial mitigation measures;
  • 2020-04-23 19:39 - the initial attack vector is identified as SQL injection;
  • 2020-04-23 21:40 - SophosLabs identifies and blocks additional domains associated with the attack;
  • 2020-04-24 03:00 - telemetry is updated for all XG Firewalls;
  • 2020-04-24 04:20 - Sophos notifies the user community of additional mitigation measures;
  • 2020-04-24 05:00 - development and testing of the patch covering the vulnerability used in the attack begins;
  • 2020-04-25 07:00 - patch deployment begins;
  • 2020-04-25 22:00 - patch deployment to all XG Firewalls with automatic updating enabled is completed.

The investigation of the attack mechanism showed that, using SQL injection, the attackers were able to access certain XG Firewall devices and exfiltrate some configuration data from them, including usernames and hashed passwords for local device administrators, and the administrator and user accounts used for remote access.

Sophos experts also explained that credentials associated with external authentication systems, such as AD or LDAP, were not compromised during the attack. The company found no evidence that the attackers were able to penetrate the local networks behind the XG Firewalls.

In addition, Sophos experts strongly recommend that administrators of XG Firewall devices that might have been compromised during the attack reset the passwords of all administrator and user accounts. They also advise disabling access to the administration interface (via HTTPS) and the User Portal from the external network.
