Posted on April 26, 2020 at 2:48 PM
Sophos says Hackers have Compromised its Firewall Zero-Day
A cybersecurity firm Sophos has joined the long queue of victims who have had their networks compromised by hackers.
Yesterday, the company published a security update, which was necessary to patch its XG enterprise product zero-day vulnerability. It said the firewall product has been the subject of abuse by hackers.
Sophos revealed that it first discovered the zero-day vulnerability on Wednesday, after receiving an alert from one of its users. According to the user, the cybersecurity firm’s management interface was infected by a suspicious field value.
During the investigation, Sophos realized that the suspicious field value was not an error but an actual attack on its server.
Hacker stole passwords by abusing an SQL injection bug
Sophos revealed that the hackers gained access to expose XG devices using SQL injection vulnerabilities.
They infiltrated the Sophos XG firewall systems and exposed the User Portal control panel, as well as the firm’s HTTPS service.
Sophos also reiterated that the cybercriminals took advantage of the SQL injection weakness and downloaded a payroll on the system. After downloading the payroll, it stole the files from the XG firewall.
According to the security firm, the compromised data included hashed passwords and usernames of user accounts used for accessing the device, firewall portal admins, as well as for the firewall device.
Apart from these infected details, customers’ passwords for authentication systems such as LDAP or AD were also compromised.
The security firm pointed out that while investigating, no evidence suggests the attackers accessed the XG firewall devices using the stolen passwords. It also did not find out any infringements on customers’ internal networks or compromise beyond the firewall.
Sophos said updates have been sent to customers
The UK security firm, renowned for its popular antivirus products, disclosed that it has already sent the update to its customers to patch up the vulnerabilities. The automatic update will provide patches to all the XG firewalls that enable the auto-update feature.
Sophos said with the updated server, there won’t be further exploitations on the device. It said the hotfix fix prevented the XG firewall from any access to the attacker infrastructure and stopped further infiltration of the devices.
“This hotfix eliminated the SQL injection vulnerability which prevented further exploitation, the security firm said.
In addition to the updates, a unique box will be added to the XG firewall control panel, which will inform the customers whether their device has been infiltrated.
Recommendations for affected customers
Sophos has also recommended solutions for customers who had their devices hacked. The processes included rebooting their devices and resetting their passwords. It said the hackers will no longer have access to the devices if the companies reboot their devices and reset the passwords.
Even though the compromised records contain rehashed accounts, Sophos is recommending that customers should reset passwords for those accounts where the XG account could have been utilized.
Although the passwords were hashed, it is recommended that passwords are reset for any accounts where the XG credentials might have been reused
Furthermore, the security firm recommended that companies who don’t need the internet-facing ports feature should disable the firewall administration interface. It has further provided instructions to disable this interface on its official report on the hacking incident.
Sophos is a security software and hardware firm which develops top security products for unified threat management, mobile security, email security, network security, encryption, and communication endpoint.
The company recently introduced its new security product Sophos Intercept X, which combines four important critical components to provide security to its customers.
The recent attack on its systems shows the level hackers are going to infiltrate companies. And if the cybercriminals can compromise tech companies like Facebook and Twitter, and now a cyber threat security company, it shows they are capable of compromising any system.
As a result, organizations have been advised to beef up their security systems and apply updates as quickly as possible to keep their network and data secure and protected.