Hackers Abuse Sophos Firewall Zero-Day Vulnerability
Sophos became aware of the vulnerability on Wednesday after one of its customers reported "a suspicious field value visible in the management interface." The company has since released a hotfix that patches the flaw.
The Vulnerability: SQL Injection Bug
“The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices,” Sophos said.
The attackers targeted Sophos XG Firewall devices whose administration interface or user portal was exposed to the internet. Using the SQL injection flaw, they downloaded a payload onto the device that harvested data such as usernames and passwords for the firewall's device admin, portal admins and remote-access user accounts, along with the firewall's license and serial number.
Sophos says that during its investigation it found no evidence that the attackers accessed anything beyond the firewall itself, nor that the malware accessed any other devices. Sophos has named the malware Asnarok.
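To make the bug class concrete, here is an added illustration of how a string-concatenated SQL query in a portal login handler can be abused, and the parameterised form that closes the hole. This is example code written for this page, not Sophos XG code, and it says nothing about where the real flaw sat; the table, the accounts and the payloads are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample user store standing in for a portal's admin table.
# Illustrative example only; not taken from any Sophos product.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 's3cret')")
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting, so user input is parsed as SQL."""
    query = (
        f"SELECT username FROM admins WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Binds user input as parameters, so it is only ever treated as data."""
    row = conn.execute(
        "SELECT username FROM admins WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Constructed attacker payloads.
# BYPASS, supplied as the password, turns the WHERE clause into
#   (username = 'nobody' AND password = '') OR '1'='1'
# which is always true, so the first row comes back as a successful login.
BYPASS = "' OR '1'='1"

# EXFIL, supplied as the username, appends a UNION that returns stored
# passwords in the "username" column and comments out the rest of the query.
# This is the same kind of data theft the article describes: credentials
# pulled straight out of the device's database.
EXFIL = "' UNION SELECT password FROM admins--"


def demo():
    conn = make_db()
    return {
        "vuln_bypass": login_vulnerable(conn, "nobody", BYPASS),   # 'admin'
        "vuln_exfil": login_vulnerable(conn, EXFIL, "x"),          # 's3cret'
        "safe_bypass": login_hardened(conn, "nobody", BYPASS),     # None
        "safe_exfil": login_hardened(conn, EXFIL, "x"),            # None
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The hardened version needs no input filtering to be safe: because the driver sends the query text and the values separately, the quote and `UNION` in the payloads never reach the SQL parser. Any query in a management interface that still builds SQL from request fields is a candidate for exactly the kind of exploitation reported here.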
Patches Already Pushed to User Devices
The company has already pushed the fix as an automatic update to all XG Firewall devices that had the auto-update feature enabled. "This hotfix eliminated the SQL injection vulnerability which prevented further exploitation, stopped the XG Firewall from accessing any attacker infrastructure, and cleaned up any remnants from the attack," it said. The update also displays a message in the firewall's control panel telling administrators whether their device was compromised.
Sophos recommends the following steps for companies whose devices were compromised, focused mainly on resetting credentials and rebooting:
- Reset portal and device administrator accounts.
- Reboot the infected firewall device.
- Reset the passwords of all user accounts.
Because the stolen data included account passwords, any other system where those same passwords were reused should be treated as exposed and have its credentials rotated as well.
"Sophos also recommends that companies disable the firewall's administration interfaces on the internet-facing ports if they don't need the feature", writes ZDNet. Where remote administration is genuinely required, restricting the interface to a management network or VPN rather than the open internet limits exposure to this kind of attack.