A zero-day vulnerability in Sophos's XG enterprise firewall product was found to be exploited in the wild by hackers, and the company released an emergency patch on Saturday.
Cyber-security firm Sophos became aware of the zero-day on Wednesday after one of its customers reported seeing “a suspicious field value visible in the management interface.”
After investigating the report, Sophos determined that it was an active attack and not an error in its product.
The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices.
The attackers targeted Sophos XG Firewall devices that had their administration (HTTPS service) or the User Portal control panel exposed on the internet. They used the SQL injection vulnerability to download a payload onto the device, which then stole files from the XG Firewall.
Stolen data might include usernames and hashed passwords for the firewall device admin, for the firewall portal admins, and for user accounts used for remote access to the device.
However, the company stated that passwords for customers’ other external authentication systems, such as AD or LDAP, were not affected.
Sophos also found no evidence that the stolen passwords had been used to access XG Firewall devices, or anything beyond the firewall, on its customers’ internal networks.
Sophos, known for its antivirus product, pushed an automatic update to patch all XG Firewalls that have the auto-update feature enabled.
This hotfix removed the SQL injection vulnerability, which prevented further exploitation; stopped the XG Firewall from accessing any attacker infrastructure; and cleaned up any remnants of the attack.
The security update also adds a special box to the XG Firewall control panel so that device owners can see whether their device has been compromised.
Sophos recommends a series of steps for companies whose devices have been hacked, which include password resets and device reboots:
- Reset portal administrator and device administrator accounts
- Reboot the XG device(s)
- Reset passwords for all local user accounts
- Even though the passwords were hashed, it is advised that passwords be reset for any accounts where the XG credentials might have been reused.
Sophos also recommends that affected companies disable the firewall’s administration interfaces on internet-facing ports if that feature is not required.