Tom here from Lawrence Systems. We're going to dive into a recently discovered malware that is specifically attacking Sophos firewalls. But first, if you'd like to learn more about me and my company, head over to lawrencesystems.com. If you'd like to hire us for a project, there's a Hire Us button right at the top. If you want to support this channel in other ways, there are affiliate links down below to get you deals and discounts on products and services we talk about on this channel, which does include links to our shirt and swag store as well as a Patreon, so you can become a Patreon supporter. And finally, if you'd like to have a more in-depth discussion about the video you're about to watch, or suggestions for other videos, head over to forums.lawrencesystems.com and we can have a discussion there. They're free and open community forums. Thank you very much, and let's get to the video.

All right, the Sophos news here. Yes, Sophos reporting on Sophos, and this is a great thing. This is, to me, exactly security done as it should be: in terms of follow-up, in terms of mitigation, in terms of debrief. So what we have here is "Asnarök (I think that's how it's pronounced) Trojan targets firewalls." Well, they should have said targets Sophos firewalls; that would be more accurate, but it doesn't mean it can't find other flaws in other firewalls. Now this write-up is really interesting, though. Here is the actual knowledge base article from Sophos. Now, if you have a Sophos system, please patch it. If you have automatic patching turned on, it should be fine. And this was updated April 27th, as in today. What happened?
Sophos received an incident report on April 22nd, so a few days ago, regarding XG Firewalls with a suspicious field value visible in the management interface. Sophos commenced an investigation of the incident and determined an attack against physical and virtual XG Firewall units. The attack affected systems with either the administrative interface (HTTPS admin service) or the user portal exposed on the WAN zone. So if you had either of those configurations, that is where the potential for an outside attack came in. Now, this did not require them to have credentials. This was a SQL injection technique that leveraged the ability for them to potentially exfiltrate data from here, and that's where we dive into the debrief.

Now this is really good in terms of debrief, and this is what I like: even though it is by the company, as opposed to a third party, Sophos clearly has good engineers on the case and breaks down each piece of how the attack began and how the attack progresses through the system. So the infection process started when an attacker discovered an exploit, a zero-day SQL injection with remote code execution vulnerability, which means they can get into this completely remotely. It does not require any type of credentials. Like I said, it just requires that you have either the user portal or the admin portal exposed, which, by the way, general practice in my opinion is not to do. Actually, that's a lot of people's opinion, not just Tom's. It is not a good idea to expose management interfaces to the greater internet, and this is exactly why, and it doesn't just apply to Sophos.
This applies to other firewalls as well. This exploit of this vulnerability resulted in the attacker being able to insert a one-line command into a database table. Now this is where things get really interesting, because they re-simulated the attack on their own system so they could kind of understand it. So the Install.sh script, when it initially ran, ran a number of PostgreSQL commands to modify and zero values of certain tables in the database, one of which normally displays the administrative IP address of the device itself. It appears there was an attempt to conceal the attack, but it backfired: on some appliances the shell script activity resulted in the attacker's own injected SQL command being displayed on the user interface of the firewall, and this is what got people's attention. Suddenly they're seeing SQL commands in the IP address field. So that's not good. Now, I'm going to leave a link to this; you can read up on the details, but they break down every step and stage, because this is actually several pieces strung together. So first you start with the SQL injection, and then there is a pivot into each piece that it goes through to try to establish persistence. From there it actually has a payload. The only thing that they're not clear on is whether or not this was successful at all in actually exfiltrating data. It has the potential to do it.
That is clearly the goal. They are not clear whether or not it did, and I guess it's going to depend on the firewall and probably some further reading. And by the way, this is probably going to be updated several times, so follow the link over here on Sophos and they'll keep it up to date there. The short answer is, if you have a Sophos, get it patched. This is where the note is, in the data exfiltration process. Note: "This section describes our understanding of the data exfiltration capability of the malware at the time of publication of this article, but we have not discovered any evidence that data collected has been successfully exfiltrated." And basically it dumps all the configuration of the firewall, and if you had remote access like a VPN, they would have your VPN config and be able to get into that network. So this is just a really good remediation response all the way through to the end, top to bottom, the way I think security should be done, and done right.

So this is one of the reasons, first, as a general rule: never, ever, whatever firewall you're running, expose the management interface, because that's just a bad idea. If there's ever a flaw found, that is where flaws are frequently found. This occurred not that long ago in some Cisco equipment, where they found a flaw in the interface, and Cisco's handling of it was not anywhere close to as good as Sophos's. Sophos has actually done this top to bottom with a full, quick mitigation. Now, there is no CVE assigned to this. Yep, this was a zero-day. So they were quick to act. They did not go into denial mode. They did not (I've covered the Cisco one before) kind of come up with a really poor solution. They immediately started looking for the indicators of compromise.
They started blocking the domains that they were finding this coming from. And I have noticed quite a bit of (and I'm going to pull up a little screenshot here) these types of attacks really ramping up now. This is a screenshot from just this morning of my Suricata logs on my firewall, and there is a pretty heavy number of attacks going on that Suricata has identified against, well, these are DrayTek routers. They recently discovered a DD-WRT remote execution. And this is a really old one, but they're still out there (because, by the way, just because a firewall is old doesn't mean someone took it offline): a really old vulnerability in Check Point firewalls. And those are still banging away on my firewall there, and Suricata is catching and stopping and blocking those. These are attacks in the wild. Pretty soon, once the signatures are developed (which they did; they do have a full set of these), it'll get into the logs and I'll probably see a bunch of Sophos XG entries in my Suricata logs for those types of attacks. So hats off to Sophos for doing a top-to-bottom job here on both, you know, just dealing quickly with the people who reported the issue, coming out with a mitigation, and diving deeper into it. And this was published the other day, so they were doing the research over the weekend even, you know, non-stop. This is what you want from a good security team, because when there's a zero-day in a product, you want it fixed as fast as possible, which they did. There was no delay.
There were no, you know, problems regarding that. An excellent debrief of everything that it does, and of course them speculating and not being overly confident. Oh no, they didn't exfiltrate data; at the time, it appears the malware couldn't get the mechanism to actually exploit the data and actually pull it out. So they don't think it did it; they think it was a failed attempt, but they left it open to further testing, and I'm positive they're still plugging away at it, truly trying to dive into it.

So, if you have a Sophos firewall, please change all your passwords if you had one of these and you had the configuration with the management portals exposed. But something else to think about is, if on the internal side of the network you had the portals exposed and perhaps the bad actor was able to get to this (statistically less likely), either way, probably change your passwords anyway, because there's a risk there that this could have occurred. Follow the links at Sophos; they do have all the updates, and keep up with it if you have one of those firewalls. But I hope more firewall companies realize this is the way to do security right. When you have a flaw, you get ahead of it by documenting it all yourself, walking through it all yourself. Don't let some third-party researcher just call you out and everyone else go, "Hey, this is a bad thing and you guys are in denial about it." Looking at you, Cisco. And I'll leave a link to that Cisco video about Red Balloon Security. It's kind of face-palming. It's the way not to handle it, versus the way this got handled.
Thanks, and thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button, and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general. Even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel out in other ways, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.
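As an added, defender-side example that is not part of the video or of Sophos's article: a small Python audit over a constructed, simplified config dump that checks the two things the video stresses, whether the admin HTTPS service or user portal is allowed on the WAN zone, and whether a field that should hold an IP address instead carries SQL-like text (the tell that exposed this attack on affected appliances). The key names, zone labels and planted values are assumptions, not Sophos XG's real configuration schema.

```python
import ipaddress
import re

# Constructed sample (not a real XG export): a simplified key/value dump of a
# firewall's admin settings. Two entries are planted to mirror the video's
# indicators: a management service allowed on the WAN zone, and an "IP
# address" field holding SQL text instead of an address.
SAMPLE_CONFIG = {
    "admin.https.zones": ["LAN", "WAN"],
    "userportal.zones": ["LAN"],
    "admin.ip_address": "192.0.2.10",
    "device.admin_ip": "192.0.2.1' ; update tblfoo set x=1 --",
    "dns.primary": "198.51.100.53",
}

MGMT_SERVICES = ("admin.https.zones", "userportal.zones")  # never on WAN
IP_FIELDS = ("admin.ip_address", "device.admin_ip", "dns.primary")
# Tokens that have no business in an IP field; their presence is the tell.
SQL_MARKERS = re.compile(r"(?i)\b(select|insert|update|delete|union)\b|['\";]|--")


def exposed_management_services(config):
    """Return management settings that allow access from the WAN zone."""
    return [k for k in MGMT_SERVICES if "WAN" in config.get(k, [])]


def suspicious_ip_fields(config):
    """Return (field, reason) for IP fields whose value is not one address.

    SQL-like content is reported separately from a merely malformed value so
    the injection tell can be triaged first.
    """
    findings = []
    for field in IP_FIELDS:
        value = str(config.get(field, ""))
        try:
            ipaddress.ip_address(value)
        except ValueError:
            reason = "sql-like content" if SQL_MARKERS.search(value) else "not an ip"
            findings.append((field, reason))
    return findings


if __name__ == "__main__":
    print("WAN-exposed:", exposed_management_services(SAMPLE_CONFIG))
    print("Bad IP fields:", suspicious_ip_fields(SAMPLE_CONFIG))
```

On the sample above, the audit flags the admin HTTPS service as WAN-exposed and the device.admin_ip field as carrying SQL-like content.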