Covering the week's top tech stories, like Linux bias. Users of a widely used firewall from Sophos have been under a zero-day attack that was designed to steal usernames, cryptographically protected passwords, and other sensitive data. The well-researched and developed attack exploited a SQL injection flaw in fully patched versions of the Sophos XG firewall. With that toehold in systems, the attackers downloaded and installed a series of scripts that ultimately executed code intended to make off with users' real names, usernames, the cryptographically hashed form of the passwords, and a salted SHA-256 hash of the administrator account's password. Sophos has delivered a hotfix that mitigates against the vulnerability.

Other data targeted by the attack included an IP address allocation, permissions for firewall users, system information such as running OS and version, uptime and network configuration, as well as the ARP tables used to map IP addresses to device MAC addresses. Sophos researchers wrote in Sunday's disclosure: "This malware's primary task appeared to be data theft, which it could perform by retrieving the contents of various database tables stored in the firewall, as well as by running some operating system commands."

The exploits also downloaded the malware from domains that appeared to be legitimate, to evade detection. Some of the malware deleted the underlying files that executed it and ran solely in memory. The malicious code uses a creative and roundabout method to ensure it's executed each time firewalls are started. Those characteristics strongly suggest that the threat actors spent weeks or months laying the groundwork for the attacks. The data the malware was designed to exfiltrate suggests the attack was designed to give attackers the means to further penetrate the organizations that use the firewall, through phishing attacks and unauthorized access to user accounts.

The zero-day vulnerability that made the attacks possible was a pre-authentication SQL injection flaw found in the custom operating system that runs the firewall. Sophos provided no additional details about the vulnerability. Users of vulnerable firewalls should ensure the hotfix is installed as soon as possible, and then examine their systems for the signs of compromise published on the Sophos news site. As the fix is part of the automatic hotfix update ecosystem, ensure your firewall has these enabled to receive the fix.