covering the week's top textbooks like
Linux bias users of a widely used
firewall from Sophos have been under a
zero-day attack that was designed to
steal usernames cryptographically
protected passwords and other sensitive
data the well researched and develop
attack exploited an SQL injection flow
flaw in fully patched versions of the
Sophos XG firewall with that toehold in
systems that downloaded and installed a
series of scripts that ultimately
executed code intended to make off with
users real names usernames the
cryptographically hashed form of the
passwords and assaulted sha-256 hash of
the administrator accounts password
Sophos has delivered a hotfix that might
against the vulnerability other data
targeted by the attack included in IP
address allocation permissions for
firewall users system information such
as running OS and version uptime and
network configuration as well as the ARP
tables used to map IP addresses to
device MAC addresses sofas research
researchers wrote in Sunday's disclosure
this malware's primary task appeared to
be data theft which it could perform by
retrieving the contents of various
database tables stored in the firewall
as well as by running some operating
system command the exploits also
downloaded the malware from domains that
appeared in the loop to be legitimate to
evade detection some of the malware
deleted underlying files that executed
it and ran solely in memory the
malicious code uses a creative and
roundabout method to ensure it's
executed it's executed each time
firewalls are started those
characteristics strongly suggests that
the threat actors spent weeks or months
laying the groundwork for the attacks
the data the malware was designed to
exfiltrate suggests the attack was
designed to give attackers the means to
further penetrate the organizations that
use the firewall through phishing
attacks and unauthorized access to user
accounts the zero day vulnerability that
made the attacks possible was a pre
authentication SQL injection flaw found
in the custom operating system that runs
the
firewall so folks provided no additional
details about the vulnerability users of
vulnerable firewalls should ensure the
hotfix is installed as soon as possible
and then examine their systems for signs
of compromised published on the Sophos
news site as the fix is part of the
automatic ich update ecosystem ensure
your firewall has these enabled to
receive the fix