Attackers Target Sophos Firewalls with Zero-Day

Published: 23/11/2024   Category: security




Remote exploit compromises specific configurations of XG firewalls with the intent of stealing data from the devices.



Security firm Sophos acknowledged a coordinated attack by an unknown adversary that compromised the company's XG firewall products using a previously unknown SQL injection vulnerability, according to an advisory published on April 27.
The attack, which took place five days earlier, targeted multiple customers whose firewalls had been configured with the administrative or user portal exposed to the Internet, and which had a firewall service, such as an SSL VPN, exposed to the Internet on the same port. While these settings are not the default configuration, companies struggling with remote workers may have been more likely to configure their firewall to allow remote administration and could have placed services on the same interface as the administrative portal.
The attack began midday on April 22, and by early morning of the following day, Sophos had determined that multiple customers' firewalls had been compromised by the exploit, resulting in its response escalating to a major incident process, the company stated in its advisory.
Sophos immediately began an investigation that included retrieving and analyzing the artifacts associated with the attack, a Sophos spokesperson said in an e-mail interview with Dark Reading. After determining the components and impact of the attack, Sophos deployed a hotfix to all supported versions.
Because of the hotfix, companies can look for alerts on their firewall's Control Center dashboard to determine whether their appliance had been targeted, Sophos said in its advisory.
In a separate analysis, Sophos revealed the results of its investigation. Once a firewall had been compromised, the attackers ran a series of shell scripts to install executable files designed to run on the firewall's operating system, starting with a shell script, install.sh. The script attempted to install two other programs, one of which was designed to make the attack persistent. The script also attempted to conceal its activities, but — because of poor design — actually made it more noticeable, Sophos said.
This attack targeted Sophos products and apparently was intended to steal sensitive information from the firewall, the company said.
The malware appeared to be focused on data exfiltration. While the attack had capabilities to exfiltrate data from infected firewall appliances, Sophos had not discovered any evidence that the data collected had been successfully exfiltrated, the company said in its analysis. The scripts focused on copying the contents of specific database tables from the firewall and then appended the collected information to a file on the firewall.
The attack appeared quite sophisticated, but a Sophos spokesperson said it is too early to tell who is behind the attack, while the company continues to investigate.
Sophos is not the first security company to suffer a targeted attack against its products. In May 2019, a group of hackers claimed to have stolen source code from Trend Micro, McAfee and Symantec. Only Trend Micro confirmed the breach, while Symantec denied that the company had suffered a compromise.
In 2017, attackers compromised the development systems of Piriform — recently purchased by security firm Avast — and installed a malicious backdoor into the code of its system utility, CCleaner. The group behind the attack appeared to be a Chinese government-linked APT group, according to analysis.
In the latest attack on a security firm, Sophos stated that it is not aware of any subsequent attempts to use the beachhead in customers' firewalls to extend access to customers' systems. The malware installed by the attackers is designed to collect public IP addresses and the firewall's license key, as well as to gather SQL user account information, a hash of the administrator's password, and information on policies. The software compresses the data and sends it back to the attacker over an encrypted connection.
The company urged its customers to harden their firewall configurations and not expose the administrative interface or user portal to the Internet.
"Although we have remediated this vulnerability, it is always a good idea to reduce attack surface wherever possible by disabling HTTPS Admin Services and User Portal access on the WAN interface," the company states in its advisory.
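The exposure condition described above (admin or user portal reachable from the Internet, with another service such as an SSL VPN bound to the same port on the same interface) is easy to state as a configuration check. The following is an added example, not code from Sophos or from the article; the `Listener` records and the `audit`/`harden` functions are hypothetical and assume a simplified, constructed view of which services are bound to which zone and port. It is meant to show how a defender could review an exported firewall configuration, not to model any vendor's actual config format.

```python
from dataclasses import dataclass

# Hypothetical simplified representation of one service binding on a firewall.
@dataclass(frozen=True)
class Listener:
    service: str   # e.g. "admin_portal", "user_portal", "ssl_vpn"
    zone: str      # "WAN" (Internet-facing) or "LAN"
    port: int

# The two management surfaces the advisory says should not face the WAN.
PORTALS = {"admin_portal", "user_portal"}


def audit(listeners):
    """Return a list of findings describing the weak exposure pattern.

    Two conditions are flagged:
      1. A management portal is bound to the WAN zone at all.
      2. A WAN port is shared between a portal and some other service
         (the same-port condition the article describes).
    """
    findings = []
    wan = [l for l in listeners if l.zone == "WAN"]

    for l in wan:
        if l.service in PORTALS:
            findings.append(f"{l.service} exposed on WAN port {l.port}")

    by_port = {}
    for l in wan:
        by_port.setdefault(l.port, set()).add(l.service)
    for port, services in sorted(by_port.items()):
        if services & PORTALS and services - PORTALS:
            findings.append(f"port {port} on WAN shared by {sorted(services)}")
    return findings


def harden(listeners):
    """Apply the advisory's recommendation: drop portal bindings from the WAN zone.

    Non-portal services (e.g. the SSL VPN) and LAN-side management are kept.
    """
    return [l for l in listeners if not (l.zone == "WAN" and l.service in PORTALS)]


# Constructed sample configuration reproducing the weak setup from the article:
# both portals and the SSL VPN share TCP 443 on the WAN side.
WEAK_CONFIG = [
    Listener("admin_portal", "WAN", 443),
    Listener("ssl_vpn", "WAN", 443),
    Listener("user_portal", "WAN", 443),
    Listener("admin_portal", "LAN", 4444),  # management from the inside is fine
]

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print("FINDING:", finding)
    print("after hardening:", audit(harden(WEAK_CONFIG)))  # expect an empty list
```

Running the block lists three findings for the constructed weak configuration (each portal on the WAN, plus the shared port 443) and none after `harden` removes the portal bindings from the WAN zone while leaving the VPN and the LAN-side admin access in place.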
