Attackers exploiting a zero-day in Sophos firewalls, have yours been hit? (Security News, April 2020)
Aside from plugging the security hole, the hotfix detects if the firewall was hit by attackers and, if it was, stops it from accessing any attacker infrastructure, cleans up remnants from the attack, and notifies administrators about it so that they can perform additional remediation steps.
The zero-day affects all versions of XG Firewall firmware on both physical and virtual Sophos firewalls.
"Sophos received a report on April 22, 2020, at 20:29 UTC regarding an XG Firewall with a suspicious field value visible in the management interface. Sophos commenced an investigation and the incident was determined to be an attack against physical and virtual XG Firewall units," the company shared.
"The attack affected systems configured with either the administration interface or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service to the WAN zone that shares the same port as the admin or User Portal were also affected."
The company says that the attack used a chain of Linux shell scripts that eventually downloaded ELF binary executable malware compiled for SFOS, the Sophos Firewall Operating System.
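The affected configuration quoted above has two parts: the admin interface or user portal published on the WAN zone, or any other WAN-facing rule that happens to share a port with one of those services. The following audit helper is an added example, not Sophos' code or tooling; it encodes that condition over a constructed rule list. The `Rule` format is a stand-in for an exported rule set, and the default ports (4444 for the admin interface, 443 for the user portal) are assumptions that should be replaced with the values configured on the appliance being checked.

```python
# Added example (not Sophos' code): audit a firewall's published services for the
# WAN-exposure condition described in the advisory. The rule format is a constructed
# stand-in for an exported rule set; the port values are assumed defaults.
from dataclasses import dataclass

# Assumed default listening ports for the two management services named in the
# advisory; both are configurable on a real appliance, so pass the real values in.
ADMIN_PORT = 4444
USER_PORTAL_PORT = 443


@dataclass(frozen=True)
class Rule:
    name: str
    zone: str        # zone the rule listens on, e.g. "WAN" or "LAN"
    port: int        # TCP port exposed by the rule
    service: str     # what the rule publishes: "admin", "user_portal", or a custom service


def exposed_management_rules(rules, admin_port=ADMIN_PORT, portal_port=USER_PORTAL_PORT):
    """Return (rule name, reason) pairs for rules matching the affected configuration:
    the admin interface or user portal listening on WAN, or any other WAN-facing
    rule that shares a port with either of them."""
    findings = []
    mgmt_ports = {admin_port: "admin", portal_port: "user_portal"}
    for r in rules:
        if r.zone.upper() != "WAN":
            continue  # only WAN-facing rules are in scope
        if r.service in ("admin", "user_portal"):
            findings.append((r.name, f"{r.service} exposed on WAN"))
        elif r.port in mgmt_ports:
            # A custom service published on the management port is the second
            # affected case named in the advisory.
            findings.append(
                (r.name, f"service '{r.service}' shares port {r.port} with {mgmt_ports[r.port]}")
            )
    return findings


# Constructed sample rule set for the demonstration
SAMPLE_RULES = [
    Rule("lan-admin", "LAN", 4444, "admin"),          # fine: admin only on LAN
    Rule("wan-portal", "WAN", 443, "user_portal"),    # affected: portal on WAN
    Rule("wan-vpn-https", "WAN", 443, "sslvpn"),      # affected: shares portal port on WAN
    Rule("wan-smtp", "WAN", 25, "smtp"),              # fine: unrelated port
]

if __name__ == "__main__":
    for name, why in exposed_management_rules(SAMPLE_RULES):
        print(f"{name}: {why}")
```

Feed it the real rule export and the real admin and portal ports; an empty result means neither affected configuration is present, which does not by itself prove the unit was not reached before the hotfix, so the hotfix's own compromise notification still has to be checked.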
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/DdLVPrbJQ8k/
Related news
- U.S. Charges Chinese Hacker for Exploiting Zero-Day in 81,000 Sophos Firewalls
- US names Chinese national it alleges was behind 2020 attack on Sophos firewalls
- Sophos Issues Hotfixes for Critical Firewall Flaws: Update to Prevent Exploitation
- Sophos Firewall vulnerable to critical remote code execution flaw
- Sophos discloses critical Firewall remote code execution flaw
- Miscreants 'mass exploited' Fortinet firewalls, 'highly probable' zero-day used
- Fortinet Warns of New Zero-Day Used in Attacks on Firewalls with Exposed Interfaces
- Fortinet warns of auth bypass zero-day exploited to hijack firewalls
- Patch procrastination leaves 50,000 Fortinet firewalls vulnerable to zero-day