Over the weekend, Sophos announced it had released a hotfix for Sophos XG firewalls. This hotfix patched an SQL injection vulnerability that allowed attackers to download payloads to the device.
It looks like the hashed usernames and passwords have been stolen from the XG devices. This means all XG owners should reset the passwords for administration and any local VPN users as well.
It appears the attack was carried out against either the admin portal (port 4444) or the user portal (port 443). The administration portal is normally closed on the WAN; however, it is normal practice to have the user portal exposed on the WAN.
If your firewall has been compromised, Sophos recommends these steps:
- Reset device administrator accounts
- Reboot the XG device(s)
- Reset passwords for all local user accounts
- Although the passwords were hashed, it is recommended that passwords are reset for any accounts where the XG credentials might have been reused
We are awaiting further information from Sophos.