Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 2 replies
  • Subscribers 27 subscribers
  • Views 665 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

KB135412 - Is HTTPS Inspected Data at Risk?

J_87586

My XG Firewall reported as compromised.

I have the hotfix, and have reset all local passwords, disabled VPN, and disabled WAN access to the user portal (admin portal was already disabled).

I have HTTPS traffic inspection enabled for a couple hosts on my network. What's the likelihood that this compromise would have allowed the attacker to exfiltrate unencrypted traffic that was leaving those machines? I'm concerned about account credentials that the hosts would have been sending as users logged into email accounts, bank accounts, etc.

Thoughts? Should I be telling users that they need to change account passwords for every single service that accessed while connected in the past 2, 4, 10 days?

Thanks,



This thread was automatically locked due to age.
  • +1

    Hi  

    We sincerely regret any inconvenience this has caused.

    At this time, there is no indication that the attack accessed anything on the local networks behind any impacted XG Firewall. It appears the attack was designed to download payloads intended to exfiltrate XG Firewall-resident data.

    The data for any specific firewall depends upon the specific configuration and may include usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access. Passwords associated with external authentication systems such as AD or LDAP are unaffected.

    We are continuing to investigate and expect to release more details of the attack.  Please follow https://community.sophos.com/kb/en-us/135412 for further updates.

    Regards,

  • +1 in reply to FloSupport

    After analyzing the components and intent of the attack, Sophos published a SophosLabs Uncut article, “Asnarok” Trojan targets firewalls, to share its current understanding of the malware.