SQL Injection - Admin Portal IP Restricted - How?

Hi,

what port are you using for your access?

an

Not the standard 443.

Thanks Ian.

I'm not using that port.

Hi IT-Support-247 

The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or User Portal were also affected. For reference, the default configuration of XG Firewall is that all services operate on unique ports.

Sophos recommends using Sophos Connect and also using OTP/2FA.

We will soon release more details of the attack and its payloads. Please follow our https://community.sophos.com/kb/en-us/135412 for further updates.

Regards,

After analyzing the components and intent of the attack, Sophos published a SophosLabs Uncut article, “Asnarok” Trojan targets firewalls, to share its current understanding of the malware.

Hi Flo

Thanks for the detailed article - very informative and nicely put together.

However, it still doesn't address exactly how they targeted the devices with SQL Injection if the device is not accessible from anywhere except for a trusted IP source..?

If you cannot get to the login form, how can you inject the malicious SQL Commands?

Hello,

I also don't have port 8443 or 443 open for WAN settings. I have admin services on for WAN on HTTPS but i am using a different port.

So, I dont understand how the firewall was compromised. Is it a False Positive?

Port scanning your WAN connection will reveal ports that have services running on them. They can then just launch the attack against whatever ports you have open.

Changing the default ports won't stop an attack like this if they scan for open ports.

Hello,

Was the User Portal accessible from WAN without filtering the source IPs ?

Because the issue is both on the Admin Portal and the User Portal.

Hi Viken

User Portal completely disabled on all interfaces, including WAN. We've never used it.

Admin Portal available on WAN, but only allowing connection from our main IP at our head office. I have tested this several times and it works. It's been in place for over a year now. We also have Geo-IP filtering enabled for inbound as well, excluding all countries except for a few that we need.

So... I am a bit confused. Maybe the fact that WAN was enabled, was enough for the Hotfix to trigger a "compromised" message..?

IT-Support-247 said:

Hi Viken

User Portal completely disabled on all interfaces, including WAN. We've never used it.

Admin Portal available on WAN, but only allowing connection from our main IP at our head office. I have tested this several times and it works. It's been in place for over a year now. We also have Geo-IP filtering enabled for inbound as well, excluding all countries except for a few that we need.

So... I am a bit confused. Maybe the fact that WAN was enabled, was enough for the Hotfix to trigger a "compromised" message..?

 

Hello,

How did you configure your Geo-IP filtering on the WAN Admin Portal? Did you allow directly countries in the ACL Exceptions?

IT-Support-247 said:

Hi Viken

User Portal completely disabled on all interfaces, including WAN. We've never used it.

Admin Portal available on WAN, but only allowing connection from our main IP at our head office. I have tested this several times and it works. It's been in place for over a year now. We also have Geo-IP filtering enabled for inbound as well, excluding all countries except for a few that we need.

So... I am a bit confused. Maybe the fact that WAN was enabled, was enough for the Hotfix to trigger a "compromised" message..?

 

Hello,

How did you configure your Geo-IP filtering on the WAN Admin Portal? Did you allow directly countries in the ACL Exceptions?

My bad, I don't have any Geo-IP filtering enabled on Admin Portal, only on the Firewall rules.

The admin portal rule only allows trusted IPs. Everything that doesn't match, gets dropped.

Oh ok.

But are you really sure that your User Portal is closed from WAN, and that your Admin Portal is only accessible by trusted IPs ?

Could you please send a screenshot of your "Device Access" Tab ?

Yes I am sure. I’ve been working with these devices for over 2 years now.

I’ll find a screenshot soon when I’m back at my computer.