Hackers are exploiting a Sophos firewall zero-day

Cyber-security firm Sophos published an emergency security update on Saturday to patch a zero-day vulnerability in its XG enterprise firewall product that was being abused in the wild by hackers.

Sophos said it first learned of the zero-day late on Wednesday, April 22, after it received a report from one of its customers. The customer reported seeing “a suspicious field value visible in the management interface.”

After investigating the report, Sophos determined this was an active attack and not an error in its product.

HACKERS ABUSED AN SQL INJECTION BUG TO STEAL PASSWORDS

“The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices,” Sophos said today.

Hackers targeted Sophos XG Firewall devices that had their administration (HTTPS service) or the User Portal control panel exposed on the internet.

Sophos said the hackers used the SQL injection vulnerability to download a payload on the device. This payload then stole files from the XG Firewall.

Stolen data could include usernames and hashed passwords for the firewall device admin, for the firewall portal admins, and user accounts used for remote access to the device.

Sophos said that passwords for customers’ other external authentication systems, such as AD or LDAP, were unaffected.

The company said that during its investigation, it did not find any evidence that hackers used the stolen passwords to access XG Firewall devices, or anything beyond the firewall, on its customers’ internal networks.

PATCH ALREADY PUSHED TO CUSTOMER DEVICES

The UK company, famed for its antivirus product, said it prepared and already pushed an automatic update to patch all XG Firewalls that have the auto-update feature enabled.

“This hotfix eliminated the SQL injection vulnerability which prevented further exploitation, stopped the XG Firewall from accessing any attacker infrastructure, and cleaned up any remnants from the attack,” it said.

The security update will also add a special box in the XG Firewall control panel to let device owners know if their device has been compromised.


Increase in viruses targeted towards remote workers

Cybercriminals are unleashing a surprisingly high volume of new threats in this short period of time to take advantage of inadvertent security gaps as organisations are in a rush to ensure business continuity.

Cyber-security firm Fortinet announced on Monday that over the past several weeks it has been monitoring a significant spike in COVID-19 related threats.

An unprecedented number of unprotected users and devices are now online, with one or two people in every home connecting remotely to work through the internet. At the same time, children at home are engaged in remote learning, and the entire family is playing multi-player games, chatting with friends, and streaming music and video. The firm’s FortiGuard Labs is observing this perfect storm of opportunity being exploited by cybercriminals, as its Threat Report on the Pandemic highlights:

  • A surge in phishing attacks: The research shows an average of about 600 new phishing campaigns every day. The content is designed either to prey on the fears and concerns of individuals or to pretend to provide essential information on the current pandemic. The phishing attacks range from scams related to helping individuals deposit their stimulus for Covid-19 tests, to providing access to Chloroquine and other medicines or medical devices, to providing helpdesk support for new teleworkers.
  • Phishing scams are just the start: While these attacks begin with phishing, their end goal is to steal personal information or even to target businesses through teleworkers. The majority of the phishing attacks carry malicious payloads, including ransomware, viruses, remote access trojans (RATs) designed to give criminals remote access to endpoint systems, and even RDP (remote desktop protocol) exploits.
  • A sudden spike in viruses: The first quarter of 2020 has documented a 17% increase in viruses for January, a 52% increase for February and an alarming 131% increase for March compared to the same period in 2019. The significant rise in viruses is mainly attributed to malicious phishing attachments. Multiple sites that illegally stream movies still in theatres secretly infect anyone who logs on with malware. Free game, free movie, and the attacker is on your network.
  • Risks for IoT devices magnify: As users are all connected to the home network, attackers have multiple avenues of attack targeting devices including computers, tablets, gaming and entertainment systems and even online IoT devices such as digital cameras and smart appliances, with the ultimate goal of finding a way back into a corporate network and its valuable digital resources.
  • Ransomware-like attacks to disrupt business: If the device of a remote worker can be compromised, it can become a conduit back into the organization’s core network, enabling the spread of malware to other remote workers. The resulting business disruption can be just as effective at taking a business offline as ransomware targeting internal network systems. Since helpdesks are now remote, devices infected with ransomware or a virus can incapacitate workers for days while devices are mailed in for reimaging.

“Though organizations have completed the initial phase of transitioning their entire workforce to remote telework and employees are becoming increasingly comfortable with their new reality, CISOs continue to face new challenges presented by maintaining a secure teleworker business model. From redefining their security baseline, or supporting technology enablement for remote workers, to developing detailed policies for employees to have access to data, organizations must be nimble and adapt quickly to overcome these new problems that are arising”, said Derek Manky, Chief, Security Insights & Global Threat Alliances at Fortinet – Office of CISO.

BEC Attacks

Business Email Compromise (BEC) attacks have become a highly remunerative line of business for threat actors. New research from the APWG (Anti-Phishing Working Group) revealed how enterprises lose their wealth to BEC attacks. In its “Phishing Activity Trends Report,” APWG highlighted that the average wire transfer loss from BEC attacks surged from $54,000 in Q1 2020 to $80,183 in Q2 2020, as cybercriminals expected high returns.

In a BEC attack, cybercriminals first steal legitimate business email account credentials, which they later use to run financial fraud campaigns: fraudulent email messages, requests for out-of-channel funds transfers, and deleted accounting trails to cover their tracks.

BEC: A Lucrative Attack Vector

The report found that BEC attackers demanded 66% of funds in the form of gift cards, and that the average amount of gift cards requested during Q2 of 2020 was $1,213, down from $1,453 in Q1 of 2020. In addition, the number of phishing sites detected in Q2 of 2020 was 146,994, down from the 165,772 observed in Q1 of 2020. Phishing attacks targeting the social media industry increased in Q2 by about 20%, with the most targeted attacks against Facebook and WhatsApp.

Threat from Russian Hackers

The research also tracked the emergence of a Russia-based BEC gang known as “Cosmic Lynx,” alongside the West African scammers already targeting organizations with BEC attacks. It found that the average ransom demanded by the Cosmic Lynx group is about $1.27 million. “We were expecting that Russian cybercriminals would move into the world of BEC because the return on investment for basic social engineering attacks is much higher than launching more sophisticated (and more expensive) malware-based attacks,” the report said.

A Rising Concern

Recently, the FBI warned that organizations that use cloud-based email systems are at high risk of BEC attacks. The bureau advised employees about email scams that begin with phishing kits designed to mimic two popular cloud-based email services, luring employees into compromising business email accounts and misdirecting funds transfers. The FBI stated that its Internet Crime Complaint Center (IC3) received complaints between January 2014 and October 2019 reporting more than US$2.1 billion in losses from BEC scams.

Courtesy: cisomag.eccouncil.org