Over the weekend, Sophos announced it had released a hotfix for Sophos XG firewalls. The hotfix patches an SQL injection vulnerability that allowed attackers to download payloads to the device.
It looks like hashed usernames and passwords were stolen from the XG devices, so all XG owners should reset the administration password and the passwords of any local VPN users as well.
It appears the attack came in through either the admin portal (port 4444) or the user portal (port 443). The administration portal is normally closed on the WAN, but it is common practice to expose the user portal on the WAN.
If your firewall has been compromised, Sophos recommends these steps
One of the issues I’ve faced on this server is xmlrpc.php attacks. These are normally bots trying to exploit old bugs in xmlrpc.php within WordPress. Many legitimate plugins, such as Jetpack, make calls to this file, so blocking it outright isn’t really an option.
In my case, I wanted to block these attacks with iptables, so I went about creating a rule using fail2ban.
To get started, get iptables and fail2ban installed:
apt-get install fail2ban iptables
Once installed, edit the default jail file. This won’t exist on a new install.
Add the following lines (make sure the path matches your own):
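As an added illustration (not the post’s own jail or filter lines, which are not reproduced here), the Python below shows how a fail2ban-style failregex for POSTs to xmlrpc.php, together with the jail’s maxretry and findtime settings, decides which hosts get banned when run over a few constructed Apache access-log lines. The filter name wordpress-xmlrpc and the threshold values are assumptions; only a flood of POSTs trips the ban, so a plugin such as Jetpack making occasional calls stays unaffected.

```python
"""Simulate a fail2ban jail for xmlrpc.php floods (constructed example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban-style failregex as it would appear in
# /etc/fail2ban/filter.d/wordpress-xmlrpc.conf (assumed filter name).
# <HOST> is the token fail2ban replaces with its own IP pattern.
FAILREGEX = r'^<HOST> \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /xmlrpc\.php'

# Jail thresholds as they would be set in jail.local (assumed values).
MAXRETRY = 5                       # hits before a ban
FINDTIME = timedelta(seconds=600)  # sliding window the hits must fall in

HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"   # IPv4 only, for brevity
COMPILED = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))


def parse_ts(s):
    """Parse an Apache timestamp such as 27/Apr/2020:10:00:00 +0000."""
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")


def hosts_to_ban(log_lines):
    """Return the hosts that reach MAXRETRY matching lines within FINDTIME."""
    hits, banned = defaultdict(list), set()
    for line in log_lines:
        m = COMPILED.match(line)
        if not m:
            continue                # GETs and other paths never count
        host, ts = m.group("host"), parse_ts(m.group("ts"))
        # keep only earlier hits still inside the findtime window
        hits[host] = [t for t in hits[host] if ts - t <= FINDTIME] + [ts]
        if len(hits[host]) >= MAXRETRY:
            banned.add(host)
    return banned


def mk(host, method, t):
    """Build one constructed Apache combined-format log line."""
    return (f'{host} - - [27/Apr/2020:{t} +0000] "{method} /xmlrpc.php '
            'HTTP/1.1" 200 421 "-" "Mozilla/5.0"')


SAMPLE_LOG = (
    [mk("203.0.113.7", "POST", f"10:0{i}:00") for i in range(6)]      # flood
    + [mk("198.51.100.2", "POST", f"{10 + i}:00:00") for i in range(6)]  # hourly
    + [mk("192.0.2.9", "GET", f"10:0{i}:30") for i in range(6)]      # GETs
)

if __name__ == "__main__":
    print(sorted(hosts_to_ban(SAMPLE_LOG)))   # only the flooding host
```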