On Saturday, cybersecurity firm Sophos released an emergency security update to fix a zero-day flaw in its XG enterprise firewall product that cybercriminals had been exploiting for some time.

The company said it first learned of the vulnerability late on Wednesday, April 22, after one of its customers reported it. The customer said they had seen “a suspicious field value visible in the management interface.”

After examining the report, Sophos determined that this was an active attack and not an error in its product.

Sophos said in a security advisory today: “The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices.”

The company said the criminals used the SQL injection flaw to download a payload on the device, which subsequently stole files from the XG Firewall.
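The passages above describe the bug class (an SQL injection reachable through the management interface) but not the mechanism. The following is an added illustration, not code from Sophos or from the XG Firewall: it contrasts a lookup that pastes untrusted input into the SQL text with the parameterized form that a driver binds safely. The table, columns, sample rows and function names are assumptions constructed for this example.

```python
import sqlite3

# Constructed sample rows standing in for an appliance's admin-user table.
# Table name, columns and values are assumptions for this example only.
SAMPLE_USERS = [
    ("admin", "hash-of-admin-password"),
    ("portaladmin", "hash-of-portal-password"),
]


def build_db():
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Anti-pattern: untrusted input is interpolated into the SQL string,
    so the caller controls the structure of the query, not just a value."""
    sql = "SELECT username, password_hash FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: the driver binds the value, so the input can only ever
    be compared literally against the username column."""
    sql = "SELECT username, password_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic textbook injection input, constructed for the demonstration.
INJECTED_INPUT = "nobody' OR '1'='1"


def demo():
    """Run both lookups against the same input and return their results."""
    conn = build_db()
    return {
        "vulnerable": lookup_vulnerable(conn, INJECTED_INPUT),
        "parameterized": lookup_parameterized(conn, INJECTED_INPUT),
    }


if __name__ == "__main__":
    for mode, rows in demo().items():
        print(mode, "->", len(rows), "row(s) returned")
```

Against the injected input the interpolated query's WHERE clause becomes always true and every credential row comes back, which is the kind of data leak the advisory describes; the parameterized query returns nothing because no account is literally named that way. Reviewing management-interface code for string-built SQL, and auditing that every query path uses bound parameters, is the corresponding defensive check.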

Stolen data could include usernames and hashed passwords for the firewall device administrator, for the firewall portal administrators, and for user accounts used for remote access to the device.

Sophos said that passwords for customers’ other external authentication systems, such as AD or LDAP, were impacted.

The company said that during its investigation it found no evidence that the attackers used the stolen passwords to access XG Firewall devices, or anything beyond the firewall, on its customers’ internal networks.

Sophos said: “This hotfix eliminated the SQL injection vulnerability which prevented further exploitation, stopped the XG Firewall from accessing any attacker infrastructure, and cleaned up any remnants from the attack.”

The company also recommends that organizations disable the firewall’s administration interfaces on internet-facing ports if they do not need the feature.
