@www.justice.gov - 72d
The US Treasury Department's Office of Foreign Assets Control has sanctioned Sichuan Silence Information Technology Company, a Chinese cybersecurity contractor, and its employee Guan Tianfeng for their roles in the April 2020 compromise of tens of thousands of firewalls worldwide. The campaign exploited a zero-day vulnerability in Sophos firewalls (CVSS v3.0 10.0) to infect roughly 81,000 devices, including those of critical infrastructure companies, with malware that retrieved and exfiltrated data from the firewalls and the hosts behind them and was designed to encrypt files on those hosts if the victim tried to remediate the infection. The Department of Justice has separately indicted Guan for conspiring to develop and deploy the malware, and a reward of up to $10 million is on offer for information about Sichuan Silence or Guan. The coordinated sanctions, indictment and reward underline the continuing threat from PRC-based contractors working for Chinese government agencies.
References :
- www.pcmag.com: US sanctions Chinese cybersecurity firm for hacking 81k firewall devices
- : Related to DOJ toot above. The Department of the Treasury's Office of Foreign Assets Control (OFAC) is sanctioning cybersecurity company Sichuan Silence Information Technology Company, Limited (Sichuan Silence), and one of its employees, Guan Tianfeng, both based in People's Republic of China (PRC), for their roles in the April 2020 compromise of tens of thousands of firewalls worldwide.
- www.bleepingcomputer.com: US sanctions Chinese firm for hacking firewalls in ransomware attacks
- www.justice.gov: Chinese national Guan Tianfeng was charged in connection with the mass exploitation of Sophos firewalls in 2020.
- : People's Republic of China (PRC)-based Sichuan Silence Information Technology Co. Ltd. (Sichuan Silence) has provided services to China's Ministry of Public Security, among other Chinese government agencies. In 2020, Chinese national Guan Tianfeng and other employees of Sichuan Silence developed and tested intrusion techniques prior to deploying malicious software that allowed them to exploit a zero-day vulnerability in certain Sophos firewalls (CVSSv3.0: 10.0 critical). Sichuan Silence used the exploit to infiltrate approximately 81,000 firewall devices, infecting them with malware designed to not only retrieve and exfiltrate data from firewalls and computers behind them, but also encrypt files on infected computers if a victim attempted to remediate the infection.
- Cyber Security News: US Sanctions Chinese Firm for Firewall Hacks Linked to Ransomware
- gbhackers.com: US Charged Chinese Hackers for Exploiting Thousands of Firewall
- CyberInsider: U.S. Indicts Chinese Hacker for Firewall Exploit Targeting 81,000 Devices
- Dataconomy: Dataconomy's report on the Sophos firewall breach.
- therecord.media: US sanctions Chinese cyber firm for compromising ‘thousands’ of firewalls in 2020
- flashpoint.io: China-Based Hacker Charged for Conspiring to Develop and Deploy Malware That Exploited Tens of Thousands of Firewalls Worldwide
- malware.news: China-Based Hacker Charged for Conspiring to Develop and Deploy Malware That Exploited Tens of Thousands of Firewalls Worldwide
- The Hacker News: The U.S. government on Tuesday unsealed charges against a Chinese national for allegedly breaking into thousands of Sophos firewall devices globally in 2020.
- CyberScoop: Treasury sanctions Chinese cyber company, employee for 2020 global firewall attack
- DataBreaches.Net: China-Based Hacker Charged for Conspiring to Develop and Deploy Malware That Exploited Tens of Thousands of Firewalls Worldwide
@gbhackers.com - 16d
SonicWall firewalls are exposed to a high-severity authentication bypass in the SonicOS SSLVPN application, tracked as CVE-2024-53704 (CVSS 8.2). The flaw lets an unauthenticated attacker hijack active SSL VPN sessions and, with them, the network access those sessions carry. Bishop Fox researchers found nearly 4,500 internet-exposed SonicWall firewalls still running vulnerable builds. Affected releases are SonicOS 7.1.x (7.1.1-7058 and older), 7.1.2-7019 and 8.0.0-8035, which run on Gen 7 firewalls and the TZ80.
A proof-of-concept exploit was published on February 10, 2025, and exploitation attempts were observed within days, so patching is urgent. The PoC sends a specially crafted session cookie to the SSL VPN endpoint; the server accepts it as a valid session without any credentials, which also sidesteps multi-factor authentication, since MFA is only enforced at login and the attacker never logs in. A hijacked session gives the attacker whatever the legitimate user could reach: internal resources, Virtual Office bookmarks and VPN client configuration, enough to establish a new VPN tunnel into the private network. SonicWall urges immediate patching; where that cannot happen right away, the SSL VPN service should be disabled or restricted to trusted source addresses, because strong passwords and MFA do not mitigate this bug.
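The first job after an advisory like this is deciding which devices in an inventory still need the update. The following is an added example, not code from the reports or from SonicWall: it parses SonicOS version strings in the form the device prints them, orders them as tuples, and sorts an inventory into patch / ok / unknown. The affected builds are the ones listed above; the first fixed builds (7.1.3-7015 and 8.0.0-8037) are taken from SonicWall's advisory and are an assumption to confirm against the vendor's current advisory. The inventory is constructed for illustration.

```python
import re

# SonicOS Gen 7 / TZ80 builds print as "major.minor.patch-build", e.g. "7.1.1-7058".
# Gen 6 builds ("6.5.4.15-117n") use a different form and are deliberately not matched.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")

# First fixed build per branch. ASSUMPTION: taken from SonicWall's CVE-2024-53704
# advisory; verify against the vendor before acting on this script's output.
# Everything below these in the same branch (7.1.1-7058 and older, 7.1.2-7019,
# 8.0.0-8035) is the affected set described in the reports.
FIRST_FIXED = {
    (7, 1): (7, 1, 3, 7015),
    (8, 0): (8, 0, 0, 8037),
}


def parse_version(text):
    """'7.1.2-7019' -> (7, 1, 2, 7019); None if the string is not in that form."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def is_vulnerable(text):
    """True/False for branches the advisory covers, None for anything else
    (unparseable strings or branches with no fixed build listed here)."""
    version = parse_version(text)
    if version is None:
        return None
    fixed = FIRST_FIXED.get(version[:2])
    if fixed is None:
        return None
    return version < fixed  # tuple comparison orders build numbers correctly


def triage(inventory):
    """Split {hostname: version} into hosts to patch, hosts already fixed,
    and hosts whose version this script cannot judge."""
    result = {"patch": [], "ok": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        state = is_vulnerable(version)
        if state is True:
            result["patch"].append(host)
        elif state is False:
            result["ok"].append(host)
        else:
            result["unknown"].append(host)
    return result


# Constructed inventory: hostnames and versions are illustrative, not real devices.
SAMPLE_INVENTORY = {
    "fw-branch-01": "7.1.1-7058",
    "fw-branch-02": "7.1.2-7019",
    "fw-tz80-lab": "8.0.0-8035",
    "fw-hq-01": "7.1.3-7015",
    "fw-hq-02": "8.0.0-8037",
    "fw-legacy": "6.5.4.15-117n",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts that land in "unknown" need a manual check against the advisory rather than being assumed safe. Patching also says nothing about sessions hijacked before the update: review SSL VPN session logs for logins from unexpected source addresses over the exposure window.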
References :
- gbhackers.com: SonicWall firewalls running specific versions of SonicOS are vulnerable to a critical authentication bypass flaw, tracked as CVE-2024-53704, which allows attackers to hijack active SSL VPN sessions. This vulnerability has been classified as high-risk, with a CVSS score of 8.2.
- MSSP feed for Latest: Nearly 4,500 internet-exposed SonicWall firewalls were discovered by Bishop Fox researchers to be at risk of having their VPN sessions taken over in attacks exploiting a recently patched high-severity authentication bypass flaw within the SonicOS SSLVPN application, tracked as CVE-2024-53704, according to BleepingComputer.
- cyberpress.org: A critical security flaw, CVE-2024-53704, has been identified in SonicWall’s SonicOS SSLVPN application, enabling remote attackers to bypass authentication and hijack active SSL VPN sessions.
- securityaffairs.com: Detailed findings and mitigation strategies related to the SonicWall firewall bug.
- Cyber Security News: SonicWall Firewalls Exploit Let Attackers Remotely Hack Networks Via SSL VPN Sessions Hijack
- gbhackers.com: SonicWall Firewalls Exploit Hijack SSL VPN Sessions to Gain Networks Access
- www.bleepingcomputer.com: SonicWall firewall exploit lets hackers hijack VPN sessions, patch now
- arcticwolf.com: Arctic Wolf Observes Authentication Bypass Exploitation Attempts Targeting SonicWall Firewalls (CVE-2024-53704)
- Arctic Wolf: Arctic Wolf Observes Authentication Bypass Exploitation Attempts Targeting SonicWall Firewalls (CVE-2024-53704)
- arcticwolf.com: On February 10, 2025, Bishop Fox published technical details and proof-of-concept (PoC) exploit code for CVE-2024-53704, a high-severity authentication bypass vulnerability caused by a flaw in the SSLVPN authentication mechanism in SonicOS, the operating system used by SonicWall firewalls. Shortly after the PoC was made public, Arctic Wolf began observing exploitation attempts of this vulnerability
- The Register - Security: SonicWall firewalls now under attack: Patch ASAP or risk intrusion via your SSL VPN
- bishopfox.com: https://bishopfox.com/blog/sonicwall-cve-2024-53704-ssl-vpn-session-hijacking
- Christoffer S.: Arctic Wolf: Published a blog about observing active exploitation of SonicWALL vulnerability, which Bishop Fox published a PoC for on Feb 10. Unfortunately NO indicators or otherwise actionable intelligence provided beyond active exploitation.
- BleepingComputer: Attackers are now targeting an authentication bypass vulnerability affecting SonicWall firewalls shortly after the release of proof-of-concept (PoC) exploit code.
- heise online English: Patch Sonicwall now! Attackers bypass authentication of firewalls Attacks are currently taking place on Sonicwall firewalls. Security updates are available for download.
- www.bleepingcomputer.com: BleepingComputer reports on attackers exploiting a SonicWall firewall vulnerability after the release of PoC exploit code.
- Anonymous: Attackers are now targeting an authentication bypass vulnerability affecting SonicWall firewalls shortly after the release of proof-of-concept (PoC) exploit code.
- www.heise.de: Heise Online article urging users to patch their SonicWall devices.
- securityonline.info: SonicWall Firewalls Under Attack: CVE-2024-53704 Exploited in the Wild, PoC Released
do son@Cybersecurity News - 71d
Sophos has released hotfixes for three vulnerabilities in Sophos Firewall, two of them rated critical: CVE-2024-12727, CVE-2024-12728 and CVE-2024-12729. Under specific conditions they allow remote code execution and privileged system access. CVE-2024-12727 (critical) is a pre-authentication SQL injection in the email protection feature that can lead to remote code execution; it is reachable only when a specific Secure PDF eXchange (SPX) configuration is enabled on a firewall running in High Availability (HA) mode. CVE-2024-12728 (critical) stems from the suggested, non-random SSH login passphrase used during HA cluster initialization remaining active after the cluster is established, exposing a privileged account to anyone who can reach the SSH service. CVE-2024-12729 is a post-authentication code injection in the User Portal that lets an authenticated user execute arbitrary code.
The flaws affect Sophos Firewall 21.0 GA (21.0.0) and older. Sophos estimates that CVE-2024-12727 affects roughly 0.05% of devices and CVE-2024-12728 about 0.5%. Hotfixes were issued for a range of supported releases and install automatically on firewalls that keep the default setting for automatic hotfix installation; the fixes are also included in v21 MR1 and newer, and all affected users should update. Whether a hotfix has been applied can be verified by launching the Advanced Shell or the Device Console and running the commands given in the Sophos advisory. Until patched, Sophos recommends restricting SSH access to the dedicated HA link, reconfiguring HA with a sufficiently long and random passphrase, disabling WAN access via SSH, and keeping the User Portal and Webadmin interface off the WAN.
References :
- securityonline.info: SecurityOnline.info report on Sophos urgent firewall security update
- socradar.io: Sophos Firewall Update Resolves RCE and Privilege Escalation Vulnerabilities (CVE-2024-12727, CVE-2024-12728, CVE-2024-12729)
- The Hacker News: TheHackerNews report on Sophos fixing 3 critical firewall flaws
- securityaffairs.com: Sophos fixed critical vulnerabilities in its Firewall product
- www.heise.de: Critical vulnerabilities threaten Sophos firewalls Important security updates for Sophos firewalls have been released. They install automatically with the default settings.
- Latest from TechRadar: Sophos flags concerning firewall security flaws, users told to patch now
@gbhackers.com - 19d
A large-scale credential brute-force campaign is targeting internet-facing edge devices, including VPN gateways and firewalls from Palo Alto Networks, Ivanti and SonicWall. According to BleepingComputer, which first reported it on February 8, 2025, the campaign has been running for weeks and uses almost 2.8 million source IP addresses to guess login credentials. A device whose credentials are guessed can be taken over outright or used as a foothold into the network behind it.
A brute-force attack repeatedly tries username and password combinations until one succeeds. Spreading the attempts across 2.8 million sources defeats the usual per-IP lockout: each address makes only a handful of attempts, so only per-account and aggregate views of failed logins reveal the pattern. The defences are unchanged but worth restating: strong, unique passwords, multi-factor authentication, management interfaces kept off the internet, and monitoring of authentication failures per account rather than per source address.
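The distinction between a single-source and a distributed campaign is what makes per-IP lockouts insufficient here. The following is an added example, not code from any of the reports above or from the affected vendors: it parses a constructed, generic "auth failed" log format (not a real vendor schema) and flags both a single IP hammering one account and one account being guessed from many IPs that each stay under the per-IP threshold. Thresholds and the window are assumptions to tune for a real environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ASSUMED generic line format, constructed for this example (not a vendor log schema):
#   2025-02-08T10:00:00 auth failed user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def analyze(lines, window=timedelta(minutes=15),
            per_source_threshold=20, distinct_source_threshold=10):
    """Flag two credential-guessing patterns within `window` of the newest failure.

    single_source: one IP with >= per_source_threshold failures (what a
                   per-IP lockout already catches).
    distributed:   one account attacked from >= distinct_source_threshold IPs
                   that each stay below per_source_threshold (what a
                   multi-million-IP campaign looks like and per-IP lockouts miss).
    """
    events = [e for e in map(parse, lines) if e and e["result"] == "failed"]
    if not events:
        return {"single_source": {}, "distributed": {}}
    newest = max(e["ts"] for e in events)
    recent = [e for e in events if e["ts"] >= newest - window]

    per_source = defaultdict(int)
    per_user_source = defaultdict(lambda: defaultdict(int))
    for e in recent:
        per_source[e["src"]] += 1
        per_user_source[e["user"]][e["src"]] += 1

    single = {src: n for src, n in per_source.items() if n >= per_source_threshold}
    distributed = {}
    for user, sources in per_user_source.items():
        if len(sources) >= distinct_source_threshold and max(sources.values()) < per_source_threshold:
            distributed[user] = {
                "distinct_sources": len(sources),
                "attempts": sum(sources.values()),
                "max_per_source": max(sources.values()),
            }
    return {"single_source": single, "distributed": distributed}


def sample_log():
    """Constructed log: one noisy source on 'admin', twelve quiet sources on 'vpnadmin'."""
    t = datetime(2025, 2, 8, 10, 0, 0)
    lines = [f"{(t + timedelta(seconds=i)).isoformat()} auth failed user=admin src=203.0.113.7"
             for i in range(25)]
    for n in range(12):
        for j in range(2):
            ts = t + timedelta(seconds=30 + n * 5 + j)
            lines.append(f"{ts.isoformat()} auth failed user=vpnadmin src=198.51.100.{n + 1}")
    lines.append(f"{t.isoformat()} auth ok user=alice src=192.0.2.10")
    lines.append("unparseable line that should be ignored")
    return lines


if __name__ == "__main__":
    print(analyze(sample_log()))
```

In the sample, 203.0.113.7 trips the per-source rule, while the twelve sources guessing `vpnadmin` make two attempts each and would never hit a per-IP lockout; only the per-account view exposes them. In production, feed the same logic the failures from every edge device rather than per device, since the campaign spreads across them.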
References :
- BleepingComputer: A large-scale brute force password attack using almost 2.8 million IP addresses is underway, attempting to guess the credentials for a wide range of networking devices, including those from Palo Alto Networks, Ivanti, and SonicWall.
- www.bleepingcomputer.com: Massive brute force attack uses 2.8 million IPs to target VPN devices
- Anonymous: A large-scale brute force password attack using almost 2.8 million IP addresses is underway
- Troy Hunt: Infosec.exchange post about the large-scale brute-force attack targeting networking devices.
- bsky.app: BleepingComputer post on the brute-force attack targeting Palo Alto, Ivanti and Sonicwall devices.
- bsky.app: BleepingComputer mentions the attack in a news summary.
- www.scworld.com: Millions of IP addresses leveraged in ongoing brute force intrusion
- gbhackers.com: Massive brute force attacks targeting VPNs and firewalls have surged in recent weeks, with cybercriminals using as many as 2.8 million unique IP addresses daily to conduct relentless login attempts.
- securityboulevard.com: Security Boulevard report on Major brute force attack
info@thehackernews.com (The Hacker News)@The Hacker News - 35d
Security firm Eclypsium reports that Palo Alto Networks firewall appliances ship with firmware and bootloader vulnerabilities that could let an attacker bypass Secure Boot and persist below the operating system. Eclypsium examined three models, the PA-3260, PA-1410 and PA-415, and found a set of already-public flaws it collectively calls "PANdora's Box". They include BootHole, a buffer overflow in the GRUB2 bootloader that allows arbitrary code execution during boot and thereby defeats Secure Boot, further Secure Boot bypasses, and the LogoFAIL and PixieFAIL UEFI vulnerabilities. Chained with an initial foothold, they would let an attacker gain elevated privileges, persist across reboots and OS updates, and fully compromise the device.
The findings comprise seven CVEs plus insecure flash access controls and leaked signing keys that undermine the integrity of the boot chain. Ranging from bootloader exploits to flaws in the InsydeH2O UEFI firmware, they enable privilege escalation, execution of malicious code during startup and information disclosure. Palo Alto Networks says it is aware of the claims and is working with third-party vendors on firmware updates, but that the issues are not exploitable under normal conditions on devices with up-to-date PAN-OS and a properly secured management interface, since exploiting them first requires an attacker to already hold privileged access to the device. Because they are hardware firmware issues, PAN-OS CN-Series, VM-Series, Cloud NGFW and Prisma Access are not affected.
References :
- eclypsium.com: Eclypsium evaluated three Palo Alto Networks appliances, finding known vulnerabilities ranging from "BootHole" (bootloader buffer overflow to code execution during boot) and Secure Boot bypass to LogoFAIL, PixieFAIL, leaked-key bypass, etc.
- security.paloaltonetworks.com: Palo Alto Networks Addresses Impact of BIOS, Bootloader Vulnerabilities on Its Firewalls
- The Hacker News: Palo Alto firewalls found vulnerable to secure boot bypass and firmware exploits
- : Palo Alto Networks See parent toot above. Palo Alto Networks is in damage control mode, after Eclypsium reported that their Next Generation Firewall (NGFW) products were still impacted by multiple known vulnerabilities. Palo Alto Networks is aware of claims of multiple vulnerabilities in hardware device firmware and bootloaders included in our PA-Series (hardware) firewalls. Palo Alto Networks is not aware of any malicious exploitation of these issues in our products. We are aware of a blog post discussing these issues.
- Patrick C Miller: Palo Alto Networks Addresses Impact of BIOS, Bootloader Vulnerabilities on Its Firewalls - SecurityWeek
- ciso2ciso.com: Palo Alto Networks Addresses Impact of BIOS, Bootloader Vulnerabilities on Its Firewalls – Source: www.securityweek.com
@gbhackers.com - 16d
The SonicOS SSLVPN authentication bypass CVE-2024-53704 (high severity, CVSS 8.2) is now under active exploitation. Security firms report attackers targeting the flaw within days of the public release of proof-of-concept exploit code. It allows an unauthenticated attacker to hijack active SSL VPN sessions, and with them the network access those sessions grant.
Patched SonicOS builds are available, and administrators are urged to update affected firewalls immediately; where patching must wait, disabling SSL VPN or restricting it to trusted source addresses removes the exposure. With attacks in progress, prompt action is essential. The episode shows how short the window between PoC publication and in-the-wild exploitation has become for internet-facing security appliances.
References :
- BleepingComputer: Attackers are now targeting an authentication bypass vulnerability affecting SonicWall firewalls shortly after the release of proof-of-concept (PoC) exploit code.
- Anonymous: Attackers are now targeting an authentication bypass vulnerability affecting SonicWall firewalls shortly after the release of proof-of-concept (PoC) exploit code.
- heise online English: Patch Sonicwall now! Attackers bypass authentication of firewalls Attacks are currently taking place on Sonicwall firewalls. Security updates are available for download.