@www.justice.gov - 75d
References :
- www.pcmag.com: US sanctions Chinese cybersecurity firm for hacking 81k firewall devices
- (untitled): Related to the DOJ toot above. The Department of the Treasury's Office of Foreign Assets Control (OFAC) is sanctioning cybersecurity company Sichuan Silence Information Technology Company, Limited (Sichuan Silence), and one of its employees, Guan Tianfeng, both based in the People's Republic of China (PRC), for their roles in the April 2020 compromise of tens of thousands of firewalls worldwide.
- www.bleepingcomputer.com: US sanctions Chinese firm for hacking firewalls in ransomware attacks
- www.justice.gov: Chinese national Guan Tianfeng was charged in connection with the mass exploitation of Sophos firewalls in 2020.
- (untitled): People's Republic of China (PRC)-based Sichuan Silence Information Technology Co. Ltd. (Sichuan Silence) has provided services to China's Ministry of Public Security, among other Chinese government agencies. In 2020, Chinese national Guan Tianfeng and other employees of Sichuan Silence developed and tested intrusion techniques before deploying malicious software that exploited a zero-day vulnerability in certain Sophos firewalls (CVSSv3.0: 10.0, critical). Sichuan Silence used the exploit to infiltrate approximately 81,000 firewall devices, infecting them with malware designed not only to retrieve and exfiltrate data from the firewalls and the computers behind them, but also to encrypt files on infected computers if a victim attempted to remediate the infection.
- Cyber Security News: US Sanctions Chinese Firm for Firewall Hacks Linked to Ransomware
- gbhackers.com: US Charged Chinese Hackers for Exploiting Thousands of Firewall
- CyberInsider: U.S. Indicts Chinese Hacker for Firewall Exploit Targeting 81,000 Devices
- Dataconomy: Dataconomy's report on the Sophos firewall breach.
- therecord.media: US sanctions Chinese cyber firm for compromising ‘thousands’ of firewalls in 2020
- flashpoint.io: China-Based Hacker Charged for Conspiring to Develop and Deploy Malware That Exploited Tens of Thousands of Firewalls Worldwide
- malware.news: China-Based Hacker Charged for Conspiring to Develop and Deploy Malware That Exploited Tens of Thousands of Firewalls Worldwide
- The Hacker News: The U.S. government on Tuesday unsealed charges against a Chinese national for allegedly breaking into thousands of Sophos firewall devices globally in 2020.
- CyberScoop: Treasury sanctions Chinese cyber company, employee for 2020 global firewall attack
- DataBreaches.Net: China-Based Hacker Charged for Conspiring to Develop and Deploy Malware That Exploited Tens of Thousands of Firewalls Worldwide
Classification:
- HashTags: #CyberSanctions #ChineseHackers #FirewallBreach
- Company: Sichuan Silence
- Target: Sophos Firewall users worldwide
- Attacker: Sichuan Silence (PRC-based)
- Product: Sophos Firewall
- Feature: Zero-day firewall exploitation
- Type: Legal
- Severity: Major
do son@Cybersecurity News - 73d
Sophos has released hotfixes for three security vulnerabilities in Sophos Firewall, tracked as CVE-2024-12727, CVE-2024-12728, and CVE-2024-12729, which could allow attackers to achieve remote code execution or gain privileged system access under specific conditions. Two of the three (CVE-2024-12727 and CVE-2024-12728) are rated critical; the third is rated high. CVE-2024-12727 is a pre-authentication SQL injection flaw in the email protection feature that can lead to remote code execution. CVE-2024-12728 stems from a weak SSH login passphrase generated during High Availability (HA) cluster initialization that remains active after HA setup completes, exposing a privileged system account. CVE-2024-12729 is a post-authentication code injection vulnerability in the User Portal.
These vulnerabilities affect Sophos Firewall version 21.0 GA (21.0.0) and older. Sophos estimates that CVE-2024-12727 affects approximately 0.05% of devices and CVE-2024-12728 about 0.5%. Hotfixes have been issued for the affected releases, and v21 MR1 and newer already include the fix; all affected users are advised to apply them. Users can confirm that a hotfix has been applied by launching the Advanced Shell or the Device Console and running the verification commands from the advisory. As temporary workarounds while patching, Sophos recommends restricting SSH access, reconfiguring HA with a strong passphrase, and disabling SSH access from the WAN.
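The affected range above is a plain version comparison, but Sophos release labels come in several shapes. The following triage helper is an added example, not Sophos tooling: it assumes SFOS version strings look like "SFOS 21.0.0 GA-Build169", "21.0 GA" or "20.0 MR3", and that "X.Y MRn" names the same release as X.Y.n (the advisory itself writes "21.0 GA (21.0.0)"). The inventory at the bottom is constructed sample data.

```python
"""Affected-version triage for the Sophos Firewall advisory summarised above.

Added example, not Sophos code. Assumption: "X.Y MRn" == X.Y.n, and a bare
"X.Y" or "X.Y GA" == X.Y.0. The inventory below is constructed sample data.
"""
import re
from typing import Dict, List, Tuple

# Everything at or below this release is inside the advisory's affected range;
# 21.0 MR1 (21.0.1) and later already carry the fix.
LAST_AFFECTED = (21, 0, 0)

_VERSION_RE = re.compile(
    r"^\s*(?:SFOS\s+)?(\d+)\.(\d+)(?:\.(\d+))?\s*(?:GA|MR\s*-?\s*(\d+))?",
    re.IGNORECASE,
)


def parse_sfos_version(text: str) -> Tuple[int, int, int]:
    """Normalise an SFOS version label to a comparable (major, minor, level) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised SFOS version string: {text!r}")
    major, minor, patch, mr = m.groups()
    if patch is not None:
        level = int(patch)      # "21.0.1 ..." -> 21.0.1
    elif mr is not None:
        level = int(mr)         # "21.0 MR1"   -> 21.0.1 (assumption stated above)
    else:
        level = 0               # "21.0" / "21.0 GA" -> 21.0.0
    return int(major), int(minor), level


def is_affected(version: str) -> bool:
    """True when the release falls inside 'v21.0 GA (21.0.0) and older'."""
    return parse_sfos_version(version) <= LAST_AFFECTED


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return, sorted, the hosts whose SFOS release is in the affected range."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory: hostname -> version label as an asset system might record it.
SAMPLE_INVENTORY = {
    "fw-branch-01": "SFOS 19.5.0 MR-4-Build1",
    "fw-branch-02": "20.0 MR3",
    "fw-hq-ha-a":   "21.0 GA",
    "fw-hq-ha-b":   "SFOS 21.0.0 GA-Build169",
    "fw-lab":       "21.0 MR1",
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> in affected range, verify hotfix on device")
```

Version alone only identifies candidates: hotfixes install automatically under the default settings, so a device in the affected range may already be fixed. Confirm on each flagged device with the advisory's verification commands before treating it as exposed.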
References :
- securityonline.info: SecurityOnline.info report on Sophos urgent firewall security update
- socradar.io: Sophos Firewall Update Resolves RCE and Privilege Escalation Vulnerabilities (CVE-2024-12727, CVE-2024-12728, CVE-2024-12729)
- The Hacker News: TheHackerNews report on Sophos fixing 3 critical firewall flaws
- securityaffairs.com: Sophos fixed critical vulnerabilities in its Firewall product
- www.heise.de: Critical vulnerabilities threaten Sophos firewalls. Important security updates for Sophos firewalls have been released; they install automatically with the default settings.
- Latest from TechRadar: Sophos flags concerning firewall security flaws, users told to patch now
Classification:
- HashTags: #Sophos #Vulnerability #RCE
- Company: Sophos
- Target: Sophos Firewall users
- Product: Sophos Firewall
- Feature: Remote Code Execution
- Type: Vulnerability
- Severity: Critical
@ciso2ciso.com - 22d
Cybercriminals are increasingly leveraging Scalable Vector Graphics (SVG) files in phishing attacks to circumvent traditional email security measures. Sophos researchers have documented this rising threat, noting that attackers use SVG files to deliver malicious links that lead to credential theft. SVG files, commonly used for vector-based images, are text-based XML documents that can carry hyperlinks and scripts alongside the drawing instructions, so attackers can embed malicious content directly inside what looks like an image attachment.
Attackers often employ social engineering tactics in phishing emails, impersonating well-known brands like DocuSign, Microsoft SharePoint, Dropbox, and Google Voice to trick recipients into opening the malicious SVG attachments. When a user clicks the embedded link, they are redirected to a credential-harvesting site disguised as a legitimate login portal. Sophos has observed increasingly sophisticated SVG phishing attacks, including the use of Cloudflare CAPTCHA gates, credential pre-filling, live phishing templates, and JavaScript auto-redirects to further evade detection.
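The active-content tricks listed above (an embedded hyperlink, a pre-filled victim identity in the URL, and a JavaScript auto-redirect) are all visible in the SVG's XML before anyone opens it. The scanner below is an added example, not Sophos code: the two SVG documents are constructed samples, the "example.invalid" host is a placeholder rather than real phishing infrastructure, and the scoring weights are a policy choice for this example. It goes slightly beyond the text by also flagging inline event handlers, `<foreignObject>` HTML and remote resource references, which are the other ways an SVG can carry executable or external content.

```python
"""Static triage of SVG e-mail attachments for the phishing pattern described above.

Added example, not Sophos code. The SVG samples are constructed; the hostnames
in them are placeholders (example.invalid). Weights in _WEIGHTS are illustrative.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Union

XLINK_NS = "http://www.w3.org/1999/xlink"
# SVG 1.1 uses xlink:href, SVG 2 allows a plain href; check both spellings.
HREF_ATTRS = ("href", f"{{{XLINK_NS}}}href")
# A script that rewrites the page location is the "JavaScript auto-redirect" trick.
REDIRECT_RE = re.compile(
    r"\b(?:window\.|document\.|top\.|self\.)?location(?:\.href|\.replace|\.assign)?\s*[=(]",
    re.IGNORECASE,
)
# An e-mail address in a link's query string is the credential pre-filling trick.
PREFILL_RE = re.compile(r"[?&#][^=]+=[^&]*(?:%40|@)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str    # hyperlink | prefilled_identity | script | auto_redirect | event_handler | foreign_object | external_ref
    detail: str  # the URL, attribute or code snippet that triggered it


def _local(name: str) -> str:
    """Strip an ElementTree namespace prefix: '{http://...}a' -> 'a'."""
    return name.rsplit("}", 1)[-1].lower()


def _hrefs(elem: ET.Element):
    for attr in HREF_ATTRS:
        value = elem.get(attr)
        if value:
            yield value.strip()


def scan_svg(data: Union[str, bytes]) -> List[Finding]:
    """Walk every element of the SVG and record hyperlinks and active content."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    # The stdlib parser is used so the example runs anywhere; a production mail
    # gateway should parse untrusted XML with defusedxml to block entity-expansion attacks.
    root = ET.fromstring(data)
    findings: List[Finding] = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "a":
            for href in _hrefs(elem):
                if href.lower().startswith("javascript:"):
                    findings.append(Finding("script", href[:80]))
                else:
                    findings.append(Finding("hyperlink", href))
                    if PREFILL_RE.search(href):
                        findings.append(Finding("prefilled_identity", href))
        elif tag == "script":
            code = (elem.text or "").strip()
            findings.append(Finding("script", code[:80]))
            if REDIRECT_RE.search(code):
                findings.append(Finding("auto_redirect", code[:80]))
            for href in _hrefs(elem):  # <script href="..."> pulls remote JavaScript
                findings.append(Finding("external_ref", href))
        elif tag == "foreignobject":
            findings.append(Finding("foreign_object", "embedded HTML/XHTML content"))
        elif tag in ("image", "use", "feimage"):
            for href in _hrefs(elem):
                if href.lower().startswith(("http:", "https:", "//")):
                    findings.append(Finding("external_ref", href))
        # Inline handlers (onload, onclick, ...) execute without any <script> element.
        for attr, value in elem.attrib.items():
            if _local(attr).startswith("on"):
                findings.append(Finding("event_handler", f"{_local(attr)}={value[:60]}"))
    return findings


# Illustrative policy: any executable content is enough to block on its own.
_WEIGHTS = {"script": 3, "auto_redirect": 3, "event_handler": 3,
            "foreign_object": 2, "external_ref": 1, "hyperlink": 1, "prefilled_identity": 1}


def verdict(findings: List[Finding]) -> str:
    """'block' for executable content, 'review' for plain outbound links, else 'allow'."""
    score = sum(_WEIGHTS.get(f.kind, 0) for f in findings)
    if score >= 3:
        return "block"
    return "review" if score > 0 else "allow"


# Constructed sample: brand lure, clickable link with the victim's address, auto-redirect.
PHISH_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="420" height="200">
  <text x="20" y="40">DocuSign: a document is waiting for your signature</text>
  <a xlink:href="https://login.example.invalid/docusign/?u=victim%40example.com">
    <rect x="20" y="60" width="180" height="40" fill="#2d6cdf"/>
    <text x="40" y="85" fill="#fff">REVIEW DOCUMENT</text>
  </a>
  <script><![CDATA[
    window.location.href = "https://login.example.invalid/docusign/?u=victim%40example.com";
  ]]></script>
</svg>"""

# Constructed sample: an ordinary logo with no links or scripts.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="#2d6cdf"/>
</svg>"""

if __name__ == "__main__":
    for name, doc in (("phish", PHISH_SVG), ("benign", BENIGN_SVG)):
        found = scan_svg(doc)
        print(name, verdict(found), [f.kind for f in found])
```

Because the check is structural rather than URL-based, it does not depend on the phishing host being known, and it catches the CAPTCHA-gated and live-template variants too, since those still need a link or a redirect inside the file to get the victim off the image.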
References :
- securityonline.info: Sophos Uncovers Rising Threat of SVG-Based Phishing Attacks
- ciso2ciso.com: Cybercriminals Weaponize Graphics Files in Phishing Attacks – Source: www.infosecurity-magazine.com
- ciso2ciso.com: Ciso2Ciso - Cybercriminals Weaponize Graphics Files in Phishing Attacks
Classification:
- HashTags: #PhishingAttacks #SVGFiles #EmailSecurity
- Company: Sophos
- Target: Email users
- Attacker: Unnamed cybercriminal phishing operators
- Product: Email (SVG attachments)
- Feature: Hyperlinks and scripts embedded in SVG
- Type: Phishing
- Severity: Medium