Search This Blog

Showing posts with label Sophos. Show all posts

Deceased User's Accounts used by Nefilim Ransomware Actors


Recently we are witnessing that the Ransomware operators are teaming up to exchange software and infrastructure to further accelerate the operation of leakage and extortion that harms the victims of such attacks. One such ransomware is Nefilim. 

Nefilim also known as Nemty has emerged in 2020 as a new category onto the list of ransomware strains, here if the victims do not pay the ransom, Nefilim threatens to reveal information to the public; it has its own leaks platform called Corporate Leaks and is located in the TOR node. 

As stated by Michael Heller, a researcher at Sophos, the Rapid Response is a 24/7 service provided by Sophos that helps organizations to detect and neutralize the active threat by actors as soon as possible. Lately, a company that has been attacked with the Nefilim ransomware, reached out to the Rapid Responses by Sophos for help. In the incident reported by the company, a ransomware attack from Nefilim locked up more than 100 systems stemmed from the unregulated account compromised of an employee who died three months ago. The attackers traveled silently through the network, stole the domain admin keys, then located and filtered hundreds of GB of data prior to unleashing any malware that exposes the existence of such data. The account was obviously held deliberately as it was used for utilities, so the Rapid Response team had to determine which acts were legit and which were deceptive from that account. 

Nefilim ransomware replaces the initial files with encrypted copies, nearly all the big ransomware, making recovery difficult without either a decryption key or a recent backup. As soon as the Customer contracted Sophos, the Rapid Response Team took steps to load security into any applications that they might use, to guarantee that all the security measured required were added to systems that had already been implemented by Sophos and to find evidence about how and where the invading processes started and what could have been stolen. 

 As stated by Michael Heller, the latest victim of the attack was compromised by exploiting vulnerable versions of the Citrix Software, after which the actors gained access to the domain key or the domain admin account using Mimikatz. Well in general the actor can gain access either by Citrix Software or by Remote Desktop Protocol. 

“Ransomware is the final payload in a longer attack. It is the attacker telling you they already have control of your network and have finished the bulk of the attack. It is the attacker declaring victory,” stated, Peter Mackenzie, manager of Rapid Response. “Identifying you are under a ransomware attack is easy, identifying the attacker was on your network a week earlier is what counts.”

Cybersecurity Company Sophos Hit By Data Breach Attack, Company Informs Customers


A data breach attack recently hit Sophos, a Uk based cybersecurity company. The company currently has notified its customers regarding the data attack via mail, which the company suffered last week. The leaked information includes user names, emails, and contact numbers. According to Sophos, only a small number of customers were affected by the data breach. The spokesperson says that a "small subset" of customers was affected; however, not providing any further details. 

Earlier this week, the company was informed of an access permission problem in a tool. The tool contains customers' information who contact Sophos support. The company said this in an email sent to its customers. 

The company says that it came to know about the issue through an expert and had fixed the misconfiguration as soon as it was reported. According to Sophos, customer privacy and safety is their topmost priority. It is currently contacting all impacted customers. 

Besides this, the company has implemented preventive measures to ensure that permission settings are not exploited. The data breach is the second cybersecurity incident that Sophos suffered this year. 

In April, a quite similar incident happened where hackers found and exploited a zero-day XG Firewall in Sophos and attacked companies worldwide. The hackers used Asnarok malware, but when the vulnerability was exposed, they shifted to ransomware and failed eventually. 

The email reads, "On November 24, 2020, Sophos was advised of an access permission issue in a tool used to store information on customers who have contacted Sophos Support. As a result, some data from a small subset of Sophos customers was exposed. We quickly fixed the issue. Your information was exposed, but due to remediation measures we have taken, your data is no longer exposed. Specifically, first name, last name, email address, and, where provided, a contact phone number. 

There is no action that you need to take at this time. At Sophos, customer privacy and security are always our top priority. We are contacting all affected customers. Additionally, we are implementing additional measures to ensure access permission settings are continuously secure. "

Hackers abuse Sophos Firewall Zero Day Vulnerability

Sophos, a UK cybersecurity company famous for its anti-virus products has released an emergency security update this Saturday to combat a Zero-Day vulnerability exploited by hackers in its XG enterprise firewall product.

They became aware of the vulnerability on Wednesday after one of their customers reported "a suspicious field value visible in the management interface." And they released an update containing the patch for the vulnerability.

The Vulnerability- SQL INJECTION BUG

"The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices," Sophos said.

The miscreant hackers attacked Sophos XG Firewall devices whose administration or user portal control panel were exposed on the internet. The hackers used the SQL Injection Vulnerability in XG firewall devices and downloaded a play-load on the device to steal data like passwords and usernames for the firewall device admin, portal admins, and user accounts for remote access, the firewall's license and serial number.

Sophos says that during its investigation, it did not find any proof that the hackers accessed anything beyond the firewall as well as no devices were accessed by the malware. They named the malware Asnarok.

 Patches already updated in user devices 

The company already pushed the patches in an automatic update in all XG Firewall devices that had the auto-update feature enabled. "This hotfix eliminated the SQL injection vulnerability which prevented further exploitation, stopped the XG Firewall from accessing any attacker infrastructure, and cleaned up any remnants from the attack," it said. The update also shows a message to the user if their device was compromised or not in their Firewall control panel.

Sophos recommends some steps to take for the companies who had their device hacked mainly focused on resetting passwords and reboots:

  1.   Reset portal and device administrator accounts.
  2.   Reboot the infected firewall device. 
  3.   Reset all passwords of user accounts.

"Sophos also recommends that companies disable the firewall's administration interfaces on the internet-facing ports if they don't need the feature", writes zdnet.