Sophos announced that it started an investigation after receiving a report on April 22; the results show that the attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. Firewalls manually configured to expose a firewall service on the WAN zone that shares the same port as the admin interface or user portal were also affected.
Pre-auth SQL injection vulnerability
Sophos stated that the attackers used a previously unknown pre-auth SQL injection vulnerability to gain access to exposed XG devices. The attack aimed to exfiltrate XG Firewall-resident data; for any impacted firewall, the exfiltrated data includes all local usernames and hashed passwords of any local user accounts.
Shortly after, Sophos released a hotfix for all supported XG Firewall/SFOS versions. The hotfix eliminates the SQL injection vulnerability, preventing further exploitation, stops the XG Firewall from accessing any attacker infrastructure, and cleans up remnants of the attack. Sophos also stated that uncompromised XG Firewall devices require no additional steps, and for compromised devices it published a short guide to fully remediate the issue.
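To make concrete what a pre-auth SQL injection is and why a hotfix that removes it stops the data exfiltration described above, here is an added illustration that is not Sophos code and says nothing about how XG Firewall is actually implemented. It models a hypothetical login lookup against a constructed in-memory user table: the vulnerable form concatenates untrusted input into the SQL text, so a tautology in the input turns a single-user lookup into a dump of every username and password hash; the hardened form binds the input as a parameter, so the same input matches nothing.

```python
import sqlite3

# Constructed sample data for this example only; names and hashes are made up.
SAMPLE_USERS = [
    ("admin", "hash-of-admin-secret"),
    ("alice", "hash-of-alice-secret"),
]


def make_db():
    """Build an in-memory table shaped like a local-user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pwhash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Hypothetical vulnerable lookup: the caller-controlled username is
    spliced into the SQL string, so the input can change the query's
    structure before any credential has been checked (pre-auth)."""
    query = "SELECT name, pwhash FROM users WHERE name = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_fixed(conn, username):
    """Hardened lookup: the username travels as a bound parameter and is
    never parsed as SQL, so quotes and OR clauses in it are just data."""
    query = "SELECT name, pwhash FROM users WHERE name = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(conn, username):
    """Return (rows from vulnerable path, rows from fixed path) for one input,
    so the difference in exposure can be inspected directly."""
    return lookup_vulnerable(conn, username), lookup_fixed(conn, username)


if __name__ == "__main__":
    db = make_db()
    # A textbook tautology input: the vulnerable path returns every row
    # (all usernames and hashes), the fixed path returns nothing.
    vuln_rows, fixed_rows = compare(db, "x' OR '1'='1")
    print("vulnerable path returned", len(vuln_rows), "rows")
    print("fixed path returned", len(fixed_rows), "rows")
```

The point for defenders is the last two lines of output: a legitimate username yields one row on both paths, but crafted input yields the whole table on the vulnerable path and an empty result on the parameterized one. Removing the string-concatenated query is what the hotfix's "eliminates the SQL injection vulnerability" amounts to in this model; the separate cleanup and outbound-blocking steps Sophos describes address what an attacker already did with the data, which no query fix can undo.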