Hackers breach Sophos firewalls to steal VPN usernames and passwords
On the morning of Saturday the 25th of April, our technicians woke up to an email in our inboxes about a zero-day security breach of Sophos firewalls. A novice might read it and think “another boring security email” – we read it and immediately thought “this isn’t good”.
This was a successful attempt to steal VPN credentials en masse. You need to let the severity of that soak in for a moment – if a hacker has access to your VPN, they have access to your network – usually with lots of soft targets inside. Many companies have added VPN users recently because of the current work-from-home (WFH) situation, so it was the ideal time for them to strike.
All of us mistakenly tend to operate on the assumption that our firewall will keep us safe, and we don’t need to worry about strong passwords, updates, and security inside our networks – this should be a reminder to everyone this isn’t the case.
Several members of our team spent their Saturday applying hotfixes to the firewalls, determining who got breached, and notifying affected customers to change their VPN passwords. This was a close call. There were several things that worked in our favor:
- A fast response from Sophos, a multinational security company, in analyzing the attack and issuing a fix.
- The passwords stolen were encrypted, which would slow down the hackers.
- The hackers appeared to be somewhat inept and did not use the level of access they obtained to do far nastier things like open firewall ports, run internal network scans, spread ransomware, or create VPN accounts for themselves.
- Customers using Active Directory integration for VPN authentication were not vulnerable to password theft, but they were still vulnerable to firewall compromise.
We are now taking the following steps to secure our managed services clients:
- Requiring you to implement multi-factor authentication (MFA) to connect to your VPN. While inconvenient, multi-factor authentication provides another layer of protection if your password gets stolen.
- Turning off the end-user self-service portal from outside your network. This means that if you need to set up or reconfigure your VPN while you are not in the office, you will need to call or email us to have it turned on for a short period of time.
- MFA setups will occur in scheduled batches, or specific windows of time that will be communicated later.
We realize that some of these steps may pose an inconvenience and create extra work for everyone, but we hope you will understand their importance. We thank you in advance for your cooperation.