Attackers could use a critical exploit against more than 4,400 internet-facing servers running Sophos Firewall, according to a cybersecurity researcher.
The report says cybercriminals could execute malicious code on the unpatched systems. However, mass exploitation is unlikely for now.
Thousands of Sophos Firewall Servers Are Vulnerable
Back in September 2022, Sophos disclosed a vulnerability with a severity rating of 9.8 out of 10. The flaw, tracked as CVE-2022-3236, allows remote code execution on Sophos Firewall appliances.
Sophos urged users to patch their devices quickly so that attacks exploiting the flaw could be avoided.
However, despite the warning, over 4,400 internet-facing servers remain vulnerable to the exploit, VulnCheck wrote in a blog post last week.
The security company said that figure is roughly 6% of the internet-facing Sophos firewalls it identified. Although that is a small fraction, those servers remain exposed for as long as they stay unpatched.
According to Jacob Baines, a researcher at VulnCheck, more than 99% of internet-facing Sophos Firewalls have not yet upgraded to a firewall version that includes the official fix.
"But around 93% are running versions that are eligible for a hotfix, and the default behavior for the firewall is to automatically download and apply hotfixes (unless disabled by an administrator)," he adds.
Even with the hotfix mechanism, Baines says, over 4,000 internet-facing firewalls are still considered vulnerable to the exploit.
Two Indicators of Potential Compromise
Baines is still looking for a way to address the vulnerability on systems that remain unpatched, according to a Zero Day Initiative advisory.
For firewalls that are still unpatched, administrators should watch for two indicators that may point to exploitation attempts.
According to a report by Ars Technica, Baines says the first indicator is found in the log file at /logs/csc.log and the second in /logs/validationError.log.
The sign to look for is a login request containing a _discriminator field. Its presence shows that someone attempted to exploit the vulnerability, even if the attempt did not succeed.
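As an added example (not VulnCheck's or Sophos' code, and not part of the original article), the following Python script scans the two log files named above for the _discriminator indicator and reports each matching line. The log-line format in its built-in sample data is constructed for illustration only and does not reproduce the real Sophos log format; the regular expression that pulls out the field's value is likewise an assumption about how the field appears in a logged login request.

```python
import re
from pathlib import Path

# Log files VulnCheck names as places where exploitation attempts leave traces.
INDICATOR_PATHS = ("/logs/csc.log", "/logs/validationError.log")
INDICATOR = "_discriminator"

# Loose pattern to pull out the field's value when it appears as a JSON-style
# key ("_discriminator":"..."). This is an assumption about the request shape,
# not Sophos' documented log format.
VALUE_RE = re.compile(r'"_discriminator"\s*:\s*"([^"]*)"')

# Constructed sample log content for offline testing. These lines are made up
# for this example and do not reproduce the real Sophos log format.
SAMPLE_LOGS = {
    "/logs/csc.log": [
        "2023-01-10 10:00:01 login request user=admin result=ok",
        '2023-01-10 10:02:17 login request {"username":"admin","_discriminator":"x"} result=captcha_failed',
        "2023-01-10 10:05:00 login request user=jdoe result=ok",
    ],
    "/logs/validationError.log": [
        "2023-01-10 10:02:17 validation error: unexpected field _discriminator",
    ],
}


def scan_lines(source, lines):
    """Return one hit dict per line that contains the indicator."""
    hits = []
    for number, line in enumerate(lines, 1):
        if INDICATOR not in line:
            continue
        match = VALUE_RE.search(line)
        hits.append({
            "source": source,
            "line": number,
            "value": match.group(1) if match else None,
            "text": line.rstrip("\n"),
        })
    return hits


def scan_files(paths=INDICATOR_PATHS):
    """Scan the live log files on the appliance; missing files are skipped."""
    hits = []
    for p in paths:
        path = Path(p)
        if not path.is_file():
            continue
        with path.open(encoding="utf-8", errors="replace") as fh:
            hits.extend(scan_lines(p, fh))
    return hits


def scan_samples():
    """Scan the constructed sample logs instead of the live files."""
    hits = []
    for source, lines in SAMPLE_LOGS.items():
        hits.extend(scan_lines(source, lines))
    return hits


def summarize(hits):
    """Count hits per log file. A hit is evidence of an attempt, not proof of compromise."""
    counts = {}
    for hit in hits:
        counts[hit["source"]] = counts.get(hit["source"], 0) + 1
    return counts


if __name__ == "__main__":
    live = any(Path(p).is_file() for p in INDICATOR_PATHS)
    if live:
        hits = scan_files()
    else:
        print("log files not present on this host; scanning constructed samples")
        hits = scan_samples()
    for hit in hits:
        print(f"{hit['source']}:{hit['line']} value={hit['value']!r}  {hit['text']}")
    print("per-file counts:", summarize(hits))
```

Run it on the appliance (or against copies of the two files) to list every line carrying the indicator. A match only tells you that an exploit attempt reached the login handler; it does not tell you whether the attempt got past the CAPTCHA, so treat each hit as a lead for further investigation rather than a confirmed compromise.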
Security researchers say mass exploitation is unlikely because the vulnerable login request must first pass the portal's CAPTCHA check before the injected code runs.
This means a failed CAPTCHA is a failed exploit attempt. Attackers who want to hit many firewalls would have to automate solving the CAPTCHA, which is an additional hurdle to overcome.