Andrew Brandt
At a certain point, it just becomes oppressive.
Like, the amount of patching that you have to do and the analysis involved in that and, you know, fixing the firewall takes just as much QA.
You know, it takes time to build things that don't break.
And these are critical... I don't want to say they're critical infrastructure, but they're protecting critical infrastructure...
Yeah, over time, the threat actors were increasingly targeting specific organizations or specific groups.
They had identified who all of the customers were in those early attacks, because they smacked all of the firewalls at once and grabbed some data.
Well, it turns out that the Cyberoam code is the predecessor to the XG Firewall code.
So Cyberoam was the company that Sophos bought, and their product became the XG Firewall.
So back in 2018, we're talking about how the threat actors had stolen the source code, you know, they were using some of that still to find additional vulnerabilities.
At this point, Cyberoam and the XG Firewall were operating in parallel, but Cyberoam was about to be phased out.
And the threat actors found a vulnerability that allowed them to create an admin-level account on the box with just a SQL injection query that was pre-authentication.
So they could just hit the SQL server that was running on the firewall from the outside and run a command that was able to get it to add a user with admin access.
And then they could log in on any Cyberoam firewall that they wanted to with that credential.
And because the product was close to end of life, Sophos just decided to rush it to end of life, get everybody who was running a Cyberoam firewall to upgrade to the latest XG, and put that one to bed, because it was the point where, if we had to start, you know, tracking attacks against Cyberoam and XG Firewalls, that would have taken all of the entire team's resources all the time.
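The vulnerability described above, a pre-authentication SQL injection that adds an admin account, is the classic case of user input being pasted into SQL text. The following is an added example, not code from the podcast, from Sophos, or from the Cyberoam product: a constructed toy user store (SQLite in memory) with a pre-auth handler written two ways. `audit_vulnerable` formats the name into a batch of statements; `audit_hardened` binds it as a parameter. The table names, the `backdoor` account and the payload string are all constructed for the illustration. A small defender-side check at the end shows that once the input is bound as data, the attempt is stored verbatim and can be surfaced from the audit table.

```python
import sqlite3

# Constructed toy schema standing in for a firewall's local user store.
# This is an added illustration; nothing here is Cyberoam's or Sophos's code.
SCHEMA = """
CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT, role TEXT);
CREATE TABLE login_audit (id INTEGER PRIMARY KEY, name TEXT);
INSERT INTO users VALUES ('operator', 'hunter2', 'readonly');
"""


def make_db():
    """Fresh in-memory database with one non-admin account."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def admins(conn):
    """Names of accounts holding the admin role (sorted)."""
    return [r[0] for r in conn.execute(
        "SELECT name FROM users WHERE role = 'admin' ORDER BY name")]


def audit_vulnerable(conn, name):
    """Pre-auth handler that records a login attempt and prunes old rows.

    The user-supplied name is pasted into the SQL text and the whole batch
    goes through executescript(), so a quote in the name ends the string
    literal and any statement that follows runs with the database's
    privileges. Reachable before authentication, this is exactly the shape
    of bug the transcript describes.
    """
    sql = f"""
        INSERT INTO login_audit (name) VALUES ('{name}');
        DELETE FROM login_audit
         WHERE id < (SELECT MAX(id) FROM login_audit) - 1000;
    """
    conn.executescript(sql)


def audit_hardened(conn, name):
    """Same two statements with the name bound as a parameter.

    The driver sends the value separately from the SQL text, so whatever the
    client supplies can only ever be stored as a string, never parsed as SQL.
    """
    conn.execute("INSERT INTO login_audit (name) VALUES (?)", (name,))
    conn.execute("DELETE FROM login_audit "
                 "WHERE id < (SELECT MAX(id) FROM login_audit) - 1000")
    conn.commit()


def suspicious_audit_entries(conn):
    """Defender-side check: audit names that contain quote or statement
    separators are not login names and deserve an alert. Only the hardened
    path records the attempt faithfully; the vulnerable path stores 'x'."""
    return [n for (n,) in conn.execute("SELECT name FROM login_audit")
            if "'" in n or ";" in n]


# Constructed payload of the kind the transcript describes: close the
# literal, add an admin account, comment out the remainder of the line.
INJECTED_NAME = "x'); INSERT INTO users VALUES ('backdoor', 'pw', 'admin'); --"


def demo():
    """Run the same input through both handlers; return the admin lists."""
    vulnerable = make_db()
    audit_vulnerable(vulnerable, INJECTED_NAME)
    hardened = make_db()
    audit_hardened(hardened, INJECTED_NAME)
    return admins(vulnerable), admins(hardened)


if __name__ == "__main__":
    v, h = demo()
    print("admins after vulnerable handler:", v)
    print("admins after hardened handler:  ", h)
```

Running `demo()` shows the vulnerable handler leaving a `backdoor` admin behind while the hardened one stores the payload as an ordinary audit row; `suspicious_audit_entries` on the hardened database returns that row, which is the signal a detection rule would key on.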