Jack Rhysider
And this was a really bad bug for Sophos to discover.
Their devices are supposed to be blocking hackers from getting into the network, yet it's the vulnerable device which is allowing hackers into it?
These firewalls weren't just vulnerable.
They all had been hacked into, exploited.
Someone probably scanned the whole internet looking for these particular Sophos firewalls and then ran some kind of automation script to go infect them all.
Hot dog, 80,000 Sophos firewalls hacked into.
But just because someone put a URL in place where it shouldn't be, that's not all that damaging just by itself.
So the team investigated what that URL did, and that's when they started to panic.
The URL would trigger a GET request in order to update the Sophos firewall itself.
But what was really weird about it is that
So it tried to blend in like it was supposed to be there.
And it fooled many of the people even at Sophos who just figured the update domains changed.
But my goodness, this meant suddenly 80,000 firewalls were looking somewhere else for updates and not to Sophos?
And I don't know if you fully understand what this means.
If a malicious actor is able to send your firewall software updates, then they can put in whatever they want.
They can give themselves full access to the firewall, or they can log all traffic going through it.
They can poke a hole in the firewall and let themselves right into your network.
And then from there, they can just infect your whole network with ransomware.
The thing that is supposed to block unwanted traffic is no longer blocking anything if the attacker wants it that way.