Cyberoam Firewall Flaw

A researcher who wishes to remain anonymous has disclosed a flaw in Cyberoam firewall appliances. The vulnerability allows a remote attacker to gain root-level permissions on the appliance by sending malicious commands to it over the Internet. The attack targets the web-based management interface that sits on top of the Cyberoam firewall; once the flaw is exploited, the attacker controls the device that guards the perimeter and can use it to reach the entire company network.

Cyberoam appliances are typically deployed in large enterprises at the network edge, where they act as a gateway that lets employees in while keeping unauthorized connections out. They filter malicious traffic, block denial-of-service and other network-based attacks, and provide Virtual Private Networking (VPN) so that employees can log in to the company network remotely. Sophos, which acquired Cyberoam in 2014, released an advisory this week stating that it is rolling out fixes. According to the researcher, an attacker needs only the IP address of a vulnerable device, and finding candidates is easy: the search engine Shodan currently lists around 96,000 Cyberoam devices reachable from the Internet, and other search engines put that number even higher. A Sophos spokesperson said: “Sophos issued an automatic hotfix to all supported versions in September, and we know that 99% of devices have already been automatically patched. There are a small number of devices that have not as of yet been patched because the customer has turned off auto-update and/or are not internet-facing devices.”

Analyst Notes

Users of Cyberoam firewalls are urged to enable the auto-update feature so that security patches are applied as soon as they are released. The appliances can also be updated manually; instructions are available on the company’s website. Sophos also stated that a further fix will be included in the next release of the Cyberoam operating system. Note that the 99% figure quoted by Sophos covers supported versions with auto-update enabled: an appliance on an unsupported version, or one where auto-update has been turned off, must be patched by hand, and an appliance that is not Internet-facing is still reachable by anyone who already has a foothold inside the network. Binary Defense recommends that companies practice defense-in-depth, which includes continuous monitoring for unusual behavior on servers and workstations inside the corporate network. Defense-in-depth layers multiple security controls so that the network stays protected even when an outer defense such as a firewall fails or is itself used as the attack vector. Binary Defense analysts are dedicated to protecting our clients by detecting attacker behavior on internal computers and by finding stolen or damaging information on the dark web.