Pine Cove Blog

Hackers target admins when they can't beat Sophos Security

Written by Jace Holyoak | Nov 13, 2018 4:00:00 PM

A cyber-security solution is only as secure as its management is at keeping their login credentials secure. Here is a real world example of how hackers targeted a vulnerable admin into deactivating their Sophos software and then exploited their network to access important assets within a company. The following is an actual instant messaging conversation between a Sophos IT Representative and a Sophos customer:

9:30 AM - IT Representative

Saw I missed a call from you this morning.... I should be around most of the day now if you need anything.

9:33 AM - Sophos Customer

Hey, I was in a moment of panic and you were the first person I thought of... we just got hit BIG TIME ($55K in Bitcoin) by ransomware and I'm calling as I believe our systems were not functioning as advertised...

9:34 AM - IT Representative

Woah! You are running Intercept X, right?

9:34 AM - Sophos Customer

Well.... WE WERE!

After poking around in Sophos Central Admin Console, I realized EVERYTHING was disabled....

EVERYTHING...

Servers "Unlocked”

BASE POLICIES DISABLED

9:36 AM - IT Representative

ahhhh..... Were you 2FA'd ("2FA'd" stands for two-factor authentication, I will describe below)? Cause that's been happening...if the Sophos Central credentials are weak...hacker goes into Central, disables all CIX policies....and then runs their ransomware.

9:37 AM - Sophos Customer

You are right! Local admin login credentials were compromised and it was my account that was used to turn everything off!

The hackers also logged onto our Firewall and deleted all the logs for the time frame of the attack.

9:38 AM - IT Representative

Wow!! Pretty targeted attack.

9:39 AM - Sophos Customer

Yeah! Someone is about to receive $55k in Bitcoin.

Lessons Learned from this Experience

1. Set up Two-Factor Authentication!

Sophos provides two-factor authentication (2FA) via SMS which helps to secure your account even if your login credentials were taken. 2FA via SMS offers several advantages over other multi-factor authentication methods: No need to install and additional app on the user’s smartphone for one-time password generation, or to use a costly hardware token. Contrary to authentication e-mails, an SMS reaches users immediately and exclusively on that user’s personal mobile phone. Furthermore, a successful delivery is signaled immediately, thereby reducing the requisite media disruption to a minimum.

2. Regularly Update your Passwords!

While password policies shouldn't be the driving force in your cyber-security protection, they do play an important role in preventing this type of situation from happening. If the admin would have had a more complex password and regularly updated it, this may not have happened.

You can implement all the next-gen synchronized security solutions in the world but still have holes if you don't secure your login credentials. 2FA and password policies are a must!