Attackers Target Sophos Partner Website

First published: 11th April 2012

Sophos has notified its distributors and resellers that suspicious activity was detected on the Sophos Partner Portal and, as a precautionary measure, the site has been shut down and a full security audit launched.

The suspicious activity was detected on Tuesday, 3rd April and reported to Sophos' business partners on 5th April. The attacker attempted to upload two attack tools, one to steal passwords and the other to escalate privileges, but was blocked by Sophos Endpoint Security. Nevertheless, Sophos considered the attempt serious enough to take the portal offline, image the system for forensic analysis, and run copies in their secure lab to further understand the attack.

To reassure partners, Sophos emphasised that the database attacked was not designed to hold financial data, but they scanned for any banking details (credit cards, sorting codes, account numbers, etc.) lurking in the fields anyway, and found none. There will also be forced password resets when the system comes back online.

On 10th April, Sophos updated their report, saying that, following a hardware failure, misconfiguration of security settings on a standby server allowed the attacker to locate and exploit a vulnerability.

This incident again shows the value of defence in depth: a mistake or vulnerability in one system is covered by a complementary defence. Any security incident is hugely embarrassing for a security company, but only openness when an incident occurs can give confidence that serious problems are not being swept under the carpet.

