Security Experts:

Connect with us

Hi, what are you looking for?



Hackers Attempted to Deploy Ransomware in Attacks Targeting Sophos Firewalls

Malicious actors targeting a zero-day vulnerability in Sophos XG Firewall appliances last month attempted to deploy ransomware after Sophos started taking measures to neutralize the attack.

Malicious actors targeting a zero-day vulnerability in Sophos XG Firewall appliances last month attempted to deploy ransomware after Sophos started taking measures to neutralize the attack.

In the incident, which Sophos refers to as Asnarök, adversaries targeted a previously unknown SQL injection vulnerability to insert a one-line command and download a Linux shell script that would execute further commands and drop additional scripts, for persistence and to create a backup channel.

Sophos was alerted shortly after the attack started and immediately took measures, with a patch to address the vulnerability being rolled out within days.

One of the files deployed by the attackers would act as a “dead man switch,” to launch a ransomware attack when a specific file would be deleted on unpatched firewalls during a reboot or power-cycle, the security company reveals.

Because the deployed patches would address the vulnerability and remove malicious code without a reboot, the ransomware attack was not triggered. Realizing that, the adversary decided to change some of the previously deployed shell scripts, and even replaced one of them with the ransomware payload.

“At that point, the attackers intended to deliver the ransomware without requiring the firewall to reboot—but Sophos had already taken additional steps to intervene that disrupted this phase of the attack,” the security company says.

The initial post-exploitation attack would start with one of the scripts deployed in the second stage, which was meant to drop a Linux ELF binary to the filesystem. Acting as the dead man switch, the file was meant to download and execute another shell script named from the website ragnarokfromasgard[.]com, Sophos explains.

The script would perform various tasks, including parsing the contents of the firewall’s ARP cache, where the (internal) IP and MAC addresses of host on the local network are stored. Next, it would use the list to scan for port 445/tcp on the hosts and determine if they were reachable Windows systems.

Furthermore, a file deceptively named “hotfix” would determine whether the machines were running 32-bit or 64-bit Windows, and then attempt to leverage an EternalBlue exploit and DoublePulsar shellcode to deliver and execute a DLL directly into memory (targeting explorer.exe).

The DLL would then attempt to fetch an executable payload from 9sg[.]me over HTTP port 81/tcp. The IP address hosting the domain and serving the hotfix payload was involved in attacks going back to 2018, and is associated with a threat actor known as NOTROBIN.

After realizing that the so-called dead man switch did not work, the attackers replaced a script downloading an exfiltration tool named 2own with a script set up to download an ELF binary that in turn fetched the ransomware. This was done in an effort to move the ransomware up in the attack sequence, Sophos explains.

The ransomware that would be dropped is called Ragnarok and has been connected to various campaigns targeting networked devices, including one targeting Citrix ADC servers.

The security company also notes that the EternalBlue exploit implemented in this attack would only work against unpatched versions of Windows 7.

“Ragnarok is a less common threat than other ransomware, and it appears that this threat actor’s modus operandi – and the tooling they employ to deliver this ransomware—is quite different from those of many other threat actors. It was a rare and notable event to observe a Linux ELF application being used to try to spread malware across platforms to Windows computers,” Sophos concludes.

Related: Malware Delivered to Sophos Firewalls via Zero-Day Vulnerability

Related: Attacker Installs Backdoor, Blocks Others From Exploiting Citrix ADC Vulnerability

Related: Attacks on ADC Ramp Up as Citrix Releases Remaining Patches

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.