Security Experts:

Connect with us

Hi, what are you looking for?



Malware Delivered to Sophos Firewalls via Zero-Day Vulnerability

Cybersecurity company Sophos informed customers over the weekend that it has patched a zero-day vulnerability that has been exploited to deliver malware to its XG Firewall appliances.

Cybersecurity company Sophos informed customers over the weekend that it has patched a zero-day vulnerability that has been exploited to deliver malware to its XG Firewall appliances.

Sophos said it learned about attacks targeting its XG firewall on April 22 after a suspicious field value was discovered in a device’s management interface. An investigation revealed that attackers have been exploiting a previously unknown SQL injection vulnerability to hack exposed physical and virtual firewalls. Multiple customers were targeted.

According to the company, the attack was aimed at systems with the administration service or the user portal exposed to the internet. The attackers were apparently trying to exploit the security hole to download malware that would allow them to exfiltrate data from the firewall.

This data can include usernames and password hashes for the local device administrators, portal admins, and user accounts set up for remote access. The malware could have also gained access to information about the firewall, email addresses of accounts stored on the appliance, and information on IP address allocation permissions.

“Passwords associated with external authentication systems such as AD or LDAP are unaffected,” Sophos told customers.

Sophos started taking measures shortly after the attack started and it rolled out a SFOS hotfix that patches the SQL injection vulnerability on April 25. Once they have applied the hotfix, users are also informed if their firewall has been compromised as part of this attack.

In a blog post published late on Sunday, Sophos revealed that the attacker exploited the SQL injection vulnerability to insert a one-line command into the firewall database. This command caused affected devices to download a Linux shell script named from a remote server. The script then executed more SQL commands and dropped more files onto the virtual file system.

Other scripts deployed in the attack were designed to ensure persistence across device reboots and for creating a backup channel.

“The script, initially, ran a number of Postgres SQL commands to modify or zero out the values of certain tables in the database, one of which normally displays the administrative IP address of the device itself,” Sophos researchers explained. “It appears that this was an attempt to conceal the attack, but it backfired: On some appliances, the shell script’s activity resulted in the attacker’s own injected SQL command line being displayed on the user interface of the firewall’s administrative panel. In place of what should have been an address, it showed a line of shell commands.”

Sophos has dubbed the malware involved in the attack Asnarok and attributed the operation to an “unknown adversary.”

“There was significant orchestration involved in the execution of the attack, using a chain of Linux shell scripts that eventually downloaded ELF binary executable malware compiled for a firewall operating system,” the company explained.

In the initial version of its advisory, Sophos said it had no evidence that the hackers accessed anything on the local networks behind the targeted firewalls, but that sentence was later removed without additional clarifications. The subsequent blog post does say that there is no evidence that the data collected from firewalls was actually exfiltrated.

The cybersecurity firm has published indicators of compromise (IoC) and technical details about the attack. The company says customers whose firewalls have not been compromised do not need to take any action. Users who are informed that their firewalls have been targeted in this attack will need to change their passwords on the device.

Related: Critical Flaw in Sophos Cyberoam Appliances Allows Remote Code Execution

Related: Sophos Patches Privilege Escalation Flaws in SafeGuard Products

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.