Connect with us

Hi, what are you looking for?



Malware Delivered to Sophos Firewalls via Zero-Day Vulnerability

Cybersecurity company Sophos informed customers over the weekend that it has patched a zero-day vulnerability that has been exploited to deliver malware to its XG Firewall appliances.

Cybersecurity company Sophos informed customers over the weekend that it has patched a zero-day vulnerability that has been exploited to deliver malware to its XG Firewall appliances.

Sophos said it learned about attacks targeting its XG firewall on April 22 after a suspicious field value was discovered in a device’s management interface. An investigation revealed that attackers have been exploiting a previously unknown SQL injection vulnerability to hack exposed physical and virtual firewalls. Multiple customers were targeted.

According to the company, the attack was aimed at systems with the administration service or the user portal exposed to the internet. The attackers were apparently trying to exploit the security hole to download malware that would allow them to exfiltrate data from the firewall.

This data can include usernames and password hashes for the local device administrators, portal admins, and user accounts set up for remote access. The malware could have also gained access to information about the firewall, email addresses of accounts stored on the appliance, and information on IP address allocation permissions.

“Passwords associated with external authentication systems such as AD or LDAP are unaffected,” Sophos told customers.

Sophos started taking measures shortly after the attack started and it rolled out a SFOS hotfix that patches the SQL injection vulnerability on April 25. Once they have applied the hotfix, users are also informed if their firewall has been compromised as part of this attack.

In a blog post published late on Sunday, Sophos revealed that the attacker exploited the SQL injection vulnerability to insert a one-line command into the firewall database. This command caused affected devices to download a Linux shell script named from a remote server. The script then executed more SQL commands and dropped more files onto the virtual file system.

Other scripts deployed in the attack were designed to ensure persistence across device reboots and for creating a backup channel.

Advertisement. Scroll to continue reading.

“The script, initially, ran a number of Postgres SQL commands to modify or zero out the values of certain tables in the database, one of which normally displays the administrative IP address of the device itself,” Sophos researchers explained. “It appears that this was an attempt to conceal the attack, but it backfired: On some appliances, the shell script’s activity resulted in the attacker’s own injected SQL command line being displayed on the user interface of the firewall’s administrative panel. In place of what should have been an address, it showed a line of shell commands.”

Sophos has dubbed the malware involved in the attack Asnarok and attributed the operation to an “unknown adversary.”

“There was significant orchestration involved in the execution of the attack, using a chain of Linux shell scripts that eventually downloaded ELF binary executable malware compiled for a firewall operating system,” the company explained.

In the initial version of its advisory, Sophos said it had no evidence that the hackers accessed anything on the local networks behind the targeted firewalls, but that sentence was later removed without additional clarifications. The subsequent blog post does say that there is no evidence that the data collected from firewalls was actually exfiltrated.

The cybersecurity firm has published indicators of compromise (IoC) and technical details about the attack. The company says customers whose firewalls have not been compromised do not need to take any action. Users who are informed that their firewalls have been targeted in this attack will need to change their passwords on the device.

Related: Critical Flaw in Sophos Cyberoam Appliances Allows Remote Code Execution

Related: Sophos Patches Privilege Escalation Flaws in SafeGuard Products

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...