Sophos fixes firewall bug being actively exploited in SQL injection attacks

Customised 'Asnarok’ malware targeted virtual and physical firewalls to attempt to exfiltrate user information

Hackers have been exploiting a previously unknown vulnerability in Sophos XG devices to launch SQL injection attacks to steal usernames and hashed passwords of user accounts.

The British security firm last week encountered an XG Firewall with a suspicious field value visible in the management interface before launching an immediate investigation that resulted in the discovery of an ongoing attack.

The vulnerability was being exploited through a SQL injection attack, a code injection technique used to attack data-driven services, in which malicious SQL statements are inserted into an entry field for malicious execution.

Sophos released a hotfix for the remote code execution flaw to all users, notifying those whose devices were compromised. 

"The attack used a previously unknown pre-auth SQL injection vulnerability to gain access to exposed XG devices," the company said in a post. "It was designed to exfiltrate XG Firewall-resident data. Customers with impacted firewalls should assume the data was compromised."

"The data exfiltrated for any impacted firewall includes all local usernames and hashed passwords of any local user accounts. For example, this includes local device admins, user portal accounts, and accounts used for remote access."

Further investigation revealed that the culprit was Asnarok malware, which is known to target firewalls. The infection process started when an attacker discovered the zero-day flaw, which allowed them to introduce a one-line command into a database table.

An affected device was then triggered into downloading a Linux shell script from a remote server on a malicious domain, which ran a series of SQL commands and dropped additional field into the virtual file system. This paved the way for the rest of the attack.

A process of shell scripts was activated one after another to bring the attack to a point where the malware downloaded and executed a file named Sophos.dat, which was primarily aimed at exfiltrating data.

The malware aimed to retrieve the contents of various database tables stores in the firewall by running some operating system commands. The malware collected information at each step and then linked this into a file stored on the firewall. The malware then triggered a mechanism to exfiltrate the data.

Information including the firewall’s license and serial number, and a list of the email addresses of user accounts stored on the device as well as the primary email belonging to the administrator’s account. 

Names, user names, encrypted passwords and salted SHA256 hash of the administrator account’s password may have been stolen, as well as a list of user IDs that were allowed to use the firewall for SSL VPN and a ‘clientless’ VPN connection.

Beyond releasing a fix, Sophos has taken a number of steps including blocking domains found in its forensic analysis of the attack, and IP addresses associated with the attack. 

The company has also submitted a CVE request and plans to add the CVE number to its published materials.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Android malware vendor teams with marketer to promote new malware
malware

Android malware vendor teams with marketer to promote new malware

11 Jan 2021
Python-based malware steals Outlook files and browser credentials
malware

Python-based malware steals Outlook files and browser credentials

15 Dec 2020
Subway UK customers targeted by Trickbot hackers
hacking

Subway UK customers targeted by Trickbot hackers

14 Dec 2020
Power banks could infect your smartphone with malware
malware

Power banks could infect your smartphone with malware

9 Dec 2020

Most Popular

Citrix buys Slack competitor Wrike in record $2.25bn deal
collaboration

Citrix buys Slack competitor Wrike in record $2.25bn deal

19 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021
SolarWinds hackers hit Malwarebytes through Microsoft exploit
hacking

SolarWinds hackers hit Malwarebytes through Microsoft exploit

20 Jan 2021