Sophos fixes firewall bug being actively exploited in SQL injection attacks

Customised 'Asnarok’ malware targeted virtual and physical firewalls to attempt to exfiltrate user information

Hackers have been exploiting a previously unknown vulnerability in Sophos XG devices to launch SQL injection attacks to steal usernames and hashed passwords of user accounts.

The British security firm last week encountered an XG Firewall with a suspicious field value visible in the management interface before launching an immediate investigation that resulted in the discovery of an ongoing attack.

Advertisement - Article continues below

The vulnerability was being exploited through a SQL injection attack, a code injection technique used to attack data-driven services, in which malicious SQL statements are inserted into an entry field for malicious execution.

Sophos released a hotfix for the remote code execution flaw to all users, notifying those whose devices were compromised. 

"The attack used a previously unknown pre-auth SQL injection vulnerability to gain access to exposed XG devices," the company said in a post. "It was designed to exfiltrate XG Firewall-resident data. Customers with impacted firewalls should assume the data was compromised."

"The data exfiltrated for any impacted firewall includes all local usernames and hashed passwords of any local user accounts. For example, this includes local device admins, user portal accounts, and accounts used for remote access."

Further investigation revealed that the culprit was Asnarok malware, which is known to target firewalls. The infection process started when an attacker discovered the zero-day flaw, which allowed them to introduce a one-line command into a database table.

Advertisement - Article continues below
Advertisement - Article continues below

An affected device was then triggered into downloading a Linux shell script from a remote server on a malicious domain, which ran a series of SQL commands and dropped additional field into the virtual file system. This paved the way for the rest of the attack.

A process of shell scripts was activated one after another to bring the attack to a point where the malware downloaded and executed a file named Sophos.dat, which was primarily aimed at exfiltrating data.

The malware aimed to retrieve the contents of various database tables stores in the firewall by running some operating system commands. The malware collected information at each step and then linked this into a file stored on the firewall. The malware then triggered a mechanism to exfiltrate the data.

Information including the firewall’s license and serial number, and a list of the email addresses of user accounts stored on the device as well as the primary email belonging to the administrator’s account. 

Advertisement - Article continues below

Names, user names, encrypted passwords and salted SHA256 hash of the administrator account’s password may have been stolen, as well as a list of user IDs that were allowed to use the firewall for SSL VPN and a ‘clientless’ VPN connection.

Beyond releasing a fix, Sophos has taken a number of steps including blocking domains found in its forensic analysis of the attack, and IP addresses associated with the attack. 

The company has also submitted a CVE request and plans to add the CVE number to its published materials.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now



Evasive malware threats doubled in 2019

24 Mar 2020

Best free malware removal tools 2019

2 Mar 2020

Best antivirus for Windows 10

3 Sep 2019

Most Popular

Microsoft Windows

Microsoft warns users not to install Windows 10's May update

28 May 2020
data breaches

EasyJet faces class-action lawsuit over data breach

26 May 2020
cyber security

Microsoft bans Trend Micro driver from Windows 10 for "cheating" hardware tests

27 May 2020