IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Sophos fixes firewall bug being actively exploited in SQL injection attacks

Customised 'Asnarok’ malware targeted virtual and physical firewalls to attempt to exfiltrate user information

Virtual security/privacy shield

Hackers have been exploiting a previously unknown vulnerability in Sophos XG devices to launch SQL injection attacks to steal usernames and hashed passwords of user accounts.

The British security firm last week encountered an XG Firewall with a suspicious field value visible in the management interface before launching an immediate investigation that resulted in the discovery of an ongoing attack.

The vulnerability was being exploited through a SQL injection attack, a code injection technique used to attack data-driven services, in which malicious SQL statements are inserted into an entry field for malicious execution.

Sophos released a hotfix for the remote code execution flaw to all users, notifying those whose devices were compromised. 

"The attack used a previously unknown pre-auth SQL injection vulnerability to gain access to exposed XG devices," the company said in a post. "It was designed to exfiltrate XG Firewall-resident data. Customers with impacted firewalls should assume the data was compromised."

"The data exfiltrated for any impacted firewall includes all local usernames and hashed passwords of any local user accounts. For example, this includes local device admins, user portal accounts, and accounts used for remote access."

Further investigation revealed that the culprit was Asnarok malware, which is known to target firewalls. The infection process started when an attacker discovered the zero-day flaw, which allowed them to introduce a one-line command into a database table.

An affected device was then triggered into downloading a Linux shell script from a remote server on a malicious domain, which ran a series of SQL commands and dropped additional field into the virtual file system. This paved the way for the rest of the attack.

A process of shell scripts was activated one after another to bring the attack to a point where the malware downloaded and executed a file named Sophos.dat, which was primarily aimed at exfiltrating data.

The malware aimed to retrieve the contents of various database tables stores in the firewall by running some operating system commands. The malware collected information at each step and then linked this into a file stored on the firewall. The malware then triggered a mechanism to exfiltrate the data.

Information including the firewall’s license and serial number, and a list of the email addresses of user accounts stored on the device as well as the primary email belonging to the administrator’s account. 

Names, user names, encrypted passwords and salted SHA256 hash of the administrator account’s password may have been stolen, as well as a list of user IDs that were allowed to use the firewall for SSL VPN and a ‘clientless’ VPN connection.

Beyond releasing a fix, Sophos has taken a number of steps including blocking domains found in its forensic analysis of the attack, and IP addresses associated with the attack. 

The company has also submitted a CVE request and plans to add the CVE number to its published materials.

Featured Resources

The Total Economic Impact™ Of Turbonomic Application Resource Management for IBM Cloud® Paks

Business benefits and cost savings enabled by IBM Turbonomic Application Resource Management

Free Download

The Total Economic Impact™ of IBM Watson Assistant

Cost savings and business benefits enabled by Watson Assistant

Free Download

The field guide to application modernisation

Moving forward with your enterprise application portfolio

Free Download

AI for customer service

Discover the industry-leading AI platform that customers and employees want to use

Free Download

Recommended

Hackers could use new Wslink malware in highly targeted cyber attacks
malware

Hackers could use new Wslink malware in highly targeted cyber attacks

1 Nov 2021
FBI raids Chinese POS business following cyber attack claims
malware

FBI raids Chinese POS business following cyber attack claims

27 Oct 2021
Kaspersky exposes MysterySnail zero-day exploit in Windows
zero-day exploit

Kaspersky exposes MysterySnail zero-day exploit in Windows

13 Oct 2021
Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021

Most Popular

Apple patches 'superpower' zero-days affecting iPhones, iPads, and Macs
zero-day exploit

Apple patches 'superpower' zero-days affecting iPhones, iPads, and Macs

18 Aug 2022
Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
Google is now spending a staggering amount on blockchain
Business strategy

Google is now spending a staggering amount on blockchain

17 Aug 2022