IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Sophos fixes firewall bug being actively exploited in SQL injection attacks

Customised 'Asnarok’ malware targeted virtual and physical firewalls to attempt to exfiltrate user information

Virtual security/privacy shield

Hackers have been exploiting a previously unknown vulnerability in Sophos XG devices to launch SQL injection attacks to steal usernames and hashed passwords of user accounts.

The British security firm last week encountered an XG Firewall with a suspicious field value visible in the management interface before launching an immediate investigation that resulted in the discovery of an ongoing attack.

The vulnerability was being exploited through a SQL injection attack, a code injection technique used to attack data-driven services, in which malicious SQL statements are inserted into an entry field for malicious execution.

Sophos released a hotfix for the remote code execution flaw to all users, notifying those whose devices were compromised. 

"The attack used a previously unknown pre-auth SQL injection vulnerability to gain access to exposed XG devices," the company said in a post. "It was designed to exfiltrate XG Firewall-resident data. Customers with impacted firewalls should assume the data was compromised."

"The data exfiltrated for any impacted firewall includes all local usernames and hashed passwords of any local user accounts. For example, this includes local device admins, user portal accounts, and accounts used for remote access."

Further investigation revealed that the culprit was Asnarok malware, which is known to target firewalls. The infection process started when an attacker discovered the zero-day flaw, which allowed them to introduce a one-line command into a database table.

An affected device was then triggered into downloading a Linux shell script from a remote server on a malicious domain, which ran a series of SQL commands and dropped additional field into the virtual file system. This paved the way for the rest of the attack.

A process of shell scripts was activated one after another to bring the attack to a point where the malware downloaded and executed a file named Sophos.dat, which was primarily aimed at exfiltrating data.

The malware aimed to retrieve the contents of various database tables stores in the firewall by running some operating system commands. The malware collected information at each step and then linked this into a file stored on the firewall. The malware then triggered a mechanism to exfiltrate the data.

Information including the firewall’s license and serial number, and a list of the email addresses of user accounts stored on the device as well as the primary email belonging to the administrator’s account. 

Names, user names, encrypted passwords and salted SHA256 hash of the administrator account’s password may have been stolen, as well as a list of user IDs that were allowed to use the firewall for SSL VPN and a ‘clientless’ VPN connection.

Beyond releasing a fix, Sophos has taken a number of steps including blocking domains found in its forensic analysis of the attack, and IP addresses associated with the attack. 

The company has also submitted a CVE request and plans to add the CVE number to its published materials.

Featured Resources

2023 Strategic roadmap for data security platform convergence

Capitalise on your data and share it securely using consolidated platforms

Free Download

The 3D trends report

Presenting one of the most exciting frontiers in visual culture

Free Download

The Total Economic Impact™ of IBM Cloud Pak® for Watson AIOps with Instana

Cost savings and business benefits

Free Download

Leverage automated APM to accelerate CI/CD and boost application performance

Constant change to meet fast-evolving application functionality

Free Download

Most Popular

Warning issued over ransomware attacks targeting VMware ESXi servers globally
cyber attacks

Warning issued over ransomware attacks targeting VMware ESXi servers globally

6 Feb 2023
ION Trading reportedly pays LockBit ransom demands

ION Trading reportedly pays LockBit ransom demands

6 Feb 2023
Tips for Boosting your Organisation’s Security Posture with Encryption

Tips for Boosting your Organisation’s Security Posture with Encryption

6 Feb 2023