Sophos fixes firewall bug being actively exploited in SQL injection attacks

Customised 'Asnarok’ malware targeted virtual and physical firewalls to attempt to exfiltrate user information

Hackers have been exploiting a previously unknown vulnerability in Sophos XG devices to launch SQL injection attacks to steal usernames and hashed passwords of user accounts.

The British security firm last week encountered an XG Firewall with a suspicious field value visible in the management interface before launching an immediate investigation that resulted in the discovery of an ongoing attack.

The vulnerability was being exploited through a SQL injection attack, a code injection technique used to attack data-driven services, in which malicious SQL statements are inserted into an entry field for malicious execution.

Sophos released a hotfix for the remote code execution flaw to all users, notifying those whose devices were compromised. 

"The attack used a previously unknown pre-auth SQL injection vulnerability to gain access to exposed XG devices," the company said in a post. "It was designed to exfiltrate XG Firewall-resident data. Customers with impacted firewalls should assume the data was compromised."

"The data exfiltrated for any impacted firewall includes all local usernames and hashed passwords of any local user accounts. For example, this includes local device admins, user portal accounts, and accounts used for remote access."

Further investigation revealed that the culprit was Asnarok malware, which is known to target firewalls. The infection process started when an attacker discovered the zero-day flaw, which allowed them to introduce a one-line command into a database table.

An affected device was then triggered into downloading a Linux shell script from a remote server on a malicious domain, which ran a series of SQL commands and dropped additional field into the virtual file system. This paved the way for the rest of the attack.

A process of shell scripts was activated one after another to bring the attack to a point where the malware downloaded and executed a file named Sophos.dat, which was primarily aimed at exfiltrating data.

The malware aimed to retrieve the contents of various database tables stores in the firewall by running some operating system commands. The malware collected information at each step and then linked this into a file stored on the firewall. The malware then triggered a mechanism to exfiltrate the data.

Information including the firewall’s license and serial number, and a list of the email addresses of user accounts stored on the device as well as the primary email belonging to the administrator’s account. 

Names, user names, encrypted passwords and salted SHA256 hash of the administrator account’s password may have been stolen, as well as a list of user IDs that were allowed to use the firewall for SSL VPN and a ‘clientless’ VPN connection.

Beyond releasing a fix, Sophos has taken a number of steps including blocking domains found in its forensic analysis of the attack, and IP addresses associated with the attack. 

The company has also submitted a CVE request and plans to add the CVE number to its published materials.

Featured Resources

Unlocking collaboration: Making software work better together

How to improve collaboration and agility with the right tech

Download now

Four steps to field service excellence

How to thrive in the experience economy

Download now

Six things a developer should know about Postgres

Why enterprises are choosing PostgreSQL

Download now

The path to CX excellence for B2B services

The four stages to thrive in the experience economy

Download now

Recommended

Weakness in Mamba ransomware could help recover data
ransomware

Weakness in Mamba ransomware could help recover data

26 Mar 2021
Invoice ZLoader campaign hides within encrypted Excel docs
malware

Invoice ZLoader campaign hides within encrypted Excel docs

8 Mar 2021
MacBook users warned against EvilQuest ransomware
ransomware

MacBook users warned against EvilQuest ransomware

19 Feb 2021
Agent Tesla malware evades security controls to infect systems
malware

Agent Tesla malware evades security controls to infect systems

3 Feb 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
Hackers are using fake messages to break into WhatsApp accounts
instant messaging (IM)

Hackers are using fake messages to break into WhatsApp accounts

8 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021