22 May 2020

Hackers attempted to exploit zero-day flaw in Sophos firewall to deploy ransomware


British security software and hardware company Sophos has published an update regarding its investigation into recent cyber attacks where threat actors were attempting to exploit an SQL-injection flaw (CVE-2020-12271) in its XG Firewall devices to deploy Asnarök malware. This trojan was used to steal data from the firewall that could have allowed the attackers to compromise the network remotely.

According to Sophos, after the company issued a hotfix to remediate the issue, the attackers modified their attack routine, replacing the original data-stealing payload with ransomware aimed at Windows machines in corporate networks that have Sophos firewalls installed.

“In the hours after Sophos issued hotfixes that secured firewalls targeted by unknown threat actors, the attackers pivoted to a new phase of the attack, adding new components—including files intended to spread ransomware to unpatched Windows machines inside the network. Unfortunately for the threat actors, the hotfixes also prevented the subsequent attempted attacks,” Sophos said.

The original attacks took place in late April this year. In a report published at the time, the company said the attackers had identified and exploited the SQL injection vulnerability to insert a one-line command into the firewall database. This command caused affected devices to download a Linux shell script named Install.sh from a remote server. The script then executed more SQL commands and dropped more files onto the virtual file system.

In the new report, Sophos revealed that after learning of the hotfix the attackers began to alter their scripts on hacked firewalls to use a 'dead man's switch' (a Linux shell script) that would trigger the ransomware attack if a specific file the attackers had created was deleted, or if the firewall was rebooted. Sophos blocked this attack by deleting the malicious scripts and applications, which prompted the attackers to change their plans once again.

In the new attack, threat actors attempted to deploy Ragnarok ransomware to vulnerable Windows machines on the network using the EternalBlue exploit (a Windows SMB exploit that lets attackers infect computers on the internal network beyond the firewall) and the DoublePulsar implant, a Windows kernel implant that can be used to gain a foothold on computers on the internal network.

“The EternalBlue exploit, as implemented by the attackers in this attack, cannot infect computers running Windows 8.1 or Windows 10. The attack only succeeds against computers running older, unpatched versions of Windows 7. As a matter of course, Sophos urges everyone to patch any vulnerable machines on their network,” Sophos said.

“This incident highlights the necessity of keeping machines inside the firewall perimeter up to date, and serves as a reminder that any IOT device could be abused as a foothold to reach Windows machines,” the company added.
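Sophos's advice above is to patch the Windows 7 hosts that EternalBlue can still reach. The following PowerShell check is an added example, not part of the Sophos report: run on a Windows 7 SP1 / Server 2008 R2 host, it reports whether the MS17-010 fix is present and whether the SMBv1 server is still enabled. It assumes Microsoft's published post-fix srv.sys version for Windows 7 SP1 (6.1.7601.23689) and the two original MS17-010 package IDs for that platform (KB4012212, KB4012215); hosts patched through a later cumulative rollup carry a newer srv.sys and no longer list those KBs, which is why the file version is treated as the authoritative signal.

```powershell
# Added example (not from the Sophos report): report MS17-010 / SMBv1 state on a
# Windows 7 SP1 or Server 2008 R2 host. Written for PowerShell 2.0+, which those
# hosts ship with (no [version]::new, no Get-SmbServerConfiguration).
function Test-EternalBlueExposure {
    # Assumption: 6.1.7601.23689 is the srv.sys version shipped by MS17-010 for Win7 SP1.
    $fixedSrvVersion = New-Object System.Version(6, 1, 7601, 23689)
    $srvPath = Join-Path $env:SystemRoot 'System32\drivers\srv.sys'

    $srvVersion = $null
    if (Test-Path $srvPath) {
        $vi = (Get-Item $srvPath).VersionInfo
        # Build from the numeric parts; FileVersion is a free-text string on these builds.
        $srvVersion = New-Object System.Version(
            $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    }

    # Original MS17-010 packages for Win7 SP1 / 2008 R2 (security-only and monthly rollup).
    # Later rollups supersede them, so absence here alone does not mean unpatched.
    $kbs = Get-HotFix -Id 'KB4012212', 'KB4012215' -ErrorAction SilentlyContinue |
           ForEach-Object { $_.HotFixID }

    # SMBv1 server is enabled unless the SMB1 value exists and is 0.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1 = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($null -eq $smb1) -or ($smb1 -ne 0)

    $patched = ($null -ne $srvVersion) -and ($srvVersion -ge $fixedSrvVersion)

    New-Object PSObject -Property @{
        ComputerName   = $env:COMPUTERNAME
        SrvSysVersion  = $srvVersion
        MS17010Patched = $patched
        MS17010KBs     = ($kbs -join ',')
        Smb1Enabled    = $smb1Enabled
        # Exposed to this campaign's EternalBlue chain: SMBv1 reachable and fix absent.
        Exposed        = ($smb1Enabled -and -not $patched)
    }
}

Test-EternalBlueExposure | Format-List
```

An `Exposed = True` row is the case the Sophos quote describes: an unpatched Windows 7 host that a compromised firewall could reach over SMB. Disabling SMBv1 without the patch still leaves the host behind on MS17-010, so treat `MS17010Patched = False` as a finding on its own.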
