Cyber-security firm Sophos has released an emergency security update to fix a zero-day vulnerability that has been exploited by hackers to drop malware on its XG Firewall devices.
The company said the attack on XG Firewall appliances was uncovered on April 22 after a suspicious field value was discovered in a device’s management interface. Further investigation revealed a previously unknown SQL injection vulnerability that led to remote code execution on some of Sophos’ firewall products.
According to the vendor, the coordinated attack conducted by an unknown threat actor targeted “systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone” with an intention to steal sensitive information from the firewall.
“Customers with impacted firewalls should assume the data was compromised. The data exfiltrated for any impacted firewall includes all local usernames and hashed passwords of any local user accounts. For example, this includes local device admins, user portal accounts, and accounts used for remote access. Passwords associated with external authentication systems such as Active Directory (AD) or LDAP were not compromised,” the company said in its initial version of advisory.
In a subsequent report providing technical details about the attack Sophos said that the attacker exploited the SQL injection vulnerability to ins ert a one-line command in to the firewall database. This command caused affected devices to download a Linux shell script named Install.sh from a remote server. The script then executed more SQL commands and dropped more files onto the virtual file system.
“The Install.sh script, initially, ran a number of Postgres SQL commands to modify or zero out the values of certain tables in the database, one of which normally displays the administrative IP address of the device itself. It appears that this was an attempt to conceal the attack, but it backfired: On some appliances, the shell script’s activity resulted in the attacker’s own injected SQL command line being displayed on the user interface of the firewall’s administrative panel. In place of what should have been an address, it showed a line of shell commands,” the vendor explained.
It appears the malware (which Sophos has dubbed Asnarok) used in the attack is capable of retrieving only firewall resident information such as the firewall’s license and serial number, a list of the email addresses of user accounts that were stored on the device, followed by the primary email belonging to the firewall’s administrator account, firewall users’ names, usernames, the encrypted form of the passwords, and the salted SHA256 hash of the administrator account’s password (passwords were not stored in plain text), and a list of the user IDs permitted to use the firewall for SSL VPN and accounts that were permitted to use a “clientless” VPN connection.
The company says customers whose firewalls have not been compromised do not need to take any action. Users who are informed that their firewalls have been targeted in this attack are recommended to take additional measures to remediate the issue, which involve resetting device administrator accounts and rebooting XG devices.