Sophos published a second report about Asnarök attacks on firewalls. One month after hotfixes rolled out, Asnarök attackers twice modified attack midstream. Sophos and its customers have been attacked by an unknown adversary between April 22 and April 26. This attack revealed a previously unknown SQL injection vulnerability that led to remote code execution on some of our firewall products.
The new phase of the attack
Sophos’ internal security teams published a report about this attack. After Sophos issued a hotfix, the attackers panicked and modified their attack routine to replace their original data-stealing payload and deploy ransomware on corporate networks protected by Sophos firewalls. Firewalls that received the hotfix blocked the subsequent attempts to install ransomware.
The hackers were using the zero-day vulnerability to attack the firewall’s built-in PostgreSQL database server and plant malware on the device. The company was named it Asnarök and started to work on hotfixes. Four days after the attack has been discovered, Sophos released hotfixes for XG firewalls.
These hotfixes pushed to all firewalls that had the auto-update option left enabled. The Sophos hotfixes closed off the SQL injection vulnerability to subsequent exploitation, but the company published a second report which says that Asnarök attackers twice modified attack midstream. Sophos said that they have already taken additional steps to intervene that disrupted this phase of the attack.
In the first phase of the attack, attackers inserted a single line of Linux code into a database; the effect being that a shell script named Install.sh was downloaded to, and executed, on the firewall. The new attack has three types:
- EternalBlue: Windows SMB exploits to allow attackers to infect computers on the internal network beyond the firewall.
- DoublePulsar: Windows kernel implant to grant attackers a foothold on computers on the internal network.
- Ragnarok: a crypto-ransomware strain, a less common threat than other ransomware.
Sophos recommends to customers with impacted firewalls to reset passwords and to follow the remediation instructions contained in KBA135412. It is also important to keep machines inside the firewall perimeter up to date.