Sophos blocked attacks exploiting XG Firewall zero-day to deploy Ransomware

Hackers attempted to exploit a zero-day flaw in the Sophos XG firewall to distribute ransomware to Windows machines, but the attack was blocked.

Threat actors attempted to exploit a zero-day (CVE-2020-12271) in the Sophos XG firewall to spread ransomware to Windows machines, the good news is that the attack was blocked by a hotfix issued by Sophos.

At the end of April, cybersecurity firm Sophos has released an emergency patch to address an SQL injection zero-day vulnerability affecting its XG Firewall product that has been exploited in the wild.

Sophos was informed of the attacks exploiting the zero-day issue by one of its customers on April 22. The customer noticed “a suspicious field value visible in the management interface.”

Sophos investigated the incident and determined that hackers were targeting systems configured with either the administration (HTTPS service) or the User Portal exposed on the WAN zone.

The attackers exploited an SQL injection zero-day vulnerability to gain access to exposed XG devices.

“The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices.” reads the advisory published by Sophos.

“It was designed to download payloads intended to exfiltrate XG Firewall-resident data. The data for any specific firewall depends upon the specific configuration and may include usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access.” “Passwords associated with external authentication systems such as AD or LDAP are unaffected. At this time, there is no indication that the attack accessed anything on the local networks behind any impacted XG Firewall.”

The hackers exploited the SQL injection flaw to download malicious code on the device that was designed to steal files from the XG Firewall.

Hackers exploited the issue to install the Asnarök Trojan that allowed the attackers to steal files from the XG Firewall and use the stolen info to compromise the network remotely.

The Trojan could be used to steal sensitive data including usernames and hashed passwords for the firewall device admin, and user accounts used for remote access. Login credentials associated with external authentication systems (i.e. AD, LDAP) are not impacted by the flaw.

According to a report published by Sophos at the end of April, the malware employed in the attack is able to retrieve firewall resident information, including:

• The firewall’s license and serial number
• A list of the email addresses of user accounts that were stored on the device, followed by the primary email belonging to the firewall’s administrator account
• Firewall users’ names, usernames, the encrypted form of the passwords, and the salted SHA256 hash of the administrator account’s password. Passwords were not stored in plain text.
• A list of the user IDs permitted to use the firewall for SSL VPN and accounts that were permitted to use a “clientless” VPN connection.

Below the attack scenario described by Sophos:

Sophos pushed a hotfix to the firewalls after the discovery of the attacks.

This hotfix eliminated the SQL injection vulnerability, stopped the XG Firewall from accessing any infrastructure under the control of the attacks, and cleaned up any remnants from the attack.

Sophos’s update also added a special box in the XG Firewall control panel to allow users to determine if their device has been compromised.

In the new wave of attacks, hackers exploited the issue to distribute the Ragnarok Ransomware.

“Since we published our first report, the attackers first modified their attack to attempt to use what we previously described as the “backup channel.” This was a Linux shell script that served as a dead man switch—a portion of the attack intended to trigger only under certain circumstances; in this case, if a specific file the attackers created during the attack gets deleted.” continues the report.

To deploy the Ragnarok ransomware, attackers attempted to leverage the EternalBlue and DoublePulsar exploits.

“Ragnarok is a less common threat than other ransomware, and it appears that this threat actor’s modus operandi – and the tooling they employ to deliver this ransomware—is quite different from those of many other threat actors. It was a rare and notable event to observe a Linux ELF application being used to try to spread malware across platforms to Windows computers.” concludes the report.

“This incident highlights the necessity of keeping machines inside the firewall perimeter up to date, and serves as a reminder that any IOT device could be abused as a foothold to reach Windows machines.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Sophos XG firewall, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]