Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

4/27/2020
05:25 PM
100%
0%

Attackers Target Sophos Firewalls with Zero-Day

Remote exploit compromises specific configurations of XG firewalls with the intent of stealing data from the devices.

Security firm Sophos acknowledged "a coordinated attack by an unknown adversary" that compromised the company's XG firewall products using a previously unknown SQL injection vulnerability, according to an advisory published on April 27.

The attack, which took place five days earlier, targeted "multiple customers" whose firewalls had been configured with the administrative or user portal exposed to the Internet, and which had a firewall service, such as an SSL VPN, exposed to the Internet on the same port. While these settings are not the default configuration, companies struggling with remote workers may have been more likely to configure their firewall to allow remote administration and could have placed services on the same interface as the administrative portal.

The attack began midday on April 22, and by early morning of the following day, Sophos had determined that multiple customers' firewalls had been compromised by the exploit, resulting in its response escalating to a "major incident process," the company stated in its advisory.

"Sophos immediately began an investigation that included retrieving and analyzing the artifacts associated with the attack," a Sophos spokesperson said in an e-mail interview with Dark Reading. "After determining the components and impact of the attack, Sophos deployed a hotfix to all supported versions."

Because of the hotfix, companies can look for alerts on their firewall's Control Center dashboard to determine if their appliance had been targeted, Sophos said in its advisory.

In a separate analysis, Sophos revealed the results of its investigation. Once a firewall had been compromised, the attackers ran a series of shell scripts to install executable files designed to run on the firewall's operating system, starting with a shell script install.sh. The script attempted to install two other programs, one of which was designed to make the attack persistence. The script also attempted to conceal its activities, but — because of poor design — actually made it more noticeable, Sophos said.

"This attack targeted Sophos products and apparently was intended to steal sensitive information from the firewall," the company said.

The malware appeared to be focused on data exfiltration. While the attack had capabilities to exfiltrate data from infected firewall appliances, Sophos had "not discovered any evidence that the data collected had been successfully exfiltrated," the company said in its analysis. The scripts focused on copying the contents of specific database tables from the firewall and then appended the collected information to a file on the firewall.

The attack appeared quite sophisticated, but a Sophos spokesperson said "it is too early to tell who is behind the attack," while the company continues to investigate.

Sophos is not the first security company to suffer a targeted attack against its products. In May 2019, a group of hackers claimed to have stolen source code from Trend Micro, McAfee and Symantec. Only Trend Micro confirmed the breach, while Symantec denied that the company had suffered a compromise.

In 2017, attackers compromised the development systems of Piriform — recently purchased by security firm Avast — and installed a malicious backdoor into the code of its system utility, CCleaner. The group behind the attack appeared to be a Chinese government-linked APT group, according to analysis.

In the latest attack on a security firm, Sophos stated that it is not aware of any subsequent attempts to use the beachhead in customers' firewalls to extend access to customers' systems. The malware installed by the attackers is designed to collect public IP addresses and the firewall's license key, as well as get SQL user account information, a hash of the administrator's password, and information on policies. The software will compress the data and send it back to the attacker over an encrypted connection.

The company urged its customers to harden their firewall configurations and not expose the administrative interface or user portal to the Internet.

"Although we have remediated this vulnerability, it is always a good idea to reduce attack surface wherever possible by disabling HTTPS Admin Services and User Portal access on the WAN interface," the company states in its advisory.

Related Content

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "5 Ways to Prove Security's Worth in the Age of COVID-19."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
blueboxschematic
50%
50%
blueboxschematic,
User Rank: Apprentice
4/28/2020 | 12:41:28 PM
The Sophos Breakdown of Asnarok
Sophos breaks the attack down with great detail: news.sophos.com/en-us/2020/04/26/asnarok/

The good news is you can reference the list of URLs used in the attack and immediately guard against access to these sites, at least. While updated versions of the trojan may point to other domains, it's a start. Additionally they provide a comprehensive file list that can be used for system scans of malicious files.

Because this SQL injection attack will have been patched against already in a hotfix, the biggest issue currently is the Sophos user base that does not have automatic updates enabled. Opening themselves up to the Asnarok attackers will not only provide access to data for as long as their Sophos installs remain unpatched, they offer a testbed for modifications to the code that could allow bypassing any changes made in the hotfix.

 

 

 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/14/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14499
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper access control vulnerability. Successful exploitation of this vulnerability may allow an attacker to obtain all user accounts credentials.
CVE-2020-14501
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper authentication for critical function (CWE-306) issue. Successful exploitation of this vulnerability may allow an attacker to obtain the information of the user table, including the administrator credentials in plain text. An attacker may also ...
CVE-2020-14503
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper input validation vulnerability. Successful exploitation of this vulnerability could allow an attacker to remotely execute arbitrary code.
CVE-2020-14497
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, contains multiple SQL injection vulnerabilities that are vulnerable to the use of an attacker-controlled string in the construction of SQL queries. An attacker could extract user credentials, read or modify information, and remotely execute code.
CVE-2020-14505
PUBLISHED: 2020-07-15
Advantech iView, versions 5.6 and prior, has an improper neutralization of special elements used in a command (“command injection�) vulnerability. Successful exploitation of this vulnerability may allow an attacker to send a HTTP GET or POST request that create...