Hackers Mount Zero-Day Attacks on Sophos Firewalls
By Tara Seals
A pre-auth SQL injection bug leading to remote code execution is at the heart of a data-stealing campaign against XG firewalls, using the Asnarok trojan.
Attackers have been targeting the Sophos XG Firewall (both physical and virtual versions) using a zero-day exploit, according to the security firm – with the ultimate goal of dropping the Asnarok malware on vulnerable appliances.
Sophos said in a posting updated on Monday that the bug in question is a pre-authentication SQL injection vulnerability (a CVE is forthcoming) that leads to remote code execution (RCE). It affects systems configured with either the administration interface (called the “HTTPS admin service”) or the user portal exposed to the WAN zone.
“In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or user portal were also affected,” the firm explained. “For reference, the default configuration of XG Firewall is that all services operate on unique ports.”
If hackers were able to access an exposed XG device, the Asnarok trojan was then installed, which is designed to exfiltrate data housed on the XG firewall itself. Sophos said that the sample is an ELF binary executable malware that has been specifically compiled for a firewall operating system.
“The data exfiltrated for any impacted firewall includes all local usernames and hashed passwords of any local user accounts,” Sophos noted. “For example, this includes local device admins, user portal accounts and accounts used for remote access. Passwords associated with external authentication systems such as Active Directory (AD) or LDAP were not compromised.”
Sophos issued a hotfix this week for the issue.
Initial Compromise: A Chain of Linux Scripts
The attack consists of a chain of Linux shell scripts, the firm said, hosted on an innocuous-sounding yet malicious domain, sophosfirewallupdate[.]com.
“There was significant orchestration involved in the execution of the attack,” according to Sophos.
The kill chain begins with the SQL injection exploit, which allows the attackers to insert a one-line command into a database table on a targeted device, according to a Sunday technical analysis from Sophos. That injected command triggers a download of the first Linux shell script, named Install.sh, from the remote server.
This shell script is written to the appliance as “x.sh” and is also placed in the /tmp directory. This turns out to be an installer script that goes on to drop two completely new shell scripts, and it also modifies an existing operating-system script in a bid for persistence.
The first of the new shell scripts, named .lp.sh and installed by x.sh, connects to the sophosfirewallupdate site to download a Linux ELF executable file named lp. The lp file is also written to /tmp, with a filename of b.
“The b program, when run, deletes itself from the filesystem of the device, so it is only present in memory,” Sophos explained. “Then, it repeats a series of tasks every three to six hours.”
The first of these tasks is to connect to the IP address 18.104.22.168. If that fails, it tries the malicious domain sophosproductupdate[.]com. If the connection succeeds, it then downloads another Linux ELF executable called Sophos.dat.
The second of the dropped shell scripts is written to the /tmp directory with a filename of .pg.sh. It goes on to download a second, different ELF executable, which is called bk on the webserver and is written to the filesystem with the name .post_MI.
The initial Install.sh script also runs a number of Postgres SQL commands to modify or zero out the values of certain tables in the database, Sophos noted. One of these commands modifies a specific service value entry so that .post_MI executes whenever that service executes.
“The Install.sh script…modified at least one shell script that is part of the firewall’s operating system to add a set of commands to the end of the script,” according to the writeup. “This last script, in particular, is relevant because the malware modified services to ensure it ran every time the firewall booted up; it served as a roundabout persistence mechanism for the malware.”
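A host-side check for two traits of the chain described above, the script names dropped in /tmp and a program that unlinks its own executable while it keeps running, is sketched below. It is an added example, not code from Sophos or from the article; the function names and the fixture are assumptions, and it relies only on standard Linux /proc behaviour.

```python
import os
import tempfile

# File names the article says the installer chain writes to /tmp.
TMP_DROPS = {"x.sh", ".lp.sh", ".pg.sh", "b"}
DELETED = " (deleted)"

def deleted_exe_processes(proc_root="/proc"):
    """Return [(pid, original_path)] for processes whose executable was unlinked.

    A hit is a lead, not a verdict: a package upgrade that replaces a running
    binary produces the same state until the service restarts.
    """
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # skip /proc/self, /proc/net and similar
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or no permission
        if target.endswith(DELETED):
            hits.append((int(entry), target[: -len(DELETED)]))
    return sorted(hits)

def tmp_drops_present(tmp_dir="/tmp"):
    """Return the dropped-script names from the article that exist in tmp_dir."""
    try:
        return sorted(TMP_DROPS & set(os.listdir(tmp_dir)))
    except OSError:
        return []

def build_constructed_fixture():
    """Constructed sample: a fake /proc with one self-deleted process, and a fake /tmp."""
    root = tempfile.mkdtemp()
    proc, tmp = os.path.join(root, "proc"), os.path.join(root, "tmp")
    for pid, exe in (("101", "/usr/sbin/sshd"), ("202", "/tmp/b" + DELETED)):
        os.makedirs(os.path.join(proc, pid))
        os.symlink(exe, os.path.join(proc, pid, "exe"))
    os.makedirs(os.path.join(proc, "self"))
    os.makedirs(tmp)
    for name in ("x.sh", ".pg.sh", "notes.txt"):
        open(os.path.join(tmp, name), "w").close()
    return proc, tmp

if __name__ == "__main__":
    proc, tmp = build_constructed_fixture()
    print("deleted-exe processes:", deleted_exe_processes(proc))
    print("dropped names in tmp:", tmp_drops_present(tmp))
```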
Asnarok Trojan: Stealing XG Firewall Data
The file called Sophos.dat, saved to the filesystem as 2own, is actually the ultimate payload in the kill chain – the Asnarok trojan, first detailed in the Sophos analysis this weekend.
“This malware’s primary task appeared to be data theft, which it could perform by retrieving the contents of various database tables stored in the firewall, as well as by running some operating system commands,” according to Sophos research.
Asnarok first retrieves the public-facing IP address where the firewall was installed, using public search engines like “ifconfig.me” and “checkip.dyndns.org.” Next, it retrieves information about the firewall and its users from different storage areas on the firewall.
Sophos said that this data includes: The firewall’s license and serial number; a list of the email addresses of user accounts that were stored on the device; the primary email belonging to the firewall’s administrator account; firewall users’ names, usernames, encrypted passwords and the salted SHA256 hash of the administrator account’s password; a list of the user IDs permitted to use the firewall for SSL VPN; and a list of accounts permitted to use a “clientless” VPN connection.
The malware also gathered data on the appliance itself: The version of the operating system; the type of CPU and amount of memory present on the device; how long it has been operational since the last reboot (the ‘uptime’); and the output of the “ifconfig” and “ARP” tables, Sophos said.
The data is collected into a temporary file on the firewall with the name Info.xg, compressed, encrypted with OpenSSL and then earmarked for upload to the IP address 22.214.171.124. In a final step, Asnarok deletes the files that it temporarily created while it collected the information.
The firm said that it hasn’t seen evidence that the collected data was successfully exfiltrated from victimized systems. Threatpost has reached out for more information on the number of targeted systems and any other information about the scope of the attack.
Users that don’t have automatic updates enabled on their firewalls can enable them in order to receive the hotfix. Sophos meanwhile said that it has blocked the domains and IP addresses associated with the campaign.
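For teams that want to check their own DNS or proxy logs rather than rely on the vendor's blocking alone, the following is an added example (not from Sophos or the article) that sweeps log lines for the domains and IP addresses named above. The log format and sample lines are constructed, and the function names are assumptions.

```python
import re

# Network indicators exactly as printed in the article (domains defanged there).
DOMAINS = ["sophosfirewallupdate[.]com", "sophosproductupdate[.]com"]
IPS = ["18.104.22.168", "22.214.171.124"]

def refang(text):
    """Undo '[.]' defanging and lowercase so matching is case-insensitive."""
    return text.replace("[.]", ".").lower()

def build_matcher():
    hosts = "|".join(re.escape(refang(d)) for d in DOMAINS)
    ips = "|".join(re.escape(ip) for ip in IPS)
    # Match the domain or any subdomain of it, but not a longer lookalike
    # label (notsophos...com) or a longer suffix (...com.example.org).
    # An IP must not be a fragment of a longer dotted number.
    return re.compile(
        rf"(?<![\w-])(?:[\w-]+\.)*(?:{hosts})(?![\w-]|\.[a-z0-9])"
        rf"|(?<![\d.])(?:{ips})(?!\d|\.\d)"
    )

def sweep(lines):
    """Return [(line_number, matched_indicator)] for every hit, 1-indexed."""
    matcher = build_matcher()
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in matcher.finditer(refang(line)):
            hits.append((number, match.group(0)))
    return hits

# Constructed sample log lines (not taken from any real device).
SAMPLE_LOG = [
    "2020-04-25T03:12:09Z dns query=sophosfirewallupdate.com src=10.0.0.1",
    "2020-04-25T03:12:10Z dns query=updates.example.org src=10.0.0.1",
    "2020-04-25T03:12:11Z http dst=22.214.171.124 port=443 src=10.0.0.1",
    "2020-04-25T03:12:12Z dns query=notsophosproductupdate.com src=10.0.0.7",
    "2020-04-25T03:12:13Z dns query=cdn.SophosProductUpdate.com. src=10.0.0.1",
    "2020-04-25T03:12:14Z http dst=122.214.171.124 port=80 src=10.0.0.9",
]

if __name__ == "__main__":
    for number, indicator in sweep(SAMPLE_LOG):
        print(f"line {number}: {indicator}")
```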