A previously unknown SQL injection vulnerability in the Sophos XG Firewall gave hackers access to customers’ local usernames and hashed passwords for several days.
The Abingdon, U.K.-based platform security vendor said it learned late Wednesday of an attack against its physical and virtual XG Firewall units when a suspicious field value was discovered inside the device’s management interface. The attack affected multiple customers, and was aimed at systems with either the administrative service or the user portal exposed to the internet, according to Sophos.
“The attack used a previously unknown pre-auth SQL injection vulnerability to gain access to exposed XG devices,” Sophos wrote in an advisory updated today. “It was designed to exfiltrate XG Firewall-resident data.”
The exposed data included usernames and hashed passwords for local device administrators, user portal accounts, and accounts used for remote access, the company said. The malware could have also gained access to the firewall’s license and serial number, a list of the email addresses that were stored on the device, and a list of the user IDs permitted to use the firewall, according to a blog post Sunday.
Sophos has named the zero-day malware used in the attack Asnarok, and said the coordinated attack was carried out by an unknown adversary. The company said it has not discovered any evidence that data had been successfully exfiltrated.
The execution of the attack required significant orchestration, relying on a chain of Linux shell scripts that eventually downloaded malware compiled for a firewall operating system, according to the company. The attack targeted Sophos products and was apparently intended to steal sensitive information from the firewall, the company said.
The company said it began an investigation immediately after the attack that included retrieving and analyzing artifacts. After determining the components and impact of the attack, Sophos on Saturday deployed a hotfix that patched the SQL injection vulnerability.
The hotfix prevented further exploitation, stopped the XG Firewall from accessing any attacker infrastructure, and cleaned up any remnants from the attack, according to Sophos. The hotfix includes a message on the XG management interface to indicate whether or not a specific XG Firewall was affected by this attack, Sophos said.
Customers with uncompromised XG Firewall devices do not need to take any additional steps, according to Sophos. Clients with compromised XG Firewall devices that received the hotfix should reset passwords for all local user accounts as well as any accounts where the XG credentials might have been reused, Sophos said.
By exploiting the SQL injection vulnerability, Sophos said the attacker could insert a one-line command into the firewall database. This command caused affected devices to download a Linux shell script named Install.sh from a remote server, according to the company’s blog post Sunday.
The script ran a series of SQL commands and dropped additional files into the virtual file system to lay the groundwork for the rest of the attack. Other scripts present in the malware provided persistence by starting the malware at every reboot, and made a backup copy of the original script before modifying the original script to append code to the file.
“The Install.sh script, initially, ran a number of Postgres SQL commands to modify or zero out the values of certain tables in the database,” Sophos said. “It appears that this was an attempt to conceal the attack, but it backfired: On some appliances, the shell script’s activity resulted in the attacker’s own injected SQL command line being displayed on the user interface of the firewall’s administrative panel.”