Attackers tried two methods to exploit a zero-day vulnerability in Sophos’ XG firewall, but Sophos says a temporary patch it released mitigated the risks.
The attackers initially tried to plant a Trojan in networks by exploiting the zero-day vulnerability, but then switched to ransomware, Sophos said.
Sophos noted in a Thursday update that XG firewalls that had received a hotfix could block the attacks, including the ransomware, which the company identified as Ragnarok. This crypto-locking malware was first discovered in January, when security firm FireEye published a study about it, noting that its operators at the time were attempting to take advantage of vulnerabilities in Citrix’s ADC and Gateway servers.
“Ragnarok is a less popular threat than other ransomware, and it seems that the modus operandi of this threat actor, and the tooling they use to deliver this ransomware, is somewhat different from that of many other threat actors,” says Sophos.
Sophos observed the first wave of such attacks between April 22 and 26, when the hackers tried to take advantage of a zero-day weakness in XG firewall products using SQL injection.
That vulnerability, tracked as CVE-2020-12271, allowed attackers to target the firewall’s built-in PostgreSQL database server. According to Sophos, the injection let the hackers insert a single line of Linux code into the database, which they then used to plant malware inside compromised networks.
The attackers tried to plant a Trojan called Asnarök, which helps threat actors steal usernames and hashed passwords, says Sophos.
Once Sophos researchers detected the April attacks, the company rushed out a temporary patch to its customers to prevent the hackers from taking advantage of the vulnerability. The company also recommended that customers reboot their firewalls and change administrative settings and passwords.
According to Thursday’s update, after Sophos warned customers about the April security incident, the hackers switched tactics.
During the initial attacks in April, the hackers had left behind what Sophos calls a “backup channel” and other malicious files, which would allow them to re-enter a network if they were detected and blocked.
“It would have happened if the Sophos hotfixes had rebooted or power-cycled a firewall which had not been remediated,” Sophos states. “If the file was deleted, the new use of the backup channel was intended at an indeterminate time in the future to initiate a ransomware attack.”
Once the hotfix blocked the first attack on the firewall, the hackers tried to exploit the EternalBlue vulnerability in older versions of Microsoft Windows, together with the DoublePulsar backdoor, to re-enter networks and plant the Ragnarok ransomware, according to the update.
According to Sophos, the hotfix stopped the hackers from executing this newer attack because it disabled the malicious data. However, organizations whose XG firewalls had auto-update turned off may have been infected; in those cases the patch has to be applied manually.
Sophos cautioned that attackers target network edge devices, such as firewalls, as a stepping stone to endpoints that contain more valuable data.
“This incident illustrates the need to keep devices up to date within the boundaries of the firewall, and acts as a warning that any [Internet of Things] system may be misused as a foothold for accessing Windows machines,” Sophos says.