Users of a widely used Sophos firewall were subjected to a zero-day attack aimed at stealing user names, cryptographically protected passwords and other confidential data, officials from the security company said on Sunday.
The well-researched and carefully developed attack exploited an SQL injection vulnerability in fully patched versions of the Sophos XG firewall. Once that foothold was gained, a series of scripts was downloaded and installed, which ultimately ran code designed to exfiltrate user names, the cryptographically hashed form of their passwords, and the salted SHA256 hash of the administrator account's password. Sophos has released a hotfix that mitigates the vulnerability.
Other data targeted by the attack included: a list of IP address allocation permissions for firewall users; the version of the custom operating system that is running; the type of CPU; the amount of memory available on the device; how long the device had been up since its last restart; the output of ifconfig, a command line tool for network interface configuration; and ARP tables, which map IP addresses to hardware (MAC) addresses on the local network.
"The primary task of this malware appeared to be data theft, which it could perform by retrieving the contents of various database tables stored in the firewall, as well as by running some operating system commands," Sophos researchers wrote in the Sunday post. "At each step, the malware collected information and then concatenated it to a file it stored temporarily on the firewall with the name Info.xg."
The exploits also downloaded malware from domains that were chosen to look legitimate. To avoid detection, some of the malware deleted the files it had been launched from and ran only in memory. The malicious code also used a creative and convoluted mechanism to ensure that it ran again every time the firewall was restarted. These characteristics strongly suggest that the threat actors spent weeks or months laying the groundwork for the attacks.
The attack suggests that the attackers had intimate knowledge of the firewall that could only have come from access to the software itself, access that would likely have required a license. From there, the attackers reverse engineered the firewall to find the flaw that made it possible to download and install malware, using file and process names that closely resembled those of legitimate files and processes.
The data the malware was built to collect suggests the attack was intended to enable follow-on phishing attacks and unauthorized access to user accounts, in order to penetrate further into the organizations that used the firewall, possibly by targeting the firewalls themselves or end users. The Sophos post said there was no evidence that the data exfiltration succeeded, but it did not rule out the possibility either.
The zero-day vulnerability that enabled the attacks was a pre-authentication SQL injection bug in the firewall's custom operating system. Sophos has not provided further details about the vulnerability. SQL injection takes advantage of code that builds database queries by splicing in attacker-controlled strings, for example values entered into a form on a vulnerable web interface, without separating that data from the query's own commands. The underlying defect is a failure to sanitize or parameterize the input, so characters such as quotes and keywords supplied by the attacker are interpreted as part of the query. Pre-authentication means the attacker did not have to supply any credentials before reaching the vulnerable code path.
Users of vulnerable firewalls should install the hotfix as soon as possible and then examine their systems for the indicators of compromise published in the Sophos post.
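To make the mechanism concrete, here is a generic illustration of a pre-authentication SQL injection and its fix. This is added example code, not Sophos' firewall code (Sophos has not published the vulnerable query), and the `users` and `net_config` tables, the sample rows, the `lookup_vulnerable` and `lookup_fixed` functions and the two payload strings are all assumptions constructed for the example. It shows why an unauthenticated lookup that concatenates its input lets an attacker read every user's salt and password hash, and pull rows from an unrelated table, while the parameterized version returns nothing for the same payloads.

```python
import hashlib
import os
import sqlite3

# Constructed sample data for this example only; not real credentials.
SAMPLE_USERS = [("admin", "correct horse", 1), ("alice", "hunter2", 0)]


def build_db():
    """Build an in-memory database with two hypothetical tables.

    'users' stores salted SHA-256 password hashes, the kind of data the
    article says the attackers were after; 'net_config' is an unrelated
    table that the injection will also reach.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (name TEXT, salt TEXT, pw_hash TEXT, is_admin INTEGER)"
    )
    conn.execute("CREATE TABLE net_config (setting TEXT, val TEXT)")
    conn.execute("INSERT INTO net_config VALUES ('wan_ip', '203.0.113.7')")
    for name, password, is_admin in SAMPLE_USERS:
        salt = os.urandom(8).hex()
        pw_hash = hashlib.sha256((salt + password).encode()).hexdigest()
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?, ?)", (name, salt, pw_hash, is_admin)
        )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Pre-authentication lookup that splices the request string into SQL.

    Nothing separates `username` from the query text, so a quote inside it
    ends the string literal and whatever follows runs as SQL.
    """
    query = f"SELECT name, salt, pw_hash FROM users WHERE name = '{username}'"
    return conn.execute(query).fetchall()


def lookup_fixed(conn, username):
    """Same lookup with a parameterized query.

    The driver binds `username` as data, so quotes and keywords inside it
    never become part of the statement.
    """
    return conn.execute(
        "SELECT name, salt, pw_hash FROM users WHERE name = ?", (username,)
    ).fetchall()


# Constructed payloads, chosen to match the vulnerable query's quoting.
TAUTOLOGY = "nobody' OR '1'='1"
UNION_DUMP = "nobody' UNION SELECT setting, val, '' FROM net_config WHERE '1'='1"


def demo():
    """Run both lookups against both payloads and a legitimate name."""
    conn = build_db()
    return {
        # tautology turns the WHERE clause true for every row: both users' hashes leak
        "vuln_tautology": len(lookup_vulnerable(conn, TAUTOLOGY)),
        # UNION pulls a row from a table the original query never mentioned
        "vuln_union": lookup_vulnerable(conn, UNION_DUMP),
        # the parameterized query looks for a user literally named like the payload
        "fixed_tautology": len(lookup_fixed(conn, TAUTOLOGY)),
        "fixed_union": len(lookup_fixed(conn, UNION_DUMP)),
        # and still works for a real user
        "fixed_legit": len(lookup_fixed(conn, "alice")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The UNION payload is the part worth dwelling on: it is why a single injectable query lets an attacker "retrieve the contents of various database tables", as the Sophos quote puts it, rather than only the table the vulnerable code happened to query. Blocklisting keywords is not a fix; binding parameters (or an equivalent prepared-statement API) is.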