
Threat Actors Are Exploiting a Sophos Firewall Zero-Day Vulnerability

The cybersecurity company Sophos published an emergency update last week, patching a zero-day vulnerability in its XG Firewall product that was being targeted by hackers. Sophos said it learned of the vulnerability on April 22, after receiving a report from one of its customers. The customer had spotted a suspicious value in the firewall's management interface. Sophos investigated the report on the assumption that it was an attack rather than an error in the software.

Hackers abused an SQL injection bug.

The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices, according to Sophos. The hackers targeted Sophos XG Firewall devices that had their HTTPS administration service or their User Portal control panel exposed to the internet. The company said the attackers used the injection vulnerability to download a payload onto the targeted devices. That payload was then used to steal files from the XG Firewall.
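The page does not describe the injectable query itself, so the following is an added illustration of the vulnerability class in general, not Sophos's code or the actual flaw: a credential lookup written with string formatting, beside the parameterised version that closes the hole. The table, usernames and hashes are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for a firewall's local admin accounts.
# Names and hashes are made up for this example; they are not real IoCs.
SAMPLE_USERS = [
    ("admin", "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"),
    ("portaladmin", "ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Defective pattern: untrusted input is spliced into the SQL text.

    A username value that closes the quote and appends its own condition
    changes the query's structure, so one request can return every row,
    i.e. all stored credential hashes, not just the caller's own account.
    """
    query = "SELECT username, pw_hash FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def lookup_hardened(conn, username):
    """Fixed pattern: a bound parameter.

    The driver sends the value separately from the statement, so whatever
    the input contains it is compared as data and can never alter the query.
    """
    return conn.execute(
        "SELECT username, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchall()


def rows_returned(lookup, username):
    """Helper for comparing the two implementations on the same input."""
    conn = build_db()
    try:
        return len(lookup(conn, username))
    finally:
        conn.close()


if __name__ == "__main__":
    # The textbook tautology "' OR '1'='1" is enough to show the difference.
    probe = "nobody' OR '1'='1"
    print("vulnerable:", rows_returned(lookup_vulnerable, probe), "rows")
    print("hardened:  ", rows_returned(lookup_hardened, probe), "rows")
```

The hardened lookup returns nothing for the malformed username, while the vulnerable one hands back the whole table; on a device whose admin portal is reachable from the internet, that is exactly the kind of unauthenticated data exposure the article describes. Parameterising every query is the fix; exposing the management interface only on trusted networks limits who can reach it in the first place.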

The stolen data may have included usernames and hashed passwords for the firewall device admin and firewall portal admins, as well as user accounts used for remote access. The data also included the firewall's serial number and license, and user email addresses. Sophos said that passwords for customer authentication systems such as LDAP and AD were not stolen.

The company said that during its investigation it found no evidence that any of the stolen passwords could be used to access XG Firewall devices or anything behind the firewall on internal networks. Sophos's researchers named the malware used in the attack Asnarok.

A patch was released to customer devices.

The company said it prepared and released an automatic update that patches all XG Firewalls with the auto-update feature turned on. The hotfix removes the SQL injection vulnerability, preventing further exploitation, stops the XG Firewall from reaching the attackers' infrastructure, and cleans up remnants of the attack. The security update also added a box to the XG Firewall control panel that tells device owners whether their device was compromised.

Companies whose devices were hacked were advised to take a few steps, specifically the following:

  • Reset portal administrator and device administrator accounts
  • Reboot the XG device or devices
  • Reset passwords on all local user accounts
  • Even though the passwords were hashed, reset any accounts where XG credentials may have been reused in some way

Sophos also recommended that companies disable the firewall administration interfaces on any internet-facing ports unless they are still needed.