Customized malware “Asnarök” targets firewalls

Summary

An SQL injection vulnerability in some Sophos firewall products allowed remote code execution and was used in a coordinated attack on Sophos and its customers.
  • A pre-authentication SQL injection vulnerability in some Sophos XG Firewall products allowed remote code execution and was used to orchestrate a coordinated attack on Sophos and its customers.
  • The attack used a chain of Linux shell scripts that downloaded ELF binary malware; it was reportedly carried out to steal sensitive information from the firewall.
  • The binary was capable of stealing:
    • The firewall's license and serial number
    • Email addresses of user accounts stored on the device, and the primary email address of the firewall administrator
    • Firewall users' names and usernames, the encrypted form of their passwords, and the salted SHA256 hash of the admin account's password (passwords were not stored in plaintext)
    • User IDs permitted to use the firewall for SSL VPN, and accounts permitted to use a "clientless" VPN connection
  • After fixing the vulnerability, Sophos published a detailed analysis of the attack and the malware.
Figure: Firewall attack stages
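The summary notes that the malware exfiltrated the salted SHA256 hash of the admin password rather than the password itself. The following is an added example, not code from Sophos's analysis, showing why that still matters: a plain salted SHA-256 digest has no work factor, so an attacker who holds the salt and digest can test candidates offline at raw hashing speed, which is why exposed credentials must be rotated after such an incident. The hash construction (salt || password), the salt, the password and the wordlist are all constructed for illustration and are not Sophos's actual scheme or data.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

# Assumption for illustration only: digest = SHA-256(salt || password), hex-encoded.
# This is NOT a statement about how Sophos firewalls store admin credentials.
def salted_sha256(salt: bytes, password: str) -> str:
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def crack(salt: bytes, digest_hex: str, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline dictionary attack against a stolen (salt, digest) pair.

    Each candidate costs one SHA-256 call; there is no iteration count or
    memory-hard step to slow the attacker down. Returns the recovered password
    (or None) and the number of candidates tested.
    """
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        if hmac.compare_digest(salted_sha256(salt, candidate), digest_hex):
            return candidate, attempts
    return None, attempts


def slow_hash(salt: bytes, password: str, iterations: int = 600_000) -> str:
    """Contrast: a password-hashing KDF (PBKDF2-HMAC-SHA256 here) imposes a per-guess
    cost that multiplies the attacker's work by the iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


# Constructed "exfiltrated" record: a 16-byte salt and the digest of a weak password.
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_PASSWORD = "Firewall2020!"
SAMPLE_DIGEST = salted_sha256(SAMPLE_SALT, SAMPLE_PASSWORD)

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "admin", "Sophos123", "Firewall2020!", "letmein"]


def demo() -> Tuple[Optional[str], int]:
    """Recover the constructed admin password from the stolen salt and digest."""
    return crack(SAMPLE_SALT, SAMPLE_DIGEST, WORDLIST)


if __name__ == "__main__":
    recovered, tried = demo()
    print(f"recovered={recovered!r} after {tried} guesses")
```

The recovered value is returned rather than only printed so it can be checked; the same wordlist run against `slow_hash` output would need the full PBKDF2 iteration count per guess, which is the point of using a KDF instead of a bare salted hash.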
