Hackers tried two methods of exploiting a zero-day vulnerability in Sophos’ XG firewall, but Sophos says a temporary fix it issued mitigated the risk.
Attackers originally attempted to plant a Trojan in networks by exploiting the zero-day vulnerability, but then switched to ransomware.
The XG firewalls that received a hotfix were able to block the attacks, including the ransomware, which the company identified as Ragnarok.
This crypto-locking malware was first noticed in January, when security firm FireEye published a report on it, noting that its operators were trying to take advantage of flaws in Citrix’s ADC and Gateway servers at the time.
Sophos detected the first wave of these attacks in April when the hackers were attempting to take advantage of a zero-day SQL injection vulnerability in the XG firewall products.
The flaw, tracked as CVE-2020-12271, allowed the attackers to target the firewall’s built-in PostgreSQL database server and then inject a single line of Linux code into the database, which enabled them to plant malware within vulnerable networks.
The attackers attempted to plant a Trojan called Asnarök, which enables threat actors to steal usernames and hashed passwords.
When Sophos analysts noticed the attacks unfolding, the company rushed out a temporary fix to its customers.
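The attack described above hinged on a SQL injection flaw in the firewall’s database layer. The snippet below is an added, generic illustration of that class of bug and its standard fix; it is not code from the article, from Sophos, or from the actual CVE-2020-12271 code path. It uses an in-memory SQLite table as a stand-in for any SQL database (the table, rows and inputs are constructed for the example) and contrasts a lookup that splices untrusted input into the query text with one that binds it as a parameter, plus an allowlist check as a second layer.

```python
import re
import sqlite3

# Constructed stand-in for a device's internal user table (illustrative only,
# not Sophos' schema). An in-memory SQLite database keeps the example offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "hash-of-admin"), ("alice", "hash-of-alice")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable pattern: the caller-controlled string becomes part of the SQL
    # text itself, so a quote in the input ends the literal and the remainder
    # is parsed as SQL.
    query = f"SELECT name FROM users WHERE name = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, username):
    # Hardened pattern: parameter binding sends the value separately from the
    # statement, so the database never interprets it as SQL.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (username,))
    return [row[0] for row in rows]


# Defence in depth: reject inputs that do not match the expected shape before
# they reach any query at all. The pattern is an assumption for this example.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def is_valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    conn = make_db()
    hostile = "nobody' OR '1'='1"          # constructed quote-breaking input
    print("vulnerable:", lookup_vulnerable(conn, hostile))
    print("safe:", lookup_safe(conn, hostile))
    print("allowlist accepts hostile input:", is_valid_username(hostile))
```

With the hostile input, the vulnerable lookup returns every row because the injected condition is always true, while the parameterized lookup returns nothing and the allowlist check rejects the input outright. Parameter binding is the fix; the allowlist is a cheap extra guard that also makes injection attempts stand out in logs.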
The hackers then attempted to switch tactics.
During the initial attacks in April, the hackers left behind what Sophos calls a “backup channel” and other malicious files that would allow the attackers to re-enter a network if they had been detected and blocked.
When Sophos blocked the first firewall attack with a hotfix, the hackers attempted to use the EternalBlue exploit against older versions of Microsoft Windows, together with the DoublePulsar backdoor malware, to re-enter networks and plant the Ragnarok ransomware.
The hotfix prevented the hackers from executing this newer attack because it had disabled the malicious files they left behind.