Attackers Attempted to Plant Trojan, Ransomware By Exploiting Vulnerability
Hackers tried two methods of exploiting a zero-day vulnerability in Sophos’ XG firewall, but Sophos says it made a temporary fix that mitigated the risks.
Attackers originally attempted to plant a Trojan in networks by exploiting the zero-day vulnerability, but then switched to ransomware, according to Sophos.
In a Thursday update, Sophos noted that XG firewalls that received a hotfix were able to block the attacks, including the ransomware, which the company identified as Ragnarok. This crypto-locking malware was first noticed in January, when security firm FireEye published a report on it, noting that its operators were trying to take advantage of flaws in Citrix’s ADC and Gateway servers at the time.
“Ragnarok is a less common threat than other ransomware, and it appears that this threat actor’s modus operandi – and the tooling they employ to deliver this ransomware – is quite different from those of many other threat actors,” Sophos says.
Sophos detected the first wave of these attacks between April 22 and 26, when the hackers were attempting to take advantage of a zero-day SQL injection vulnerability in the XG firewall products.
That vulnerability, tracked as CVE-2020-12271, allowed the attackers to target the firewall’s built-in PostgreSQL database server. This bug would then allow the hackers to inject a single line of Linux code into databases that would enable them to plant malware within vulnerable networks, according to Sophos.
The attackers attempted to plant a Trojan called Asnarök, which enables threat actors to steal user names and hashed password, Sophos says.
When Sophos analysts began to notice the attacks unfolding in April, the company rushed out a temporary fix to its customers to block the hackers from taking advantage of the vulnerability. The company also recommended that its customers reboot their firewalls and change administrative settings and passwords.
After Sophos published an alert to customers about the April security incident, the hackers then attempted to switch tactics, according to Thursday’s update.
During the initial attacks in April, the hackers left behind what Sophos calls a “backup channel” and other malicious files that would allow the attackers to re-enter a network if they had been detected and blocked.
“This would have happened if a firewall that hadn’t been remediated by the Sophos hotfixes had been rebooted or power-cycled,” Sophos says. “If the file did get deleted, the new use of the backup channel was intended to initiate a ransomware attack at an indeterminate time in the future.”
When Sophos blocked the first firewall attack with a hotfix, the hackers attempted to leverage the EternalBlue vulnerability in older versions of Microsoft Windows and the DoublePulsar backdoor malware to re-enter networks and plant the Ragnarok ransomware, according to the update, Sophos says.
The hotfix prevented the hackers from executing this newer attack because it disabled the malicious files, according to Sophos. Organizations with XG firewalls with the auto-update feature turned off, however, may have been infected. In these cases, the patch would have to be applied manually.
Sophos warned that attackers are targeting network edge devices, such as firewalls, to pivot to endpoint devices that contain more valuable data.
“This incident highlights the necessity of keeping machines inside the firewall perimeter up to date, and serves as a reminder that any [internet of things] device could be abused as a foothold to reach Windows machines,” Sophos notes.