The security company Sophos yesterday published an update on its investigation into a recent series of attacks in which the attackers tried to exploit a zero-day vulnerability in XG firewalls. Sophos moved quickly as soon as it learned of the hacking attempts and issued an urgent fix. The attackers apparently panicked and modified their attack: they replaced the original data-stealing payload and tried to deploy ransomware on corporate networks protected by Sophos firewalls.
Sophos said the XG firewalls that received the fix blocked the subsequent ransomware installation attempts.
A brief history of the initial attacks
The initial attacks took place between 22 and 26 April. In a report released at the time, Sophos said the attackers had discovered an SQL injection vulnerability (CVE-2020-12271) in the Sophos XG firewall.
The hackers tried to exploit the vulnerability to attack the firewall's built-in PostgreSQL database server and install malware on the device.
The company said the original payload was a trojan (which it named Asnarök). The trojan stole usernames and passwords for Sophos firewall accounts.
In addition, the hackers left behind two files that functioned as backdoors and provided a way to control infected devices.
Within four days of learning of the attacks, Sophos issued the fix for the XG firewalls, which was installed automatically on all firewalls that had the auto-update option enabled.
The attacks changed after the patch was released
The new attack included the following payloads:
- EternalBlue: a Windows SMB exploit that lets intruders infect computers on the internal network behind the firewall.
- DoublePulsar: used to gain access to computers on the internal network.
- Ragnarok: crypto-ransomware.
However, according to Sophos, the new attacks failed. Updated firewalls removed all traces of the malware, including both backdoor mechanisms, so the new attack and a successful installation of the ransomware were not possible.
XG firewalls on which automatic updating was not enabled, and which were not updated manually by their administrators, were most likely infected.
According to the company, this incident emphasizes the need to keep systems constantly updated and is a reminder that any IoT device could be used as a foothold for reaching Windows machines.