Hackers Tried (and Failed) To Install Ransomware Using A Zero-day In Sophos Firewalls


UK cyber-security vendor Sophos published today an update on its investigation into a recent series of attacks that tried to exploit a zero-day vulnerability in its XG firewall product.

Sophos said that after they learned of the incident and issued a hotfix, the attackers panicked and modified their attack routine to replace their original data-stealing payload and deploy ransomware on corporate networks protected by Sophos firewalls.

Sophos said that firewalls which received the hotfix blocked the subsequent attempts to install ransomware.

Summary of the original attacks

The original attacks took place between April 22 and April 26. In a report published at the time, Sophos said that an attacker had discovered an SQL injection vulnerability (CVE-2020-12271) in the Sophos XG firewall.

The hackers were using the zero-day to attack the firewall's built-in PostgreSQL database server and plant malware on the device.

Sophos said the initial payload was a trojan -- which the company named Asnarök -- that collected files containing usernames and passwords for Sophos firewall accounts.

Additionally, the attackers also left behind two files that worked as backdoors and which provided a way to control infected devices.

Sophos was quick to react, and four days after learning of the attack, the company published hotfixes for XG firewalls, which it automatically pushed to all firewalls that had the auto-update option left enabled.

Attacks changed after the patch rolled out

But in a new report published today, Sophos said that as soon as news of the attack became public and the patch started rolling out, the attackers changed their attack routine.

The new attack chain included the following payloads:

  • EternalBlue - Windows SMB exploit to allow attackers to infect computers on the internal network beyond the firewall.
  • DoublePulsar - Windows kernel implant to grant attackers a foothold on computers on the internal network.
  • Ragnarok - a crypto-ransomware strain (not to be confused with the RagnarLocker ransomware).

However, Sophos says the new attack routine failed. The company says that on patched firewalls, the hotfix removed all traces of the malware, including both backdoor mechanisms, preventing the new attack chain from successfully delivering and installing the ransomware.

XG firewalls where the auto-update feature was not enabled and where system administrators failed to manually install the patch were most likely infected.

ZDNet asked Sophos today about the number of incidents where hackers managed to successfully install the ransomware after companies failed to patch systems.

The Ragnarok ransomware is a lesser-known ransomware strain. Prior to this report, the Ragnarok ransomware has been seen in attacks where hackers targeted Citrix ADC, a network gateway system.

These attacks followed a pattern similar to the one described by Sophos: attackers went after a company's network edge devices first, then pivoted to workstations on the internal network.

"This incident highlights the necessity of keeping machines inside the firewall perimeter up to date, and serves as a reminder that any IOT device could be abused as a foothold to reach Windows machines," Sophos said. "It's also important for the industry and law enforcement to keep an eye on this group, because of the potentially outsized impact of an attack against always-on networked devices."
