Sophos releases an emergency patch to fix a zero-day vulnerability

Cybersecurity firm Sophos had released an emergency patch for its product called ‘XG Firewall‘ which had a SQL injection vulnerability, a zero-day bug. Hackers already had started exploiting this vulnerability in the wild, so if you are using this product you should download and install the patch as soon as possible.

Sophos had identified this vulnerability through one of their customers on April 22, Wednesday. Customer had mentioned a suspicious field value is visible in the interface. Furthermore, after investigating the case, Sophos identified it is an active attack and not an error in their system.

How did hackers exploit this vulnerability?

Hackers had used an unknown SQL injection vulnerability to access the XG exposed devices. They then aimed at XG Firewall devices that had administration or user portal control being exposed through the internet. Moreover, they also did use the SQL vulnerability to download a payload, fetching files from XG Firewall.

The below diagrams illustrates Asnarok’s penetration into Firewall and the malware’s exfiltration stages,

The data stolen from the product includes usernames, passwords, license details of the product, emails ids and user accounts. However, Sophos mentioned that their authentication systems like LDAP and AD were safe.

After analyzing and tracking the footprints of the hackers, Sophos confirmed the actors did not penetrate the XG Firewall devices, and had not breached the firewall of its customers. This malware was named as ‘Asnarok’ by the Sophos team.

Deploy the patch to fix the SQL vulnerability

The UK based company had already deployed an emergency patch for its product, and the product’s auto-update feature if enabled will take care of this vulnerability. Along with the patch for XG Firewall, Sophos has included a feature, a special box in the product which will intimate the admins if their device is compromised.

How to mitigate if already been affected?

Enterprises that have already been hacked to exploit this vulnerability, Sophos recommends the below steps,

• Portal and device administrators accounts has to be reset.
• The XG devices have to be rebooted.
• All local user account passwords have to be reset.
• Any accounts where the XG credentials were used needs to be reset.

Enterprises also should disable the firewall administration interface on the ports if the same is not a mandatory configuration for the network. Disable WAN’s control panel using these instructions.

Subscribe to our newsletter for daily alerts on cyber events, you can also follow us on Facebook, Linkedin, Instagram, Twitter and Reddit.