Unknown threat actors have exploited a previously unknown SQL injection vulnerability in some Sophos firewall products, leading to remote code execution. Sophos has already provided a hotfix to its customers that protects them from this attack.
The infection process started when an attacker discovered and exploited a zero-day SQL injection remote code execution vulnerability. Exploiting this vulnerability allowed the attacker to insert a one-line command into a database table.
This initial injected command triggered an affected device to download a Linux shell script named Install.sh from a remote server on the malicious domain sophosfirewallupdate[.]com. The command also wrote this shell script to the /tmp directory on the device, used the chmod program to designate the file as executable, and executed it.
The script (written to the appliance as x.sh) ran a series of SQL commands and dropped additional files into the virtual file system to lay the groundwork for the rest of the attack.
The Install.sh script initially ran a number of PostgreSQL commands to modify or zero out the values of certain tables in the database, one of which normally displays the administrative IP address of the device itself.
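As an added example (not code from the original write-up or from Sophos), the following Python reviews constructed database rows for the indicators the text names: the staging domain, a shell script under /tmp, the chmod step, and a blanked administrative-IP field. All table and column names and the sample rows are invented, and treating an empty or 0.0.0.0 admin IP as suspicious is an assumption.

```python
import re
from dataclasses import dataclass, field

# Indicators named in the incident description: the staging domain, a shell
# script dropped under /tmp (Install.sh / x.sh), and chmod before execution.
INDICATORS = {
    "staging_domain": re.compile(r"sophosfirewallupdate\.com", re.I),
    "tmp_script": re.compile(r"/tmp/\S*\.sh\b"),
    "chmod": re.compile(r"\bchmod\b"),
    "script_name": re.compile(r"\b(?:Install|x)\.sh\b", re.I),
}

# Constructed sample rows as (table, column, value). Table and column names
# are invented for this demonstration, not taken from any appliance.
SAMPLE_ROWS = [
    ("tblsettings", "hostname", "fw01.example.internal"),
    ("tblsettings", "admin_ip", ""),  # admin IP blanked out
    ("tblsettings", "banner", "Authorised users only"),
    ("tbljobs", "cmd", "chmod +x /tmp/x.sh; /tmp/x.sh"),  # injected one-liner
    ("tbljobs", "cmd", "cat /proc/loadavg"),
]

@dataclass
class Finding:
    table: str
    column: str
    reasons: list = field(default_factory=list)

def match_indicators(value):
    """Return the names of indicators whose pattern occurs in a stored value."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]

def review_rows(rows, admin_ip_column="admin_ip"):
    """Flag rows holding injected shell fragments or a blanked admin-IP field.

    Treating an empty or 0.0.0.0 admin IP as suspicious is an assumption made
    here; the write-up only says the value was modified or zeroed out.
    """
    findings = []
    for table, column, value in rows:
        reasons = match_indicators(value)
        if column == admin_ip_column and value.strip() in ("", "0", "0.0.0.0"):
            reasons.append("admin_ip_zeroed")
        if reasons:
            findings.append(Finding(table, column, reasons))
    return findings

if __name__ == "__main__":
    for f in review_rows(SAMPLE_ROWS):
        print(f"{f.table}.{f.column}: {', '.join(f.reasons)}")
```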
A hotfix is available for customers to patch the vulnerability. However, customers who do not have automatic updates enabled can follow the instructions here.