
Rewterz Threat Alert – Asnarok Trojan targets Sophos firewalls

April 27, 2020

Severity

High

Analysis Summary

Unknown threat actors targeted Sophos firewall products through a previously unknown SQL injection vulnerability that led to remote code execution on some of those products. Sophos has already provided a hotfix to its customers that protects them from this attack.

How the Attack Happened

The infection process started when an attacker discovered, and exploited, a zero-day SQL injection remote code execution vulnerability. The exploit of this vulnerability resulted in the attacker being able to insert a one-line command into a database table.

This initial injected command triggered an affected device to download a Linux shell script named Install.sh from a remote server on the malicious domain sophosfirewallupdate[.]com. The command also wrote this shell script to the /tmp directory on the device, used the chmod program to designate the file as executable, and executed it.

The script (written to the appliance as x.sh) ran a series of SQL commands and dropped additional files into the virtual file system to lay the groundwork for the rest of the attack.

The Install.sh script initially ran a number of PostgreSQL commands to modify or zero out the values of certain tables in the database, one of which normally displays the administrative IP address of the device itself.

[Figure: attack flow diagram]

Impact

  • SQL injection
  • Remote code execution
  • Data exfiltration

Affected Vendors

Sophos

Indicators of Compromise

SHA-256

  • 736da16da96222d3dfbb864376cafd58239344b536c75841805c661f220072e5
  • a226c6a641291ef2916118b048d508554afe0966974c5ca241619e8a375b8c6b
  • 4de3258ebba1ef3638642a011020a004b4cd4dbe8cd42613e24edf37e6cf9d71
  • 9650563aa660ccbfd91c0efc2318cf98bfe9092b4a2abcd98c7fc44aad265fda
  • 8e9965c2bb0964fde7c1aa0e8b5d74158e37443d857fc227c1883aa74858e985
  • 31e43ecd203860ba208c668a0e881a260ceb24cb1025262d42e03209aed77fe4

URL

  • hxxps[:]//sophosfirewallupdate[.]com/sp/Install[.]sh
  • hxxp[:]//sophosfirewallupdate[.]com/sh_guard/lc
  • hxxps[:]//sophosfirewallupdate[.]com/bk
  • hxxps[:]//sophosfirewallupdate[.]com/sp/lp
  • hxxps[:]//ragnarokfromasgard[.]com/sp/patch[.]sh
  • hxxps[:]//sophosfirewallupdate[.]com/sp/sophos[.]dat
  • hxxps[:]//sophosfirewallupdate[.]com/in_exit
  • hxxps[:]//sophosfirewallupdate[.]com/sp/lpin
  • hxxp[:]//sophosfirewallupdate[.]com/bkin
  • hxxp[:]//filedownloaderservers[.]com/bkin
  • hxxps[:]//sophosfirewallupdate[.]com/sp/p[.]sh
  • hxxps[:]//sophosfirewallupdate[.]com/sp/ae[.]sh
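As an added illustration, not part of the advisory and not a Rewterz or Sophos tool, the script below shows how a defender can turn the indicators listed above into a local check: it refangs the defanged URLs, extracts the hostnames, scans DNS/proxy log lines for those hostnames (matching subdomains but not look-alike names), and compares a file's SHA-256 against the hash list. The hashes and URLs are copied from the list above; the log lines and file bytes are constructed for the demonstration and are not real captures.

```python
import hashlib
import re

# SHA-256 indicators copied verbatim from the advisory above.
IOC_SHA256 = {
    "736da16da96222d3dfbb864376cafd58239344b536c75841805c661f220072e5",
    "a226c6a641291ef2916118b048d508554afe0966974c5ca241619e8a375b8c6b",
    "4de3258ebba1ef3638642a011020a004b4cd4dbe8cd42613e24edf37e6cf9d71",
    "9650563aa660ccbfd91c0efc2318cf98bfe9092b4a2abcd98c7fc44aad265fda",
    "8e9965c2bb0964fde7c1aa0e8b5d74158e37443d857fc227c1883aa74858e985",
    "31e43ecd203860ba208c668a0e881a260ceb24cb1025262d42e03209aed77fe4",
}

# URL indicators copied verbatim (defanged) from the advisory above.
IOC_URLS_DEFANGED = [
    "hxxps[:]//sophosfirewallupdate[.]com/sp/Install[.]sh",
    "hxxp[:]//sophosfirewallupdate[.]com/sh_guard/lc",
    "hxxps[:]//sophosfirewallupdate[.]com/bk",
    "hxxps[:]//sophosfirewallupdate[.]com/sp/lp",
    "hxxps[:]//ragnarokfromasgard[.]com/sp/patch[.]sh",
    "hxxps[:]//sophosfirewallupdate[.]com/sp/sophos[.]dat",
    "hxxps[:]//sophosfirewallupdate[.]com/in_exit",
    "hxxps[:]//sophosfirewallupdate[.]com/sp/lpin",
    "hxxp[:]//sophosfirewallupdate[.]com/bkin",
    "hxxp[:]//filedownloaderservers[.]com/bkin",
    "hxxps[:]//sophosfirewallupdate[.]com/sp/p[.]sh",
    "hxxps[:]//sophosfirewallupdate[.]com/sp/ae[.]sh",
]

# Constructed sample log lines (not real captures): two DNS queries and
# three proxy requests from a hypothetical internal network.
SAMPLE_LOG_LINES = [
    "2020-04-27T02:14:03Z dns query=updates.sophos.com type=A client=10.0.0.5",
    "2020-04-27T02:15:11Z proxy GET https://sophosfirewallupdate.com/sp/Install.sh client=10.0.0.5 status=200",
    "2020-04-27T02:16:40Z dns query=cdn.filedownloaderservers.com type=A client=10.0.0.5",
    "2020-04-27T02:17:02Z proxy GET https://notsophosfirewallupdate.com/index.html client=10.0.0.9 status=200",
    "2020-04-27T02:18:55Z dns query=ragnarokfromasgard.com. type=A client=10.0.0.5",
]


def refang(indicator):
    """Turn a defanged indicator (hxxp, [:], [.]) back into its literal form.
    The result is used only for string matching against logs."""
    return (indicator.replace("hxxps", "https").replace("hxxp", "http")
            .replace("[:]", ":").replace("[.]", "."))


def ioc_domains():
    """Extract the bare hostnames from the refanged URL indicators."""
    hosts = set()
    for url in IOC_URLS_DEFANGED:
        m = re.match(r"https?://([^/]+)", refang(url))
        if m:
            hosts.add(m.group(1).lower())
    return hosts


def _domain_pattern(domain):
    # Match the domain itself or any subdomain of it, as a whole hostname:
    # no alphanumeric/hyphen directly before the first label, and nothing
    # after the last label except a non-name character (or a lone root dot).
    return re.compile(
        r"(?<![A-Za-z0-9-])(?:[A-Za-z0-9-]+\.)*" + re.escape(domain) + r"(?!\.?[A-Za-z0-9-])",
        re.IGNORECASE,
    )


def match_log_lines(lines, domains):
    """Return (line_index, matched_ioc_domain) pairs for every log line that
    references one of the indicator hostnames."""
    patterns = [(d, _domain_pattern(d)) for d in sorted(domains)]
    hits = []
    for i, line in enumerate(lines):
        for domain, pat in patterns:
            if pat.search(line):
                hits.append((i, domain))
    return hits


def sha256_hex(data):
    """Hex SHA-256 of a byte string (what a file scanner would compute per file)."""
    return hashlib.sha256(data).hexdigest()


def hash_matches(data):
    """True if the SHA-256 of the given bytes is on the advisory's hash list."""
    return sha256_hex(data) in IOC_SHA256


if __name__ == "__main__":
    for idx, domain in match_log_lines(SAMPLE_LOG_LINES, ioc_domains()):
        print(f"line {idx}: contact with indicator domain {domain}")
    sample = b"#!/bin/sh\necho constructed sample, not the real script\n"
    print("sample file on hash list:", hash_matches(sample))
```

The hostname pattern deliberately accepts subdomains (cdn.filedownloaderservers.com) and a trailing root dot as DNS logs often write it, while rejecting names that merely contain an indicator as a substring (notsophosfirewallupdate.com), so a hit means the logged host really is one of the listed domains or sits under it.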

Remediation

A hotfix is available for customers to patch the vulnerability. Customers who do not have automatic updates enabled can follow the instructions here.

https://community.sophos.com/kb/en-us/135415

COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.