Asnarök Exploits Compromised Sophos Firewalls

What Is It?

The newly discovered Asnarök malware avoids the most common infection vectors (computer, server or mobile device) for a more uncommon device and informationally valuable device in any organization’s north-south connectivity – a network firewall.

The attackers exploited a previously unknown remote code execution SQL injection vulnerability by inserting a single line command into an existing database table. This command downloaded a shell script from a legitimate-sounding domain name and executed it. This script issued several SQL commands intended to modify the values of certain database elements. The script also created additional scripts, one of which was designed to ensure the malware was executed following each reboot, also known as “persistence.”

One of these additional scripts attempted to download and execute a malicious Linux ELF binary from the same legitimate sounding domain. The binary utilized techniques that are commonly seen in Windows malware, as it would delete itself from the firewall’s disc storage, leaving it only resident in memory and appearing in the process list using a name very close to a legitimate process. At a regular interval, the malware would attempt to connect to a specific IP address or another legitimate sounding domain name. It then attempted to download another Linux ELF binary, used for data exfiltration. A third Linux ELF binary was downloaded which attempted to download a further shell script, though the domain it attempted to contact was not active during the analysis timeframe. However, this domain did lead to Sophos to naming the malware used in this attack as “Asnarök.”

More specifically, this attack exploited a zero-day SQL injection vulnerability in Sophos XG firewalls in order to compromise the device. How was it discovered? After receiving a report from a customer that a suspicious string was visible in the management interface of the firewall, Sophos investigated. As it turned out, the attack caused the injected SQL command to be displayed on the management console on some of the firewall devices, thus alerting vigilant customers to the presence of suspicious activity.

The data exfiltration malware was specifically designed to collect device system information, as well as firewall usernames and encrypted passwords. This data was temporarily stored on the firewall, before being compressed and encrypted using “GUCCI” as a password and uploaded to a specific IP address. Once uploaded, the temporary file was deleted.

With admirable speed, Sophos deployed a hotfix to patch the vulnerability and mitigate any future attacks. They published an article detailing the attack which sought to steal sensitive information from the firewall.

How Does It Propagate?

The Asnarök malware does not self-propagate, the attackers exploited a zero-day SQL injection vulnerability in Sophos XG firewalls in order to compromise the device.

When/How Did BluVector Detect It?

The two publicly available Linux ELF executables samples used in this attack have been regression tested against BluVector’s patented Machine Learning Engine (MLE) and both would have been detected for 72 months prior to their release.

All Threat Reports