Light Dark
April 28, 2020 By Shane Schick 2 min read

Cybercriminals have been using a Trojan dubbed Asnarök to steal data by exploiting a vulnerability in enterprise firewalls from Sophos, the company warned.

In an advisory that was issued over the weekend, Sophos said the campaign is aimed at both the physical and digital versions of its XG Firewall product. Using a pre-authorization SQL bug, the attack allows hackers to conduct remote code execution.

Those affected include anyone who has configured the product with the user portal connected to the WAN zone or with the HTTPS admin service. Sophos has since issued a patch to help mitigate the risk of Asnarök attacks.

Inside the Asnarök Kill Chain

Those behind the campaign use a legitimate-sounding domain name with the words “Sophos firewall update” that hosts Linux shell scripts.

By inserting a one-line command into a database table on targeted devices, attackers are able to trigger a remote server to download Install.sh. The kill chain then continues with a series of tasks that run every three to six hours, attempting to drop various other shell scripts until the Trojan is saved to the file system as the ultimate payload.

The malware works by searching the firewall for information such as the license and serial number, the admin’s email account and any other email accounts of users that may be stored on the appliance. Asnarök also has the potential to steal the admin’s salted SHA256 hash and encrypted passwords, user IDs and OS details about the firewall itself.

Threat actors are able to cover their tracks by having the Trojan delete all of the temp files it creates in the kill chain. This usually happens only once it has collected the data, encrypted it with OpenSSL and uploaded it to a third-party IP address.

The full scope of the attack campaign and the number of targeted systems has not been disclosed.

Arm Yourself Against Asnarök

Those who use the Sophos firewall will instantly get the emergency patch if they have automatic updates enabled on their devices. However, since it’s often difficult to keep up with the volume and variety of zero-day exploits, companies should also consider how artificial intelligence (AI) technologies can help augment the work IT security teams do.

 |  |  |  |  |  |  |  |  |  | 
Shane Schick
Writer & Editor

More from

May 14, 2024

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended RSAC…

May 14, 2024

3 recommendations for adopting generative AI for cyber defense

3 min read - In the past eighteen months, generative AI (gen AI) has gone from being the source of jaw-dropping demos to a top strategic priority in nearly every industry. A majority of CEOs report feeling under pressure to invest in gen AI. Product teams are now scrambling to build gen AI into their solutions and services. The EU and US are beginning to put new regulatory frameworks in place to manage AI risks.Amid all this commotion, hackers and other cybercriminals are hardly…

May 13, 2024

Debate rages over DMCA Section 1201 exemption for generative AI

2 min read - The Digital Millennium Copyright Act (DMCA) is a federal law that protects copyright holders from online theft. The DMCA covers music, movies, text and anything else under copyright.The DMCA also makes it illegal to hack technologies that copyright owners use to protect their works against infringement. These technologies can include encryption, password protection or other measures. These provisions are commonly referred to as the “Anti-Circumvention” provisions or “Section 1201”.Now, a fierce debate is brewing over whether to allow independent hackers…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature