Asnarök malware exploits firewall zero-day to steal credentials

Asnarök malware exploits firewall zero-day to steal credentials

Some Sophos firewall products were attacked with a new Trojan malware, dubbed Asnarök by researchers cyber-security firm Sophos, to steal usernames and hashed passwords starting with April 22 according to an official timeline.

The malware exploits a zero-day SQL injection vulnerability that can lead to remote code execution on any unpatched physical and virtual firewalls it targets.

“There was significant orchestration involved in the execution of the attack, using a chain of Linux shell scripts that eventually downloaded ELF binary executable malware compiled for a firewall operating system,” Sophos said in an advisory published over the weekend.

“This attack targeted Sophos products and apparently was intended to steal sensitive information from the firewall.”

Trojan infection chain

The Asnarök malware payload was downloaded to attacked firewall devices in the form of multiple Linux shell scrips after exploiting the zero-day SQL injection remote code execution vulnerability.

The exploit used to download the payload also dropped a shell script that made the malware installer script executable and launched it on the compromised devices.

Asnarök also “modified services to ensure it ran every time the firewall booted up; it served as a roundabout persistence mechanism for the malware,” according to Sophos analysis.

Attack flow and data exfiltration
Image: Sophos

Asnarök steals firewall credentials

As the researchers discovered while examining and reverse-engineering the Trojan, the malware is specifically designed for harvesting and exfiltrating firewall usernames and hashed passwords, as well as some system information.

Sophos said that credentials associated with external authentications systems such as Active Directory services and LDAP were not exposed and were not targeted by Asnarök.

Furthermore, Sophos has no evidence that any of the data collected by the attackers with the help of the Asnarök Trojan had been successfully exfiltrated.

The malware is only capable to collect firewall resident information which could include:

• The firewall’s license and serial number
• A list of the email addresses of user accounts that were stored on the device, followed by the primary email belonging to the firewall’s administrator account
• Firewall users’ names, usernames, the encrypted form of the passwords, and the salted SHA256 hash of the administrator account’s password. Passwords were not stored in plain text.
• A list of the user IDs permitted to use the firewall for SSL VPN and accounts that were permitted to use a “clientless” VPN connection.

Asnarök also queries the infected firewalls’ internal database to collect info on the OS version, the amount of RAM and the CPU, uptime information, and users’ IP address allocation permissions among others.

All the data is written to an Info.xg file, archived, encrypted, and then sent to attacker-controlled servers.

Customers alerted if their devices were compromised

Sophos blocked the domains used by Asnarök on April 22 and April 23, and it pushed mitigations to affected firewall devices on April 23 and April 24 after identifying the initial SQL injection attack vector.

As BleepingComputer reported yesterday, the final security update for the zero-day XG Firewall vulnerability was ready by the evening of April 25 when Sophos started rolling it out to all XG Firewall units with auto-update enabled.

Customers who don’t have auto-update enabled on their firewalls can follow these instructions to install the hotfix manually.

Sophos will automatically display alerts within the management interface of XG Firewall devices to let customers know if their units were compromised or not.

If you will be alerted that your device was infected, Sophos advises taking the following additional measures to make sure that your firewall is fully secured:

1. Reset portal administrator and device administrator accounts
2. Reboot the XG device(s)
3. Reset passwords for all local user accounts
4. Although the passwords were hashed, it is recommended that passwords are reset for any accounts where the XG credentials might have been reused

Indicators of compromise as well as more information on how the malware infects unpatched Sophos firewalls and about the way it collects and exfiltrates data can be found here.