
Hackers exploit Sophos firewall zero-day


An actively exploited vulnerability in Sophos’ enterprise firewall has been identified and promptly fixed, the company announced earlier this morning.

In a recently published advisory, the cybersecurity firm explained that one of its clients had drawn its attention to a zero-day vulnerability found in its XG Firewall.

The unnamed client alerted Sophos on April 22 to a “suspicious field value visible in the management interface.” A short investigation found that the field value was not an error but evidence of an actively exploited zero-day vulnerability.

"The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices," the security advisory reads. The company says criminals used the flaw to download malware onto the target device, allowing them to steal files from the firewall.

The malware used for the attack has since been dubbed Asnarok by researchers.

The attackers targeted login credentials for the firewall device administrator, as well as for the firewall portal admins and remote access user accounts. They were also interested in firewall licenses, serial numbers and user emails.

Sophos has already developed and issued the fix, which all customers with automatic updates activated should already have received.

"This hotfix eliminated the SQL injection vulnerability which prevented further exploitation, stopped the XG Firewall from accessing any attacker infrastructure, and cleaned up any remnants from the attack," the company said.

Companies whose firewalls have been hacked should follow these instructions, published by ZDNet.