
Asnarok: the malware exploiting Sophos vulnerabilities 

Asnarok is a sophisticated piece of malware that exploited vulnerabilities in Sophos XG firewalls, in particular through SQL injection and remote code execution. The attack had a major impact on companies and organizations, compromising not only the security of corporate networks but also the confidentiality of their data.


Table of contents

  • Asnarok: an advanced attack on Sophos firewalls 
  • How the Asnarok malware works 
  • The use of compromised data and remote access 
  • Protection and mitigation against Asnarok malware 

Asnarok: an advanced attack on Sophos firewalls 

By exploiting the SQL injection and remote code execution vulnerabilities mentioned above, Asnarok penetrated the firewalls and extracted sensitive information such as IP addresses, user IDs, and other details essential to network management. 

The primary objective of Asnarok was to compromise Sophos firewalls, especially those with HTTPS admin service enabled or with automatic updates active.

This malware demonstrated how even the most advanced security devices can become targets, exposing companies to serious security breaches. 

How the Asnarok malware works 

Asnarok exploits an SQL injection vulnerability present in Sophos XG firewalls to gain initial access. This type of attack allows malicious commands to be inserted into database tables, bypassing standard security procedures.

Once inside, the malware plants a command in a row of a database table on the firewall, a technique that can be summed up as "inserting a command into a row of the database table."

This initial step allows the malware to establish a presence in the targeted systems and execute a series of actions without being detected. 
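The root cause described above is untrusted input reaching SQL text. The following added example (not code from the article or from Sophos; the `devices` table, its rows and the function names are constructed for illustration) shows, on an in-memory SQLite database, how a string-built query lets a single tautology read back every row, and how the parameterised form of the same lookup treats the identical input as a plain value and returns nothing:

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample table standing in for a firewall's configuration
    # store; schema and rows are invented for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (serial TEXT, license TEXT, admin_ip TEXT)")
    conn.executemany(
        "INSERT INTO devices VALUES (?, ?, ?)",
        [("SN-0001", "LIC-AAAA", "10.0.0.5"),
         ("SN-0002", "LIC-BBBB", "10.0.0.9")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, serial: str) -> list:
    # Vulnerable pattern: the caller's input is pasted into the SQL text, so a
    # quote character followed by SQL changes the structure of the statement.
    query = f"SELECT serial, license, admin_ip FROM devices WHERE serial = '{serial}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, serial: str) -> list:
    # Hardened pattern: the value is bound as a parameter. The SQL text is fixed
    # and the input can only ever be compared as data, never parsed as SQL.
    query = "SELECT serial, license, admin_ip FROM devices WHERE serial = ?"
    return conn.execute(query, (serial,)).fetchall()


def demo() -> dict:
    conn = build_db()
    # A tautology that turns the WHERE clause into "always true" when
    # concatenated, and is just a non-matching string when bound.
    injected = "x' OR '1'='1"
    return {
        "normal": lookup_safe(conn, "SN-0001"),
        "vulnerable_leak": lookup_vulnerable(conn, injected),  # every row comes back
        "hardened": lookup_safe(conn, injected),               # no rows match
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The defensive lesson is the second function: whatever a firewall's management interface stores in its database, every query that touches user-controlled input should bind that input as a parameter rather than splicing it into the statement, and code review or static analysis should flag any f-string or concatenation that produces SQL.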

Asnarok then downloads a Linux shell script named install.sh into the system's temporary directory (the tmp directory) and executes it to continue the infection.

This script contains a series of targeted instructions that end in the execution of a Linux ELF binary.

ELF (Executable and Linkable Format) is the standard executable format on Linux systems. This binary forms the core of the attack, giving the malware access to sensitive data and enabling aggressive data theft. 

The use of compromised data and remote access 

Once active, Asnarok collects critical information, such as the license and serial numbers of compromised devices, the user IDs of users who interacted with the Sophos firewalls, and other sensitive data. 

The collected data is passed through a salted SHA-256 hash function before use, so that the stolen values are protected in transit yet remain usable by the attackers.
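To make the term concrete for readers of the questions below, here is an added example of a salted SHA-256 hash (not code from the article, from Sophos or from the malware; the function names and the sample serial number are constructed). It shows the two properties that matter: the same value hashed under two random salts yields two different digests, so a precomputed lookup table of plain SHA-256 values is useless, and a holder of the salt can still verify a candidate value against the digest:

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def salted_sha256(data: bytes, salt: bytes) -> bytes:
    # SHA-256 over salt || data. Prepending a per-record salt means identical
    # inputs no longer share a digest, which defeats precomputed tables.
    return hashlib.sha256(salt + data).digest()


def hash_record(value: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    # A fresh 16-byte random salt per record unless the caller supplies one
    # (a fixed salt is only useful for reproducible tests).
    salt = salt if salt is not None else os.urandom(16)
    return salt, salted_sha256(value.encode("utf-8"), salt)


def verify_record(value: str, salt: bytes, digest: bytes) -> bool:
    # Recompute with the stored salt and compare in constant time, so the
    # comparison itself leaks nothing about how many bytes matched.
    return hmac.compare_digest(salted_sha256(value.encode("utf-8"), salt), digest)


def salt_changes_digest(value: str) -> bool:
    # Two independent salts for the same value give two different digests.
    _, first = hash_record(value)
    _, second = hash_record(value)
    return first != second


if __name__ == "__main__":
    serial = "SN-0001"  # constructed sample value
    salt, digest = hash_record(serial)
    print("salt   :", salt.hex())
    print("digest :", digest.hex())
    print("verify :", verify_record(serial, salt, digest))
    print("differs:", salt_changes_digest(serial))
```

For a defender the relevant point is the asymmetry: a hashed serial number or user ID is not directly readable in exfiltrated traffic, but whoever holds the salt can still check a guess against it, so hashed exfiltration should be treated as a compromise of the underlying values.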

Once these details are obtained, the malware is capable of establishing a remote connection and executing commands directly on the compromised systems via remote code execution.

The remote access allows the malware to perform a wide range of tasks on compromised firewalls, such as altering security settings or disabling some protection functions.

This prolonged and silent access enables cybercriminals to monitor network traffic, identify other system vulnerabilities, and eventually gather further sensitive data.

The persistent nature of the attack means that the targeted systems remain vulnerable for extended periods, making detection by standard security measures difficult. 


Protection and mitigation against Asnarok malware 

To defend against Asnarok, Sophos released updates that fix the vulnerabilities exploited by the malware.

It is crucial for companies to keep automatic updates enabled for their systems, ensuring that firewalls are consistently protected against new threats.

Sophos also recommended that administrators disable the HTTPS admin service to reduce the malware’s entry points and to continuously monitor system access for suspicious activity. 

In addition to updates, it is advised to adopt stronger security practices, such as actively monitoring changes to the license numbers, serial numbers, and IP addresses associated with devices, and checking firewall configurations and database tables for signs of injected SQL commands.

These precautions can reduce the risk of attacks like Asnarok and ensure greater security for corporate data. 

Sophos has also provided users with a guide to verify possible system compromise, suggesting specific checks, such as searching for unusual files written in the tmp directory or identifying Linux shell scripts that may indicate the presence of malware.
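The checks just described (unusual files in the tmp directory, shell scripts, the install.sh name, an ELF binary dropped where none belongs) can be turned into a simple triage script. The following is an added example, not the Sophos guide's own tooling: it walks a directory, flags files by name, by ELF magic, by shell shebang and by executable bit, and builds a constructed sample directory so it runs offline. The filenames, contents and the `asnarok_demo_` prefix are invented for the demonstration.

```python
import os
import stat
import tempfile
from typing import List, Tuple

ELF_MAGIC = b"\x7fELF"          # first four bytes of every ELF file
SUSPECT_NAMES = {"install.sh"}  # installer name taken from the article


def classify(path: str) -> List[str]:
    """Return the reasons a file looks out of place in a temp directory."""
    reasons = []
    if os.path.basename(path) in SUSPECT_NAMES:
        reasons.append("known installer name")
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
    except OSError:
        return reasons
    if head.startswith(ELF_MAGIC):
        reasons.append("ELF executable")
    # Shebang line naming a shell (sh, bash, dash, ...).
    if head.startswith(b"#!") and b"sh" in head.split(b"\n", 1)[0]:
        reasons.append("shell script")
    if os.stat(path).st_mode & stat.S_IXUSR:
        reasons.append("executable bit set")
    return reasons


def scan_directory(root: str) -> List[Tuple[str, List[str]]]:
    """Walk root and return (relative path, reasons) for every flagged file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            reasons = classify(full)
            if reasons:
                findings.append((os.path.relpath(full, root), reasons))
    return sorted(findings)


def build_sample_tmp() -> str:
    # Constructed sample directory: a benign log, a shell script carrying the
    # installer's name, and a file with an ELF header. None are real artifacts.
    root = tempfile.mkdtemp(prefix="asnarok_demo_")
    with open(os.path.join(root, "session.log"), "w") as fh:
        fh.write("benign text\n")
    script = os.path.join(root, "install.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho placeholder\n")
    os.chmod(script, 0o755)
    with open(os.path.join(root, "payload.bin"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x00" * 12)
    return root


if __name__ == "__main__":
    sample = build_sample_tmp()
    for rel_path, why in scan_directory(sample):
        print(f"{rel_path}: {', '.join(why)}")
```

Run against a real `/tmp`, a hit is a prompt for investigation rather than proof of compromise: legitimate installers and build tools drop scripts there too, so the findings should be compared against the device's expected baseline and paired with the log and network-settings review the next paragraph recommends.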

Implementing a multilayered security strategy that includes frequent system log checks and network settings review can be decisive in preventing attacks like Asnarok. 

In conclusion… 

The Asnarok malware represents a sophisticated example of an attack that exploits flaws in advanced security systems. 

The malware’s ability to compromise Sophos XG firewalls through SQL injection and remote code execution highlights the importance of adopting a proactive security approach and keeping network protection devices up to date. 

Companies must be aware of the risks associated with security devices and take preventive measures to protect their data and networks from similar attacks. 


Questions and answers 

  1. What is the Asnarok malware? 
    It is malware that exploits vulnerabilities in Sophos XG firewalls to perform remote code execution attacks and steal sensitive data. 
  2. Which firewalls are affected by Asnarok? 
    Sophos XG firewalls are the primary devices vulnerable to Asnarok malware attacks. 
  3. How does Asnarok penetrate systems? 
    Asnarok uses an SQL injection vulnerability in Sophos firewalls to insert commands and establish remote access to systems. 
  4. What does the install.sh file do in the context of Asnarok? 
    The install.sh file is a Linux shell script used by Asnarok to install a malicious program on the infected system. 
  5. What type of data does Asnarok steal? 
    The Asnarok malware extracts data such as user IDs, license and serial numbers, and sensitive information about networks. 
  6. What is a salted SHA-256 hash, and how is it used? 
    A salted SHA-256 hash is a method of data protection; Asnarok uses it to secure the data collected during the attack. 
  7. How can an Asnarok attack be prevented? 
    Enabling automatic updates and disabling the HTTPS admin service on Sophos XG firewalls helps prevent an Asnarok attack. 
  8. Why does Asnarok target Sophos firewalls? 
    Sophos firewalls are attractive targets due to their widespread use in businesses and their handling of sensitive data. 
  9. What are the main techniques used by Asnarok? 
    The main techniques include SQL injection and remote code execution, used to execute commands and steal data. 
  10. What to do in case of infection by Asnarok? 
    You must immediately update the Sophos firewall and contact security experts to remove the malware and assess the damage. 