UK cyber-security vendor Sophos published today an update on its investigation into a recent series of attacks that tried to exploit a zero-day vulnerability in its XG firewall product.

Sophos said that after they learned of the incident and issued a hotfix, the attackers panicked and modified their attack routine to replace their original data-stealing payload and deploy ransomware on corporate networks protected by Sophos firewalls.

Sophos said that firewalls which received the hotfix blocked the subsequent attempts to install ransomware.

Summary of the original attacks

The original attacks took place between April 22 and April 26. In a report published at the time, Sophos said that an attacker had discovered an SQL injection vulnerability (CVE-2020-12271) in the Sophos XG firewall.

The hackers were using the zero-day to attack the firewall’s built-in PostgreSQL database server and plant malware on the device.

Sophos said the initial payload was a trojan — which the company named Asnarök — that collected files containing usernames and passwords for Sophos firewall accounts.

Additionally, the attackers also left behind two files that worked as backdoors and which provided a way to control infected devices.

Sophos was quick to react, and four days after learning of the attack, the company published hotfixes for XG firewalls, which it automatically pushed to all firewalls that had the auto-update option left enabled.

Attacks changed after the patch rolled out

But in a new report published today, Sophos said that as soon as news of the attack became public and the patch started rolling out, the attackers changed their attack routine.

The new attack chain included the following payloads:

  • EternalBlue – Windows SMB exploit to allow attackers to infect computers on the internal network beyond the firewall.
  • DoublePulsar – Windows kernel implant to grant attackers a foothold on computers on the internal network.
  • Ragnarok – a crypto-ransomware strain (not to be confused with the RagnarLocker ransomware).

However, Sophos says the new attack routine failed. The company says that on patched firewalls, the hotfix removed all traces of the malware, including both backdoor mechanisms, preventing the new attack chain from successfully delivering and installing the ransomware.

XG firewalls where the auto-update feature was not enabled and where system administrators failed to manually install the patch were most likely infected.

ZDNet asked Sophos today about the number of incidents where hackers managed to successfully install the ransomware after companies failed to patch systems.

The Ragnarok ransomware is a lesser-known ransomware strain. Prior to this report, the Ragnarok ransomware has been seen in attacks where hackers targeted Citrix ADC, a network gateway system.

These attacks followed a similar pattern like the one described by Sophos, where attackers went after a company’s network edge devices, and then pivoted to workstations on the internal network.

“This incident highlights the necessity of keeping machines inside the firewall perimeter up to date, and serves as a reminder that any IOT device could be abused as a foothold to reach Windows machines,” Sophos said. “It’s also important for the industry and law enforcement to keep an eye on this group, because of the potentially outsized impact of an attack against always-on networked devices.”