Hackers modify attack routine in attempt to deploy Ragnarok ransomware on networks protected by Sophos firewall

An SQL injection zero-day in the Sophos firewall was exploited to infiltrate corporate networks

Hackers who exploited a zero-day vulnerability in the Sophos XG firewall to break into corporate networks in April later changed tactics and tried to plant ransomware on those networks.

On Thursday, Sophos published a report detailing the attacks, which first took place between 22 April and 26 April.

In these attacks, hackers infiltrated the networks of several enterprises by exploiting an SQL injection zero-day in the Sophos XG firewall. The initial payload stole data from the firewalls themselves; the attackers' ultimate goal, which became clear later, was to reach the Windows machines behind the firewall and plant ransomware on them.

The attackers used the CVE-2020-12271 zero-day to install several ELF binaries and scripts on the firewall, which Sophos researchers collectively named the Asnarök Trojan.

The Trojan was used to steal sensitive data from the firewall - usernames and hashed passwords for firewall accounts, the firewall's serial and license number, and the email addresses of user accounts stored on the device - with the ultimate aim of compromising the entire network remotely.
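The mechanism behind this kind of data theft is worth seeing in code. The following is an added, constructed example and is not Sophos code, nor the actual CVE-2020-12271 query: it models a generic login and account-lookup handler for a hypothetical device web portal, backed by an in-memory SQLite table with made-up credentials. It shows why string-built SQL lets an unauthenticated attacker both bypass authentication and dump every stored username and password, and how parameterised queries close both holes. The table layout, payloads and function names are all assumptions for illustration.

```python
import sqlite3


def _setup():
    """Constructed sample data (not from the Sophos report): a toy account table.
    Plaintext passwords are used only to keep the demo short; real systems hash them."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "S3cret!"), ("auditor", "r3adonly")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Hypothetical vulnerable handler: user input is spliced into SQL syntax."""
    query = (
        f"SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Same check with bound parameters: input can only ever be data."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def lookup_vulnerable(conn, username):
    """Hypothetical account lookup, vulnerable to UNION-based extraction."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [r[0] for r in conn.execute(query).fetchall()]


def lookup_hardened(conn, username):
    """Parameterised account lookup."""
    query = "SELECT username FROM users WHERE username = ?"
    return [r[0] for r in conn.execute(query, (username,)).fetchall()]


def demo():
    """Run both payloads against both implementations and return the outcomes."""
    conn = _setup()

    # Authentication bypass: the '--' turns the password check into a comment,
    # so the query becomes  ... WHERE username = 'admin'
    bypass = "admin' --"

    # Credential dump: the UNION appends every username:password pair to the
    # (empty) legitimate result set, mirroring the account theft described above.
    dump = "x' UNION SELECT username || ':' || password FROM users ORDER BY 1 --"

    return {
        "vuln_auth_bypass": login_vulnerable(conn, bypass, "wrong"),   # 'admin'
        "hard_auth_bypass": login_hardened(conn, bypass, "wrong"),     # None
        "vuln_dump": lookup_vulnerable(conn, dump),   # every credential pair
        "hard_dump": lookup_hardened(conn, dump),     # [] - no such username
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The hardened versions are not merely "the same query with quotes escaped": the database driver receives the SQL text and the values separately, so no value can change the statement's structure. That is the property a pre-authentication portal endpoint has to guarantee, because the attacker controls every byte of the request.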

The hackers also left behind two backdoors, which gave them a way to control the compromised devices.

After discovering the attack, Sophos released a hotfix to affected firewalls, which closed the SQL injection bug, removed the malicious scripts, and blocked the hackers' subsequent attempts to plant ransomware.

With their original foothold removed, the hackers modified their attack routine and replaced the data-stealing payload with a new one.

The new attack chain bundled Ragnarok, a crypto-ransomware strain, with EternalBlue, the Windows SMB exploit patched by Microsoft in 2017 as MS17-010, to move from the firewall to computers on the internal network. It also carried the DoublePulsar Windows kernel implant, which gives attackers a persistent foothold on the machines it infects.

According to the researchers, Ragnarok is a less common threat than other ransomware families. Its operators had earlier attempted to exploit bugs in Citrix ADC gateway devices to deploy the ransomware.

The new attack routine failed on hotfixed firewalls, because the hotfix had already removed the malicious files the attackers relied on.

"This incident highlights the necessity of keeping machines inside the firewall perimeter up to date, and serves as a reminder that any IoT device could be abused as a foothold to reach Windows machines," the researchers warn.

"It's also important for the industry and law enforcement to keep an eye on this group, because of the potentially outsized impact of an attack against always-on networked devices."