- Joined
- Dec 3, 2020
- Messages
- 2,417
After fixing the vulnerability, cybercriminals were forced to change their tactics.
On Thursday, May 21, Sophos released new cyber attacks on its XG firewalls.
Recall last month that it became known about the exploitation of the zero-day vulnerability in Sophos XG firewalls. According to the researchers, upon learning of the incident, the manufacturer released emergency security updates, and attackers quickly changed their tactics, replacing the original payload, infostiller, extortionate software. As the researchers found, the firewalls on which the patch was installed blocked subsequent attempts to install ransomware.
Initial cyberattack attempts were made on April 22-26. Attackers exploited a vulnerability (CVE-2020-12271) on Sophos XG firewalls that allowed for SQL injection. Attackers aimed at the built-in PostgreSQL server and installed malware on the device.
According to Sophos, the original payload was the Asnarök Trojan, which collects usernames and passwords for accessing the Sophos firewall. In addition, the attackers left two files playing the role of backdoors, providing them with control over the devices.
The manufacturer quickly released an emergency update, not all vulnerable devices were automatically sent out, and the attackers were forced to change their tactics. A new attack includes the following steps:
On Thursday, May 21, Sophos released new cyber attacks on its XG firewalls.
Recall last month that it became known about the exploitation of the zero-day vulnerability in Sophos XG firewalls. According to the researchers, upon learning of the incident, the manufacturer released emergency security updates, and attackers quickly changed their tactics, replacing the original payload, infostiller, extortionate software. As the researchers found, the firewalls on which the patch was installed blocked subsequent attempts to install ransomware.
Initial cyberattack attempts were made on April 22-26. Attackers exploited a vulnerability (CVE-2020-12271) on Sophos XG firewalls that allowed for SQL injection. Attackers aimed at the built-in PostgreSQL server and installed malware on the device.
According to Sophos, the original payload was the Asnarök Trojan, which collects usernames and passwords for accessing the Sophos firewall. In addition, the attackers left two files playing the role of backdoors, providing them with control over the devices.
The manufacturer quickly released an emergency update, not all vulnerable devices were automatically sent out, and the attackers were forced to change their tactics. A new attack includes the following steps:
- EternalBlue - exploit for a vulnerability in Windows SMB to infect internal networks protected by a firewall;
- DoublePulsar - implant for the Windows kernel, providing access to computers on the internal network;
- Ragnarok - Ransomware.
