Original Release Date: 5/1/2020
A zero-day Structured Query Language (SQL) injection vulnerability affecting Sophos’ XG Firewall was discovered on April 22, 2020, and is actively being exploited. Threat actors are deploying trojan malware, dubbed Asnarök by Sophos researchers, in an attempt to harvest XG Firewall-resident data such as usernames and hashed passwords for local device administrators (admin), user portal accounts, and accounts used for remote access. Successful exploitation may lead to remote code execution on both physical and virtual unpatched firewalls. Sophos has deployed a hotfix to devices that receive automatic updates; the hotfix also displays a message on the management interface indicating whether the device was affected. In addition to the hotfix, Sophos recommends resetting device admin accounts and changing local user account passwords – including accounts that may have re-used these credentials – in order to repair compromised devices.
The NJCCIC urges Sophos XG Firewall admins who may not have enabled automatic updates to apply the hotfix immediately. Additionally, we recommend disabling HTTPS admin services and unused user portals on the WAN interface. For further guidance and technical details, please review the Sophos security advisory.