
"Asnarok" Trojan targets firewalls


As we described last week in this KBA, Sophos and its customers were the victims of a coordinated attack by an unknown adversary. This attack revealed a previously unknown SQL injection vulnerability that led to remote code execution on some of our firewall products. As described in the KBA, the vulnerability has since been remediated.
This post is the result of many hours of research and reverse-engineering by SophosLabs and Sophos internal security teams, working in conjunction with product management to coordinate a hotfix and global response within two days of discovering this attack. In the spirit of transparency, we want to describe the nature of the attack and a detailed analysis of the malware based on our investigation and current understanding.
There was significant orchestration involved in the execution of the attack, using a chain of Linux shell scripts that eventually downloaded ELF binary executable malware compiled for a firewall operating system. This attack targeted Sophos products and apparently was intended to steal sensitive information from the firewall.

How the attack began


The infection process started when an attacker discovered, and exploited, a zero-day SQL injection remote code execution vulnerability. The exploit of this vulnerability resulted in the attacker being able to insert a one-line command into a database table.
This initial injected command triggered an affected device to download a Linux shell script named Install.sh from a remote server on the malicious domain sophosfirewallupdate[.]com. The command also wrote this shell script to the /tmp directory on the device, used the chmod program to designate the file as executable, and executed it.
The script (written to the appliance as x.sh) ran a series of SQL commands and dropped additional files into the virtual file system to lay the groundwork for the rest of the attack.
The Install.sh script began by running a number of PostgreSQL commands that modified or zeroed out values in certain database tables, one of which normally holds the device's own administrative IP address as shown in the management UI. This appears to have been an attempt to conceal the attack, but it backfired: on some appliances, the script's changes caused the attacker's own injected SQL command line to be displayed in the firewall's administrative panel. In the field that should have shown an address, it showed a line of shell commands.
This script also dropped at least two other shell scripts into the /tmp directory, and modified at least one shell script that is part of the firewall’s operating system to add a set of commands to the end of the script. This last script, in particular, is relevant because the malware modified services to ensure it ran every time the firewall boots up; it served as a roundabout persistence mechanism for the malware.

The three shell ELF game


The installer script, x.sh, dropped two completely new shell scripts, and modified an existing script that’s part of the operating system.
One of the dropped shell scripts was named .lp.sh; its primary function was to connect to the malicious sophosfirewallupdate site and download a Linux ELF executable, compiled to run on the firewall operating system, which was named lp on the server. The script wrote the downloaded file to /tmp with the filename b.
The b program, when run, deleted itself from the filesystem of the device, so it was present only in memory. It appeared in the process list under the name cssconf.bin, one character off from cscconf.bin, a legitimate process that normally runs on the firewall. (The original post includes a process listing from an infected firewall with the malicious process highlighted.) It is also notable that its parent process ID was 1 (init), which the legitimate cscconf.bin would never have.
While b was in memory, it repeated a series of tasks every 3 to 6 hours, with the delay interval chosen at random the first time it ran and reused thereafter.
First, b checked whether it could make a connection to the IP address 43.229.55.44. If it could not, it attempted to resolve the malicious domain sophosproductupdate[.]com.
If the domain resolved, and DNS did not return 127.0.0.1 (presumably a check for a sinkholed or locally blocked domain), b downloaded another Linux ELF executable called sophos.dat, which we discuss in the next section.
The second shell script dropped by Install.sh/x.sh was written to /tmp as .pg.sh. Its main purpose was to download a second, different ELF executable, which was called bk on the web server and was written to the filesystem as /var/newdb/global/.post_MI.
Earlier we mentioned that Install.sh, the first-stage dropper, ran a number of PostgreSQL commands. One of these modified a specific service value entry so that .post_MI executed whenever that service ran; this provided persistence by starting the malware at every reboot.
.post_MI itself had limited functionality: it checked whether a file named .a.PGSQL (more on this in a minute) had been written to /tmp, and if it did not find it, it attempted to download a shell script named patch.sh from a web server at ragnarokfromasgard[.]com. At the time we analyzed the attack, that server was not responding.
The third shell script is a modification of a shell script that is already part of the firewall’s internal operating system, named generate_curl_ca_bundle.sh. The Install.sh/x.sh script made a backup copy of the original (prepending a dot to the filename, .generate_curl_ca_bundle.sh) before it modified the original script to append code to the file. That code writes out and drops yet another shell script, /tmp/I (just a capital letter i).
The I script had two primary functions. First, it touched /tmp/.a.PGSQL, creating the file if it did not already exist; the previously mentioned .post_MI executable checks for this file as part of its execution.
I then retrieved a shell script named lc from the sophosfirewallupdate domain, wrote it to /tmp as .n.sh, and executed it. This script replicated the behavior of .lp.sh (described above) and attempted to download and execute the b ELF executable from the malicious sophosfirewallupdate website. Re-downloading b at every boot through this chain is what kept the malware running, since the b process deletes itself from disk as one of its first actions.

Data exfiltration process


Note: This section describes our understanding of the data exfiltration capabilities of the malware at the time of publication of this article, but we have not discovered any evidence that the data collected have been successfully exfiltrated.
The steps involving the shell scripts and ELF binary executables apparently were done in order to bring the attack to the point where the malware downloaded and executed a file that had been named Sophos.dat on the remote server, saved to the filesystem as 2own.
This malware’s primary task appeared to be data theft, which it could perform by retrieving the contents of various database tables stored in the firewall, as well as by running some operating system commands. At each step, the malware collected information and then concatenated it to a file it stored temporarily on the firewall with the name Info.xg.
First, the binary attempted to learn the public-facing IP address of the firewall. It did this by querying the website ifconfig.me and, if that site was unreachable for some reason, by contacting checkip.dyndns.org instead.
Next, it queried a number of data storage areas on the firewall to retrieve information about the firewall and its users.
The diagram in the original post illustrates the malware's ability to exfiltrate data. As of the date of publication, we have not discovered any evidence that the data collected have been successfully exfiltrated.
The malware can retrieve only firewall-resident information, which may include:
  • The firewall’s license and serial number
  • A list of the email addresses of user accounts that are stored on the device, followed by the primary email belonging to the firewall’s administrator account
  • Firewall users’ names, usernames, the encrypted form of the passwords, and the salted SHA256 hash of the administrator account’s password. Passwords were not stored in plain text.
  • A list of the user IDs permitted to use the firewall for SSL VPN and accounts that are permitted to use a “clientless” VPN connection.
The malware then queried an internal database of the firewall to retrieve a list of the IP address allocation permissions for the users of the firewall, as well as information about the appliance itself: What version of the operating system is running, what type of CPU and amount of memory is present on the device; how long has it been operational since the last reboot (the ‘uptime’); and the output of the ifconfig and ARP tables.
Once the malware had written all this information to Info.xg, it packaged the file into a tar archive and used OpenSSL to encrypt the archive with Triple-DES, using the word GUCCI, in capital letters, as the passphrase. The malware then attempted to upload the encrypted file to a machine at the IP address 38.27.99.69, and cleaned up after itself by deleting the files it had created while collecting the information. Because the passphrase is hard-coded, a responder who recovers the encrypted archive (from the /tmp files listed in the IoCs, or from a packet capture of the upload attempt) can decrypt it with the same cipher and passphrase and see exactly what was collected.
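As an added example, not part of Sophos's write-up, the following Python matches the network indicators from the IoC section against DNS and connection logs, applying the two behavioral details from the sections above: a sinkholed 127.0.0.1 answer for one of the domains means b skipped its download, but the host that asked is still infected; and a lookup of ifconfig.me or checkip.dyndns.org from an appliance is only a weak signal by itself. The key=value log format, the source addresses and the sample lines are constructed for the example; adapt parse_kv() to your own log format.

```python
"""Match Asnarok network indicators against DNS and connection logs.

Added example (not Sophos code). The log format and sample lines are
constructed; the domains and IPs are those from the IoC section.
"""
import re
from urllib.parse import urlsplit

IOC_DOMAINS = {
    "sophosfirewallupdate.com", "filedownloaderservers.com",
    "ragnarokfromasgard.com", "sophosenterprisecenter.com",
    "sophoswarehouse.com", "sophosproductupdate.com", "sophostraining.org",
    # "additional suspicious domains" from the IoC list
    "filedownloaderserverx.com", "filedownloaderserver.com",
    "updatefileservercross.com",
}
IOC_IPS = {"43.229.55.44", "38.27.99.69"}
# 2own asks these services for the firewall's public IP. An appliance doing
# so is unusual but not malicious on its own, so it only rates "low".
IP_ECHO_HOSTS = {"ifconfig.me", "checkip.dyndns.org"}
SINKHOLE = "127.0.0.1"   # b skips the download when DNS answers with this

KV = re.compile(r"(\w+)=(\S+)")


def refang(indicator):
    """Turn a defanged indicator (hxxp://, [.]) back into a matchable one."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


def host_of(url):
    """Hostname of a (possibly defanged) URL, lower-cased."""
    return (urlsplit(refang(url)).hostname or "").lower()


def domain_match(name, indicators):
    """Return the indicator that name equals or is a subdomain of, else None."""
    name = name.lower().rstrip(".")
    for d in indicators:
        if name == d or name.endswith("." + d):
            return d
    return None


def parse_kv(line):
    """Constructed key=value log syntax; replace for a real log source."""
    return dict(KV.findall(line))


def classify(line):
    """Return (severity, src, reason) for an Asnarok-related line, else None."""
    f = parse_kv(line)
    src, kind = f.get("src", "?"), f.get("type")
    if kind == "dns":
        qname = f.get("qname", "")
        if domain_match(qname, IOC_DOMAINS):
            # A sinkholed answer means the download was blocked, but the
            # host that asked is still infected: report it either way.
            note = " (sinkholed)" if f.get("answer") == SINKHOLE else ""
            return ("high", src, f"dns lookup {qname}{note}")
        if domain_match(qname, IP_ECHO_HOSTS):
            return ("low", src, f"public-IP lookup {qname}")
    elif kind == "conn":
        if f.get("dst") in IOC_IPS:
            return ("high", src, f"connection to {f['dst']}")
        if domain_match(f.get("host", ""), IOC_DOMAINS):
            return ("high", src, f"connection to {f['host']}")
    return None


def scan(lines):
    """All hits, in log order."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log (RFC 5737 addresses; the last line invents a
# subdomain purely to exercise the subdomain match).
SAMPLE_LOG = """\
2020-04-22T03:14:07Z type=conn src=192.0.2.10 dst=43.229.55.44 dport=443 proto=tcp
2020-04-22T03:14:09Z type=dns src=192.0.2.10 qname=sophosproductupdate.com answer=127.0.0.1
2020-04-22T03:20:11Z type=dns src=192.0.2.10 qname=ifconfig.me answer=198.51.100.7
2020-04-22T03:20:15Z type=conn src=192.0.2.10 dst=38.27.99.69 dport=443 proto=tcp
2020-04-22T03:21:00Z type=dns src=192.0.2.77 qname=www.example.com answer=198.51.100.9
2020-04-22T03:22:00Z type=conn src=192.0.2.10 dst=198.51.100.5 dport=443 host=cdn.sophosfirewallupdate.com
""".splitlines()

if __name__ == "__main__":
    for severity, src, reason in scan(SAMPLE_LOG):
        print(f"{severity:5} {src:12} {reason}")
```

The subdomain test uses a dot boundary on purpose: notsophosfirewallupdate.com must not match, while anything under sophosfirewallupdate.com must. Every hit is reported with the source address so that a single appliance beaconing to 43.229.55.44 every few hours stands out from the rest of the log.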

Remediation and response


Files associated with this attack have been added to the definition Linux/Agnt-G and domains and IP addresses have been flagged as malicious in the SophosXL domain reputation service.
A hotfix update has already been released to Sophos customers to plug the hole used by the attackers to access the firewalls. If you don’t have automatic updates enabled in the firewall, please follow these instructions to enable them.
Since the attack was discovered, Sophos has taken a number of steps, which we can summarize as follows: SophosLabs blocked domains found in initial forensic analysis of the attack, and later identified and blocked additional domains and IP addresses associated with the attack. We notified customers about mitigation steps. We issued a telemetry update to firewalls; and we designed, developed, and tested a hotfix to mitigate the SQL injection and this attack, and then pushed the hotfix to supported devices. Sophos also has submitted a request for a CVE and will add the CVE number to the knowledge base article once available. We have also taken additional actions that fall outside the scope of this article.
While the best source of information for sysadmins will be the Sophos knowledge base entry on this issue, there are a few steps Sophos customers can take immediately to prevent this from happening to firewall appliances.
This issue has manifested itself on systems that have exposed the HTTPS admin service or the User Portal on the WAN interface. Community manager Marco Ginoccio writes: “To prevent this issue, choose the Administration link on the left-hand navigation panel of the management console, then click the Device Access page illustrated below. Customers must ensure that both Admin services and User Portal are deactivated on the WAN interface as highlighted:”

Indicators of Compromise (IoCs)


File indicators


Network indicators


URLs


  • hxxps://sophosfirewallupdate.com/sp/Install.sh
  • hxxp://sophosfirewallupdate.com/sh_guard/lc
  • hxxps://sophosfirewallupdate.com/bk
  • hxxps://sophosfirewallupdate.com/sp/lp
  • hxxps://ragnarokfromasgard.com/sp/patch.sh
  • hxxps://sophosfirewallupdate.com/sp/sophos.dat
  • hxxps://sophosfirewallupdate.com/in_exit
  • hxxps://sophosfirewallupdate.com/sp/lpin
  • hxxp://sophosfirewallupdate.com/bkin
  • hxxp://filedownloaderservers.com/bkin
  • hxxps://sophosfirewallupdate.com/sp/p.sh
  • hxxps://sophosfirewallupdate.com/sp/ae.sh

Domains


  • sophosfirewallupdate.com
  • filedownloaderservers.com
  • ragnarokfromasgard.com
  • sophosenterprisecenter.com
  • sophoswarehouse.com
  • sophosproductupdate.com
  • sophostraining.org

Additional suspicious domains


  • filedownloaderserverx.com
  • filedownloaderserver.com
  • updatefileservercross.com

IPs


  • 43.229.55.44
  • 38.27.99.69

Filesystem paths


  • /tmp/x.sh
  • /var/newdb/global/.post_MI
  • /scripts/vpn/ipsec/generate_curl_ca_bundle.sh (modified)
  • /scripts/vpn/ipsec/.generate_curl_ca_bundle.sh (backup of the original)
  • /tmp/I
  • /tmp/.a.PGSQL
  • /tmp/.n.sh
  • /tmp/.pg.sh
  • /tmp/.lp.sh
  • /tmp/b
  • /tmp/2own
  • /tmp/Info.xg
  • /tmp/%s_.xg.rel
  • /tmp/%s_.xg.salt
  • /tmp/ip (result of http://checkip.dyndns.org/ip_dyn)
  • /tmp/ip_dyn (result of https://ifconfig.me/ip)
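As an added example, not part of the original write-up, here is a Python hunt script for the on-disk and process artifacts described in the "three shell ELF game" section and listed above. It assumes a responder has copied the appliance's /tmp, /scripts and /var/newdb trees under one snapshot root and saved a `ps -eo pid,ppid,comm` listing to a file; the snapshot it builds for itself and the ps output are constructed stand-ins (the appended shell code in the sample is a placeholder, not the real payload). It applies two checks from the analysis: the modified generate_curl_ca_bundle.sh names /tmp/I and should be the backed-up original with code appended, and a process named one character off from cscconf.bin, or the real cscconf.bin with PPID 1, is a sign of b running in memory.

```python
"""Hunt for Asnarok on-disk and process artifacts in an exported snapshot.

Added example (not Sophos code). Paths come from the IoC list; the
sample snapshot and ps output are constructed for the example.
"""
import tempfile
from pathlib import Path

# Files the attack drops, relative to the appliance root.
DROPPED_PATHS = [
    "tmp/x.sh", "tmp/I", "tmp/.a.PGSQL", "tmp/.n.sh", "tmp/.pg.sh",
    "tmp/.lp.sh", "tmp/b", "tmp/2own", "tmp/Info.xg", "tmp/ip", "tmp/ip_dyn",
    "var/newdb/global/.post_MI",
    "scripts/vpn/ipsec/.generate_curl_ca_bundle.sh",   # backup made by x.sh
]
# /tmp/%s_.xg.rel and /tmp/%s_.xg.salt carry a runtime prefix; match by suffix.
PREFIXED_SUFFIXES = ("_.xg.rel", "_.xg.salt")
MODIFIED_SCRIPT = "scripts/vpn/ipsec/generate_curl_ca_bundle.sh"
BACKUP_SCRIPT = "scripts/vpn/ipsec/.generate_curl_ca_bundle.sh"
LEGIT_PROC = "cscconf.bin"


def scan_filesystem(root):
    """Return (kind, detail) tuples for every Asnarok artifact under root."""
    root = Path(root)
    hits = [("dropped_file", rel) for rel in DROPPED_PATHS if (root / rel).exists()]
    tmp = root / "tmp"
    if tmp.is_dir():
        for p in sorted(tmp.iterdir()):
            if p.name.endswith(PREFIXED_SUFFIXES):
                hits.append(("dropped_file", "tmp/" + p.name))
    script, backup = root / MODIFIED_SCRIPT, root / BACKUP_SCRIPT
    if script.is_file():
        body = script.read_bytes()
        # The appended code writes out /tmp/I; a clean script never names it.
        if b"/tmp/I" in body:
            hits.append(("modified_script", MODIFIED_SCRIPT))
        # x.sh backs up the original before appending, so the backup should be
        # a strict prefix of the modified script; report how much was added.
        if backup.is_file():
            orig = backup.read_bytes()
            if body.startswith(orig) and len(body) > len(orig):
                hits.append(("appended_code",
                             f"{MODIFIED_SCRIPT} (+{len(body) - len(orig)} bytes)"))
    return hits


def lookalike_name(name, legit):
    """True for a name one substitution away from legit (cssconf vs cscconf)."""
    return (name != legit and len(name) == len(legit)
            and sum(a != b for a, b in zip(name, legit)) == 1)


def scan_process_list(ps_text):
    """Flag b's lookalike process name, and the legitimate name with PPID 1."""
    hits = []
    for line in ps_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[0].isdigit():
            continue                      # header or malformed line
        pid, ppid, comm = parts
        if lookalike_name(comm, LEGIT_PROC):
            hits.append(("lookalike_process", f"{comm} pid={pid} ppid={ppid}"))
        elif comm == LEGIT_PROC and ppid == "1":
            hits.append(("orphaned_cscconf", f"{comm} pid={pid} ppid=1"))
    return hits


def build_sample_snapshot():
    """Constructed snapshot for the example: plants a subset of the artifacts."""
    root = Path(tempfile.mkdtemp(prefix="asnarok_"))
    for d in ("tmp", "scripts/vpn/ipsec", "var/newdb/global"):
        (root / d).mkdir(parents=True)
    original = b"#!/bin/sh\n# constructed stand-in for the real CA-bundle script\n"
    (root / BACKUP_SCRIPT).write_bytes(original)
    # Constructed stand-in for the appended code, not the real payload.
    (root / MODIFIED_SCRIPT).write_bytes(original + b"echo placeholder > /tmp/I\nsh /tmp/I\n")
    (root / "tmp/.a.PGSQL").touch()
    (root / "tmp/.lp.sh").write_bytes(b"# constructed placeholder\n")
    (root / "tmp/ABC123_.xg.salt").write_bytes(b"\x00" * 8)
    (root / "var/newdb/global/.post_MI").write_bytes(b"\x7fELF")
    return root


# Constructed `ps -eo pid,ppid,comm` output for the example.
SAMPLE_PS = """\
  PID  PPID COMMAND
    1     0 init
  640     1 sysd
  812     1 cssconf.bin
  815   640 cscconf.bin
  903     1 cscconf.bin
"""

if __name__ == "__main__":
    findings = scan_filesystem(build_sample_snapshot()) + scan_process_list(SAMPLE_PS)
    for kind, detail in findings:
        print(f"{kind:18} {detail}")
```

Run it against a real export by calling scan_filesystem() with the snapshot root and scan_process_list() with the saved ps output. Any dropped_file hit is conclusive; a modified_script hit without a backup means the script was tampered with by some other route and deserves a manual diff against a known-good firmware copy.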


Originally published at https://news.sophos.com on April 27, 2020.
