Asnarök Malware Dents a Hole in Sophos XG Firewalls
Asnarök, the data-stealing malware, has left the customers of Sophos firewall stunned, after it was found exploiting a zero-day vulnerability in the XG Firewall product.
- On April 22, 2020, Sophos received some information about suspicious activities related to field values in the management interface, which was identified as an attempted attack against physical and virtual XG Firewall units.
- The attack revealed a previously unknown zero-day SQL injection vulnerability in some of its firewall products, which could lead to remote code execution.
- Sophos immediately released a hotfix to patch the vulnerability, along with details about the attack.
Not the first time
In the past, there have been a few occasions where Sophos security products were found vulnerable to attacks.
- In October 2019, vulnerabilities were found in Sophos Cyberoam firewall appliances, which could allow attackers to remotely gain root permissions on any vulnerable device.
- In April 2010, Sophos fixed three vulnerabilities in its Unified Threat Management platform, that were impacting processes like user enumeration, expiration of cookies, and inbound email handling.
- In October 2018, two vulnerabilities were discovered in Sophos HitmanPro Alert, the malware detection and protection tool. One vulnerability allowed an attacker to read kernel memory contents, while another flaw allowed code execution and privilege escalation.
- In June 2018, several vulnerabilities were found in Sophos SafeGuard full-disk and file encryption products, which could allow an attacker to escalate privileges on a compromised device and execute arbitrary code with SYSTEM permissions.
What about other security vendors?
Sophos is not the only security vendor facing the heat of product vulnerabilities. In the past, several major security vendors have patched vulnerabilities in their security products that were under active use.
- In December 2019, vulnerabilities were discovered in the Trend Micro Maximum Security and Kaspersky Secure Connection, a VPN client used with various Kaspersky applications, including Security Cloud, Internet Security, Anti-Virus, Total Security, and Kaspersky Free.
- Before that, security vulnerabilities were found in the antivirus products from McAfee (November 2019), Symantec Endpoint Protection (November 2019), Avast & Avira Products (October 2019), Forcepoint VPN Client (September 2019), Bitdefender Antivirus Free (August 2019), and Check Point Endpoint Security (August 2019).
- In March 2017, an attack called DoubleAgent was identified by the Israel-based Cybellum, that involved the Microsoft Application Verifier, and affected the products of a large number of security vendors, including Avast, AVG, Avira, Bitdefender, Trend Micro, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Panda, Quick Heal, and Symantec (Norton).
How to stay protected?
Vulnerabilities in all such products indicate that security products are also akin to any other kind of software product, and that they could be equally prone to cyber threats. Here are a few quick recommendations to further minimize the security risks:
- Keep the security products updated with the latest patches, and wherever possible, use automatic updates for such products to ensure immediate security from known threats.
- Leverage a layered security architecture, by using a combination of multiple security products can help ensure better security across the technology stack.