
How Asnarök Malware Exploited a Vulnerability in Sophos XG Firewalls



Recently, the Asnarök malware was found to have exploited a security vulnerability in Sophos XG firewalls. Asnarök, a data-stealing malware, caught Sophos firewall customers by surprise when it was found exploiting a zero-day vulnerability in the XG Firewall product. On April 22, 2020, Sophos received reports of suspicious activity involving field values in the management interface, which it identified as an attempted attack against physical and virtual XG Firewall units. The attack revealed a previously unknown zero-day SQL injection vulnerability in some of its firewall products, which could lead to remote code execution. Sophos immediately released a hotfix to patch the vulnerability, along with details about the attack.

Past Attacks on Sophos Security Products
This is not the first time Sophos security products have been found vulnerable to cyber attacks.

In October 2019, vulnerabilities were found in Sophos Cyberoam firewall appliances that could allow attackers to remotely gain root permissions on any vulnerable device. In April 2010, Sophos fixed three vulnerabilities in its Unified Threat Management platform that affected user enumeration, cookie expiration, and inbound email handling.

In October 2018, two vulnerabilities were discovered in Sophos HitmanPro Alert, the company's malware detection and protection tool. One allowed an attacker to read kernel memory contents, while the other allowed code execution and privilege escalation. In June 2018, several vulnerabilities were found in Sophos SafeGuard full-disk and file encryption products that could allow an attacker to escalate privileges on a compromised device and execute arbitrary code with SYSTEM permissions.

Past Security Vulnerabilities
Sophos is not the only security vendor dealing with vulnerabilities in its own products. In the past, several major security vendors have patched vulnerabilities in security products that were in active use.

In December 2019, vulnerabilities were discovered in Trend Micro Maximum Security and in Kaspersky Secure Connection, the VPN client bundled with various Kaspersky applications, including Security Cloud, Internet Security, Anti-Virus, Total Security, and Kaspersky Free. Before that, security vulnerabilities were found in antivirus and endpoint products from McAfee (November 2019), Symantec Endpoint Protection (November 2019), Avast and Avira (October 2019), Forcepoint VPN Client (September 2019), Bitdefender Antivirus Free (August 2019), and Check Point Endpoint Security (August 2019).

Vulnerabilities in all of these products show that security products are software like any other, and just as prone to exploitable flaws. A few quick recommendations to further reduce the risk:

• Keep security products updated with the latest patches and, wherever possible, enable automatic updates so that fixes for known threats are applied immediately.
• Use a layered security architecture: combining multiple, independent security products helps ensure that no single product failure exposes the whole technology stack.

Sophos firewall users who have automatic updates enabled on their devices receive the emergency hotfix without any manual action. However, since it is difficult to keep up with the volume and variety of zero-day exploits, companies should also consider how artificial intelligence (AI) technologies can help augment the work of IT security teams.
