[German]Hackers have attempted to use a 0-day exploit in Sophos firewalls for attacks. However, the vendor responded quickly with a patch, and the attacks failed on updated systems.
The following tweet brought that case to my attention and ZDNet has published this article.
— Moix Security (@moixsec) May 23, 2020
The relevant update for the Sophos firewalls has probably been available since last week (21.5.2020).
Attacks in April 2020
The original attacks took place between 22 and 26 April 2020. In a report released at the time, Sophos said an attacker had discovered an SQL injection vulnerability (CVE-2020-12271) in the Sophos XG firewall.
The hackers then used zero-day to attack the PostgreSQL database server built into the firewall and install malware on the device. The original payload was a Trojan – which the company calls Asnarök. It collected files containing usernames and passwords for Sophos Firewall accounts. In addition, the attackers left two files that acted as backdoors, providing a way to control infected devices.
When Sophos became aware of the attack, the company promptly issued a fix. The attackers noticed this and probably panicked. They modified the attack routine to replace their original data theft payload and be able to demand a ransom. Further details can be found in the ZDNet article and this Sophos article.