Sigma Rule: Sophos Firewall Asnarok Malware Campaign

An emergency security update for Sophos XG Firewall was released this Saturday. The update patches a zero-day SQL injection remote code execution vulnerability that is actively exploited in the wild. It allows cybercriminals to compromise Sophos firewalls via their management interface and deploy Asnarok malware. The Trojan steals the firewall’s license and serial number, user emails, admin’s salted SHA256 hash, and encrypted passwords. To protect your organization from the threat, make sure that automatic installation of hotfixes is enabled on your firewall: https://community.sophos.com/kb/en-us/135415

Our SOC team released a Sigma rule based on the IOCs published in Sophos’ security advisory. You can use it to find traces of the malware and determine whether your XG Firewall was compromised. Use Uncoder to convert the Sigma rule into detection content for the security platform you run. You can also review the rule, with all available translations, in Threat Detection Marketplace: https://tdm.socprime.com/tdm/info/RN0oGcnrZfoU/HYulvHEB1-hfOQirCe1I/#

Link to Uncoder: https://uncoder.io/

Uncoder user guide is here: https://socprime.com/en/blog/uncoder-io-user-guide/

Sigma:

title: Sophos Firewall Asnarok Malware Campaign (IOC)
status: stable
description: In April 2020, Sophos firewalls were targeted by an actor using a 0-day SQLi exploit to compromise Sophos firewalls via their management interface. The malware delivered has been named "asnarok".
references:
    - https://news.sophos.com/en-us/2020/04/26/asnarok/
author: SOC Prime Team
logsource:
    category: any
detection:
    keyword:
        - '736da16da96222d3dfbb864376cafd58239344b536c75841805c661f220072e5'
        - 'a226c6a641291ef2916118b048d508554afe0966974c5ca241619e8a375b8c6b'
        - '4de3258ebba1ef3638642a011020a004b4cd4dbe8cd42613e24edf37e6cf9d71'
        - '9650563aa660ccbfd91c0efc2318cf98bfe9092b4a2abcd98c7fc44aad265fda'
        - '8e9965c2bb0964fde7c1aa0e8b5d74158e37443d857fc227c1883aa74858e985'
        - '31e43ecd203860ba208c668a0e881a260ceb24cb1025262d42e03209aed77fe4'
        - '/sp/sophos.dat'
        - '.post_MI'
        - 'filedownloaderserverx.com'
        - 'filedownloaderserver.com'
        - 'updatefileservercross.com'
        - '43.229.55.44'
        - '38.27.99.69'
        - 'sophosfirewallupdate.com'
        - 'filedownloaderservers.com'
        - 'ragnarokfromasgard.com'
        - 'sophosenterprisecenter.com'
        - 'sophoswarehouse.com'
        - 'sophosproductupdate.com'
        - 'sophostraining.org'
    condition: keyword
falsepositives:
    - this rule could trigger on IOC data from threat intelligence feeds
level: critical
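The rule above is a plain keyword list: in Sigma, a keyword block matches when any listed string occurs as a case-insensitive substring anywhere in the raw event, regardless of field. The script below is an added example (not SOC Prime's code and not a Sigma engine) that applies the same semantics to a handful of constructed log lines, so you can see what a hit looks like, how the hash, path, IP and domain indicators are distinguished, and why the false-positive note matters: the last sample line is a threat-intelligence ingestion record that carries one of the hashes and therefore fires too. The IOC strings are copied from the rule; the log lines, hostnames and timestamps are made up for the demonstration.

```python
"""Keyword-IOC sweep with Sigma 'keyword' semantics (added example, not the rule's engine)."""
import re
from typing import Dict, List

# IOC strings copied from the Sigma rule's keyword list above.
ASNAROK_IOCS = [
    "736da16da96222d3dfbb864376cafd58239344b536c75841805c661f220072e5",
    "a226c6a641291ef2916118b048d508554afe0966974c5ca241619e8a375b8c6b",
    "4de3258ebba1ef3638642a011020a004b4cd4dbe8cd42613e24edf37e6cf9d71",
    "9650563aa660ccbfd91c0efc2318cf98bfe9092b4a2abcd98c7fc44aad265fda",
    "8e9965c2bb0964fde7c1aa0e8b5d74158e37443d857fc227c1883aa74858e985",
    "31e43ecd203860ba208c668a0e881a260ceb24cb1025262d42e03209aed77fe4",
    "/sp/sophos.dat",
    ".post_MI",
    "filedownloaderserverx.com",
    "filedownloaderserver.com",
    "updatefileservercross.com",
    "43.229.55.44",
    "38.27.99.69",
    "sophosfirewallupdate.com",
    "filedownloaderservers.com",
    "ragnarokfromasgard.com",
    "sophosenterprisecenter.com",
    "sophoswarehouse.com",
    "sophosproductupdate.com",
    "sophostraining.org",
]

_SHA256 = re.compile(r"^[0-9a-f]{64}$")
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def ioc_type(ioc: str) -> str:
    """Classify an indicator so a triage note can say what kind of artefact hit."""
    if _SHA256.match(ioc):
        return "sha256"
    if _IPV4.match(ioc):
        return "ipv4"
    if ioc.startswith("/") or ioc.startswith("."):
        return "path"
    return "domain"


def match_keywords(event: str, iocs: List[str] = ASNAROK_IOCS) -> List[str]:
    """Sigma keyword semantics: case-insensitive substring match on the whole raw event."""
    lowered = event.lower()
    return [ioc for ioc in iocs if ioc.lower() in lowered]


def scan_logs(lines: List[str], iocs: List[str] = ASNAROK_IOCS) -> List[Dict[str, object]]:
    """Return one hit record per event that matched at least one indicator."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        matched = match_keywords(line, iocs)
        if matched:
            hits.append({
                "line": lineno,
                "iocs": matched,
                "types": sorted({ioc_type(m) for m in matched}),
                "event": line.rstrip(),
            })
    return hits


# Constructed sample events (hypothetical hosts, addresses and timestamps, not real telemetry).
SAMPLE_LOGS = [
    "2020-04-26T03:14:07Z dns-resolver query from 10.0.0.5: SOPHOSFIREWALLUPDATE.COM type A",
    "2020-04-26T03:14:09Z fw-xg outbound tcp 10.0.0.5:51422 -> 43.229.55.44:80 allowed",
    "2020-04-26T03:14:10Z fw-xg outbound tcp 10.0.0.7:44112 -> 203.0.113.10:443 allowed",
    "2020-04-26T03:15:01Z fw-xg fs-audit write /sp/sophos.dat by uid=0",
    "2020-04-26T03:15:02Z fw-xg fs-audit exec /tmp/.post_MI by uid=0",
    # Threat-intel feed ingestion record: matches a hash, which is the false positive the rule warns about.
    "2020-04-26T04:00:00Z ti-ingest imported indicator 736da16da96222d3dfbb864376cafd58239344b536c75841805c661f220072e5 from feed",
]


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['types']} {hit['iocs']}")
        print(f"    {hit['event']}")
```

Five of the six constructed lines fire: the uppercase DNS query still matches because keyword matching is case-insensitive, and the threat-intel ingestion line matches on the hash even though no firewall was touched, which is why a hit should be read alongside the log source before it is treated as a compromise. Only the connection to the unrelated address passes clean.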