Hackers Attempted to Deploy Ransomware in Attacks Targeting Sophos Firewalls

Malicious actors targeting a zero-day vulnerability in Sophos XG Firewall appliances last month attempted to deploy ransomware after Sophos started taking measures to neutralize the attack.
One of the files deployed by the attackers was meant to act as a "dead man switch", launching a ransomware attack if a specific file was deleted on unpatched firewalls during a reboot or power-cycle, the security company reveals.
Because the deployed patches would address the vulnerability and remove malicious code without a reboot, the ransomware attack was not triggered.
Realizing that, the adversary decided to change some of the previously deployed shell scripts, and even replaced one of them with the ransomware payload. "At that point, the attackers intended to deliver the ransomware without requiring the firewall to reboot - but Sophos had already taken additional steps to intervene that disrupted this phase of the attack," the security company says.
The IP address hosting the domain and serving the hotfix payload was involved in attacks going back to 2018, and is associated with a threat actor known as NOTROBIN. After realizing that the so-called dead man switch did not work, the attackers replaced a script downloading an exfiltration tool named 2own with a script set up to download an ELF binary that in turn fetched the ransomware.