Asnarök

Posted: April 28, 2020

It is not every day that we see cybercriminals exploit vulnerabilities in security products and then use those vulnerabilities to collect information from their victims. However, this is exactly the case with the Asnarök Trojan, a new cyber-threat that has been going after physical and virtual hardware associated with the security vendor Sophos. While the creators of Asnarök have only managed to exploit a specific firewall so far, it is entirely possible that they may opt to go after other security vendors in the future as well. The best way to keep your network secure against such attacks is to apply regular updates to all security software and hardware.

The attack seems to be executed by scanning the Internet for accessible firewall services and then using a zero-day remote code execution (RCE) exploit that allows remote attackers to execute arbitrary code on the vulnerable host. In this case, the attackers have opted to use the RCE vulnerability to run a series of commands that download Linux shell scripts, which are then used to build the malware installer.

Asnarök also changes the firewall's software configuration to ensure that the payload runs again if the software or hardware is restarted. Finally, Asnarök gets to its primary goal: harvesting firewall usernames and protected passwords, which are then sent to the control server.

Thankfully, the Asnarök campaign was caught quickly by the attacked security vendors, and they appear to have taken the required measures to protect their customers and eradicate the vulnerability. The fact that even high-profile security vendors are becoming targets of cybercriminals is proof that it is always a good investment to purchase and implement new and enhanced security measures that can keep you safe online.
