CISA, the Cybersecurity & Infrastructure Security Agency, disclosed that threat actors are apparently targeting “a known, previously patched, vulnerability” that was found in SonicWall Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products with end-of-life firmware.
CISA added that the attackers are able to exploit this security vulnerability as part of a targeted ransomware attack.
CISA is aware of threat actors actively targeting a known, previously patched, vulnerability in SonicWall Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware. Threat actors can exploit this vulnerability to initiate a targeted ransomware attack.
CISA encourages users and administrators to review the SonicWall security advisory and upgrade to the newest firmware or disconnect EOL appliances as soon as possible. Review the CISA Bad Practices webpage to learn more about bad cybersecurity practices, such as using EOL software, that are especially dangerous for organizations supporting designated Critical Infrastructure or National Critical Functions.
SonicWall recently issued an “urgent security notice” and warned its customers of an imminent risk of a targeted ransomware attack.
Through the course of collaboration with trusted third parties, SonicWall has been made aware of threat actors actively targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware in an imminent ransomware campaign using stolen credentials.
CISA urges users and administrators to review the SonicWall security notice and either upgrade their devices to the latest firmware or immediately disconnect all end-of-life appliances.
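The notice boils down to an inventory question: which SMA 100 / SRA appliances are still on 8.x firmware and must be upgraded or unplugged? The following triage script is an added example (not code from CISA or SonicWall); it assumes a constructed CSV inventory format and the "8.0.0.4-25sv" firmware string layout, and the model lists beyond the models the notice names are assumptions.

```python
"""Triage a SonicWall appliance inventory against the CISA notice.

Added example; assumes a CSV export with 'host', 'model', 'firmware'
columns (constructed format). Model names and the "8.0.0.4-25sv" version
layout are assumptions, not taken from the advisory.
"""
import csv
import io
import re

# Product families the CISA notice covers. Membership beyond the models the
# notice itself names (SMA 100 series, SRA 4600) is an assumption.
SMA_100_SERIES = {"SMA 200", "SMA 210", "SMA 400", "SMA 410", "SMA 500v"}
SRA_SERIES = {"SRA 1200", "SRA 1600", "SRA 4200", "SRA 4600"}

FW_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-\d+sv)?$")

def classify(model: str, firmware: str) -> str:
    """Return 'eol-8x', 'review', or 'ok' for one appliance."""
    if model not in SMA_100_SERIES | SRA_SERIES:
        return "ok"          # not an SMA 100 / SRA appliance: out of scope
    m = FW_RE.match(firmware.strip())
    if m is None:
        return "review"      # unknown or unparseable firmware: inspect by hand
    major = int(m.group(1))
    if major <= 8:
        return "eol-8x"      # 8.x or older: upgrade or disconnect per CISA
    return "ok"

def triage(inventory_csv: str) -> dict:
    """Group hosts by classification; 'eol-8x' hosts need upgrade/disconnect."""
    buckets = {"eol-8x": [], "review": [], "ok": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        buckets[classify(row["model"], row["firmware"])].append(row["host"])
    return buckets

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """host,model,firmware
vpn-east,SMA 400,8.0.0.4-25sv
vpn-west,SMA 410,10.2.1.0-17sv
legacy-ra,SRA 4600,8.0.0.11-31sv
branch-fw,TZ 570,7.0.1-5050
lab-sma,SMA 200,unknown
"""

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE).items():
        print(f"{bucket}: {hosts}")
```

Hosts in the "review" bucket deserve a manual check before being marked compliant, since an appliance that reports no version is as likely to be forgotten EOL hardware as a reporting glitch.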
At this time, neither CISA nor SonicWall has revealed the identity of the threat actors behind these attacks, but journalists from BleepingComputer were told by a source in the cybersecurity industry that the HelloKitty ransomware operation has been exploiting this vulnerability for the past few weeks.
The bug exploited to compromise the unpatched and EOL SMA and SRA products was not named in CISA's warning or in SonicWall's notice, but Heather Smith, a researcher at CrowdStrike (a Heimdal competitor), stated that the targeted vulnerability is tracked as CVE-2019-7481.
CrowdStrike Services incident response teams identified eCrime actors leveraging an older SonicWall VPN vulnerability, CVE-2019-7481, that affects Secure Remote Access (SRA) 4600 devices.
Ransomware Attacks Against SonicWall Devices
This is not the first time a SonicWall SMA 100 series vulnerability has been exploited to deploy ransomware: the CVE-2021-20016 zero-day in SonicWall SMA 100 series VPN appliances was previously used by a ransomware strain known as FiveHands against multiple North American and European victims.
Three other zero-day vulnerabilities in SonicWall products were disclosed back in March, after they had been actively exploited by a group tracked by Mandiant as UNC2682 to backdoor systems with BEHINDER web shells, which allowed the attackers to move laterally through victims' networks and access emails and files.
The adversary leveraged these vulnerabilities, with intimate knowledge of the SonicWall application, to install a backdoor, access files, and emails, and move laterally into the victim organization’s network.