CISA warns that threat actors are targeting "a known, previously patched vulnerability" in SonicWall Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life firmware.
As the US federal agency also added, attackers can exploit this security vulnerability as part of a targeted ransomware attack.
This alert comes after SonicWall issued an “urgent security advisory” and sent emails warning customers of the “imminent risk of a targeted ransomware attack.”
While the company described the risk of ransomware attacks as imminent, Coveware CEO Bill Siegel confirmed CISA's warning, saying the campaign is already ongoing.
CISA urges users and administrators to review the SonicWall security notice and either update their devices to the latest firmware or immediately disconnect all devices that have reached the end of their useful life.
"Update to the latest SonicWall firmware and disconnect EOL SonicWall devices as soon as possible. Failure to follow SonicWall instructions can lead to targeted ransomware attacks. Read more at https://t.co/ji96tw5Md4 #Cybersecurity #InfoSec #Ransomware"
– US-CERT (@USCERT_gov) July 15, 2021
HelloKitty ransomware: one of the groups behind these attacks
While CISA and SonicWall did not disclose the identity of the threat actors behind these attacks, a cybersecurity industry source told BleepingComputer that HelloKitty has been exploiting the vulnerability for the past few weeks.
Cybersecurity firm CrowdStrike also confirmed to BleepingComputer that the ongoing attacks are attributed to multiple threat actors, including HelloKitty.
HelloKitty is a human-operated ransomware operation active since November 2020, best known for encrypting CD Projekt Red's systems and claiming to have stolen the source code of Cyberpunk 2077, The Witcher 3, Gwent, and other games.
Even though neither the CISA warning nor the SonicWall advisory named the bug used to compromise unpatched and EOL SMA and SRA products, CrowdStrike security researcher Heather Smith told BleepingComputer yesterday that the specific vulnerability is tracked as CVE-2019-7481.
“This exploit is targeting a long-known vulnerability that was patched in newer versions of firmware released in early 2021,” SonicWall said in an emailed statement.
However, Heather Smith and Hanno Heinrichs of CrowdStrike said in a report published last month that "CrowdStrike Services incident response teams identified cybercrime actors who are exploiting an earlier SonicWall VPN vulnerability, CVE-2019-7481, affecting Secure Remote Access (SRA) 4600 devices."
SonicWall credited the two security researchers with reporting the actively exploited flaw in a security notice issued yesterday.
According to a Coveware report, Babuk ransomware also targets SonicWall VPNs that are likely vulnerable to CVE-2020-5135 exploits. That vulnerability was fixed in October 2020, but even today "it is abused a lot by ransomware groups," according to Coveware.
Ransomware vs. SonicWall Devices
A threat group tracked by Mandiant as UNC2447 has also exploited the CVE-2021-20016 zero-day bug in SonicWall SMA 100 series VPN devices to deploy a new ransomware strain known as FiveHands (a DeathRansom variant, like HelloKitty).
Their attacks hit organizations in North America and Europe before SonicWall released patches in late February 2021.
The zero-day itself was also abused in January in attacks targeting SonicWall's internal systems and was later exploited indiscriminately in the wild.
Mandiant threat analysts discovered three other zero-day vulnerabilities in SonicWall's hosted and on-premises Email Security (ES) products in March.
These three zero-days were also actively exploited by a group Mandiant tracks as UNC2682 to backdoor systems using BEHINDER web shells, allowing them to move laterally through victims' networks and access emails and files.
"The adversary exploited these vulnerabilities, with in-depth knowledge of the SonicWall application, to install a backdoor, access files and emails, and move laterally into the victim organization's network," the Mandiant researchers said at the time.