Ransomware gangs are increasingly going after SonicWall devices

Over the course of the last few months, cybercrime groups have increasingly targeted SonicWall devices in order to breach corporate networks and deploy ransomware.

The attacks come after enterprise-grade networking equipment from Citrix, F5, Pulse Secure, Fortinet, and Palo Alto Networks was abused in a similar manner across 2019 and 2020, with enterprise VPNs and network gateways representing a popular entry point for ransomware gangs.

But as these systems got patched, cybercrime groups also started looking for the next equipment they could target.

According to reports published in April (by Mandiant) and this week (by CrowdStrike), threat actors appear to have found a new target in SonicWall devices.

Per the two reports, during the first half of the year, threat actors scanned the internet and relied on exploits for two vulnerabilities to hijack SonicWall equipment.

This included attacks against SonicWall SRA VPN servers using an older 2019 exploit (CVE-2019-7481) and attacks against SonicWall SMA network gateways using a bug that was patched in February this year (CVE-2021-20016).

Final payloads in these attacks included the HelloKitty, FiveHands, and Darkside ransomware strains, according to Mandiant.

However, taking into account how often ransomware gangs jump from one Ransomware-as-a-Service (RaaS) affiliate program to another, detecting the final payload in these attacks is often counterproductive.

Instead, in a blog post on Tuesday, CrowdStrike urged companies to apply patches or at least add two-factor authentication support to SonicWall systems.

Successful attacks spotted against already-patched systems

Furthermore, Crowdstrike researchers Heather Smith and Hanno Heinrichs also said they observed successful attacks leveraging the 2019 bug against already-patched devices, running SRA VPN firmware version 9.0.0.5, suggesting the threat actors found a way to bypass SonicWall's initial fixes.

But, there is also some good news for companies still using the older legacy SRA VPN devices. Crowdstrike said that SonicWall SRA VPN owners could apply the 10.x firmware versions, which are compatible with older devices and which SonicWall released this February after the CVE-2021-20016 vulnerability was used against its own internal network.

Nevertheless, the security firm suggested that companies also look into replacing the older SRA VPN equipment with newer devices, which are supported and receive patches on a more regular basis.

The gist here is that there's been a significant shift in threat actor operations since 2019, when ransomware gangs seem to have abandoned spear-phishing email-based attacks in favor of targeting edge networking devices. Since then, these attacks have become widespread and have been used by all types of threat actors, such as nation-state groups and not just ransomware gangs.

While some threat actors seem to target SonicWall devices for this particular stretch, they are also very likely to go after similar equipment from other enterprise vendors as well once a major vulnerability is discovered in their firmware that can be exploited remotely over the internet.