Back in April this year, Mandiant noted that hackers are increasingly using SonicWall devices to infiltrate corporate networks and deploy ransomware. Now the CrowdStrike researchers have come to exactly the same conclusions .
Similar attacks began in 2019-2020 and typically affected enterprise-grade network equipment from Citrix, F5, Pulse Secure, Fortinet, and Palo Alto Networks. This is because corporate VPNs and network gateways have proven to be a convenient entry point into corporate networks for encryption operators.
However, the products of the manufacturers listed above were quickly updated, and attackers had to look for new vectors for their attacks. One of the suitable options turned out to be SonicWall devices, namely the vulnerability in SonicWall SRA VPN using the 2019 exploit ( CVE-2019-7481 ), as well as SonicWall SMA network gateways, where hackers exploit a bug fixed in February of this year ( CVE-2021- 20016 ).
According to Mandiant, the payloads in these attacks were usually ransomware, including HelloKitty, FiveHands, and DarkSide.
In turn, the Crowdstrike researchers write that they observed successful attacks using the 2019 bug even on devices with already patched firmware version 184.108.40.206. That is, the attackers seem to have found a way to bypass the patches released by SonicWall two years ago.
Experts reassure that SonicWall SRA VPN owners can use firmware versions 10.x that are compatible with older devices. These patches were released by SonicWall in February this year, after the CVE-2021-20016 vulnerability was used to attack the company itself.
CrowdStrike has once again urged companies to install patches in a timely manner, or at least use two-factor authentication on SonicWall systems. Researchers generally believe that the best protection option is to replace old SRA VPN equipment with new devices that are supported and receive patches on a more regular basis.