Author: Yadu Nadh
1. Executive Summary
On 15 July, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about threat actors actively targeting a known, previously patched vulnerability in SonicWall’s Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched, end-of-life (EOL) 8.x firmware.[1]
On 15 July, SonicWall confirmed CISA’s alert that the vulnerability is being actively exploited in the wild and urged its customers to take steps to reduce the risk of attack.[2] SonicWall has identified three vulnerabilities affecting SRA 4600 and SMA 100 devices: CVE-2019-7481, CVE-2019-7482, and CVE-2021-20016.[3][4]
Big game hunting (BGH) ransomware actors[5] and ransomware gangs[6] have exploited CVE-2021-20016 to obtain a victim’s credentials and then log in to the VPN with them, without any brute-forcing. The threat actor can then deploy the ransomware of their choice, encrypt the compromised system, and demand a ransom.[7] Using this approach, an unknown threat actor exploited CVE-2021-20016 in SMA 100 series VPN appliances, deployed FiveHands ransomware, and then pressured the victim to pay by threatening to 1) expose the victim’s data to the media and 2) sell the data on underground forums.[8]
CVE-2019-7481 is a critical SQL injection vulnerability. A remote, unauthenticated attacker can exploit it by submitting a specially crafted query. Because the Sessions table in the appliance’s SQLite database appears to hold the session identifiers of authenticated users, the attacker could then chain a second vulnerability to gain various levels of access to the SSL-VPN.
Exploiting CVE-2019-7482 allows an attacker to execute arbitrary code. The vulnerability is a buffer overflow that occurs while parsing the browser’s User-Agent header: when the attacker sets the user agent to mimic Safari, the vulnerable getSafariVersion function in the libSys.so library can be made to crash. This vulnerability has not yet been observed being exploited in the wild.
CVE-2021-20016 is a critical SQL injection vulnerability affecting unpatched SMA 100 series devices used for remote access. A remote, unauthenticated attacker could submit a specially crafted query to exploit it. Successful exploitation would give the attacker access to login credentials and session information, which could then be used to log in to a vulnerable, unpatched SMA 100 device.
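Both SQL injection flaws described above share the same root cause class: untrusted input spliced into a query against a table that holds session state. The following added example (not SonicWall’s code; the `Sessions` schema, column names and session values are constructed stand-ins) shows a session lookup built by string concatenation beside its parameterised form, using Python’s built-in `sqlite3` module. The concatenated version lets a crafted input widen the lookup to every stored session, which is the kind of exposure of "session information" the advisory warns about; the bound-parameter version treats the same input as an opaque value and matches nothing.

```python
import re
import sqlite3

# Constructed, simplified stand-in for an appliance's SQLite "Sessions" table.
# Hypothetical schema and values for illustration only.
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Sessions (session_id TEXT PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO Sessions VALUES (?, ?, ?)",
        [("a1b2c3", "alice", "user"), ("d4e5f6", "admin", "administrator")],
    )
    return conn


def lookup_session_vulnerable(conn, session_id):
    # DEFECT: the caller-supplied value becomes part of the SQL text, so quote
    # characters in it change the statement instead of being compared as data.
    query = (
        "SELECT username, role FROM Sessions WHERE session_id = '"
        + session_id
        + "'"
    )
    return conn.execute(query).fetchall()


def lookup_session_hardened(conn, session_id):
    # Bound parameter: the driver passes the value separately from the statement,
    # so it can only ever be compared against session_id, never parsed as SQL.
    return conn.execute(
        "SELECT username, role FROM Sessions WHERE session_id = ?", (session_id,)
    ).fetchall()


# Defence in depth: reject anything that does not look like a session token
# before it reaches the database layer at all (hypothetical token format).
SESSION_ID_RE = re.compile(r"^[0-9a-f]{6,64}$")


def is_well_formed_session_id(session_id):
    return bool(SESSION_ID_RE.fullmatch(session_id))


def lookup_session(conn, session_id):
    """Validate, then query with a bound parameter; None if the token is malformed."""
    if not is_well_formed_session_id(session_id):
        return None
    return lookup_session_hardened(conn, session_id)


def demo():
    conn = build_demo_db()
    crafted = "' OR '1'='1"  # constructed input that closes the quote and adds a tautology
    return {
        "vulnerable_rows": len(lookup_session_vulnerable(conn, crafted)),
        "hardened_rows": len(lookup_session_hardened(conn, crafted)),
        "validated": lookup_session(conn, crafted),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints `{'vulnerable_rows': 2, 'hardened_rows': 0, 'validated': None}`: the concatenated query returns every session row to an unauthenticated caller, while the parameterised query returns none and the validation layer never lets the input reach the database. When reviewing code that touches session or credential tables, the check to make is that every query takes its user-controlled values through bound parameters, not that the inputs are "escaped" somewhere upstream.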
3. Prevention and Mitigation
CISA urges owners and operators of critical infrastructure to apply the following measures to mitigate the risk of compromise by such ransomware attacks:
- Require multi-factor authentication for remote access to OT and IT networks.
- Filter network traffic to prohibit ingress and egress communications with known malicious IPs.
- Update software, including operating systems, applications, and firmware on network assets as soon as the updates become available.
- Limit access to resources over networks, especially by restricting RDP.
- Set antivirus and antimalware programs to conduct regular scans of IT network assets.
- Monitor or block inbound connections involving the TOR network.
- Deploy signatures to detect and/or block inbound connections from Cobalt Strike.
- Implement robust network segmentation between IT and OT networks, and verify that it holds.
- Organize OT assets into logical zones.
- Identify interdependencies between OT and IT networks, and develop manual workaround controls.
- Implement regular data backup procedures on the IT as well as OT networks.