SonicWall warns of “imminent” ransomware attack

Yesterday, SonicWall issued an urgent alert about an imminent ransomware attack targeting their Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products. The warning mentions the use of stolen credentials and the exploitation of older vulnerabilities that have been patched for some time. We have frequently seen old exploits against forgotten, unpatched devices serve as the initial access vector for customers who have been breached.

The warning from SonicWall refers to CVE-2019-7481, which allows unauthenticated read-only access to resources in SonicWall’s SMA100, and a zero-day vulnerability we reported on earlier this year.

Details regarding who is behind the attack are sparse at the moment, but SonicWall provided detailed mitigation steps in their bulletin. This attack is targeting older products, many of which have reached their end of life (EOL). If possible, they recommend upgrading your firmware to the latest available version, and at minimum to version 9.x. If you cannot upgrade, they warn that “continued use may result in ransomware exploitation.”

For those using older products past their EOL that cannot be upgraded to version 9.x firmware, they are offering a complimentary virtual SMA 500v until October 31, 2021, to assist with your transition to a currently maintained product.

Since this attack involves stolen credentials, they also recommend immediately resetting all credentials associated with your SMA or SRA devices, even if they have already been patched, and enabling MFA.

The ConnectWise CRU has put together several IDS signatures enabled across all partners on the Perch platform to help detect exploitation attempts for the vulnerabilities listed in SonicWall’s bulletin:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"[ConnectWise CRU] Potential Sonicwall SMA Authentication Bypass (management) (CVE-2021-20016)"; flow:established, to_server; http.uri; content:"/cgi-bin/management"; http.referer; content:!"/__api__/v1/logon"; tag:session,5,packets; reference:url, www.jpcert.or.jp/english/at/2021/at210006.html; classtype:web-application-attack; sid:900389; rev:1; metadata: created_at 2021-07-15, updated_at 2021-07-15, cve CVE_2021_20016;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"[ConnectWise CRU] Potential Sonicwall SMA User-Level Authentication Bypass (sslvpnclient) (CVE-2021-20016)"; flow:established, to_server; http.uri; content:"/cgi-bin/sslvpnclient"; http.referer; content:!"/__api__/v1/logon"; content:!"/cgi-bin/userLogin"; tag:session,5,packets; reference:url, www.jpcert.or.jp/english/at/2021/at210006.html; classtype:web-application-attack; sid:900390; rev:1; metadata: created_at 2021-07-15, updated_at 2021-07-15, cve CVE_2021_20016;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"[ConnectWise CRU] Potential Sonicwall SMA User-Level Authentication Bypass (portal) (CVE-2021-20016)"; flow:established, to_server; http.uri; content:"/cgi-bin/portal"; http.referer; content:!"/__api__/v1/logon"; content:!"/cgi-bin/userLogin"; tag:session,5,packets; reference:url, www.jpcert.or.jp/english/at/2021/at210006.html; classtype:web-application-attack; sid:900391; rev:1; metadata: created_at 2021-07-15, updated_at 2021-07-15, cve CVE_2021_20016;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"[ConnectWise CRU] Potential Sonicwall SRA SQLi (CVE-2019-7481)"; flow:established, to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/supportInstaller"; endswith; http.request_body; content:"fromEmailInvite"; content:"customerTID"; tag:session,5,packets; reference:url, www.crowdstrike.com/blog/how-ecrime-groups-leverage-sonicwall-vulnerability-cve-2019-7481/; classtype:web-application-attack; sid:900388; rev:1; metadata: created_at 2021-07-15, updated_at 2021-07-15, cve CVE_2019_7481;)
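To make the detection logic in the four signatures easier to reason about (and to tune), here is an added example that re-implements their HTTP-layer conditions as plain Python checks and runs them over a handful of constructed request records. It is illustrative code written for this post, not a ConnectWise or Perch tool: the sample requests and the vpn.example.test hostname are made up, the flow, direction and tag options of the rules are not modeled, and treating a missing Referer header as "does not contain the logon path" (so the rule still fires) is an assumption of this example rather than a statement about Suricata's buffer semantics.

```python
"""Re-implementation of the four CRU Suricata rules' HTTP conditions as Python
checks, evaluated over constructed HTTP request records (not captured traffic).

Assumptions of this example: a request with no Referer header is treated like
an empty Referer, so the negated referer content matches; the rules' flow,
direction and tag options are intentionally not modeled.
"""

from dataclasses import dataclass
from typing import Optional

# Referer paths the user-level rules (900390, 900391) treat as a legitimate login flow.
LOGON_PATHS = ("/__api__/v1/logon", "/cgi-bin/userLogin")


@dataclass
class HttpRequest:
    method: str
    uri: str                       # request URI including any query string
    referer: Optional[str] = None  # None models a request that carries no Referer header
    body: str = ""                 # request body, used only by the SQLi rule


def referer_lacks(req: HttpRequest, *needles: str) -> bool:
    """Mirror `http.referer; content:!"..."`: True when none of the needles occur.
    Assumption: a missing Referer behaves like an empty string and so lacks everything."""
    ref = req.referer or ""
    return not any(n in ref for n in needles)


def sid_900389(req: HttpRequest) -> bool:
    # Management CGI reached without the API logon endpoint in the Referer.
    return "/cgi-bin/management" in req.uri and referer_lacks(req, "/__api__/v1/logon")


def sid_900390(req: HttpRequest) -> bool:
    # sslvpnclient CGI reached without either login page in the Referer.
    return "/cgi-bin/sslvpnclient" in req.uri and referer_lacks(req, *LOGON_PATHS)


def sid_900391(req: HttpRequest) -> bool:
    # portal CGI reached without either login page in the Referer.
    return "/cgi-bin/portal" in req.uri and referer_lacks(req, *LOGON_PATHS)


def sid_900388(req: HttpRequest) -> bool:
    # POST to supportInstaller whose body carries both parameters named in the rule.
    return (req.method == "POST"
            and req.uri.endswith("/cgi-bin/supportInstaller")
            and "fromEmailInvite" in req.body
            and "customerTID" in req.body)


RULES = {900389: sid_900389, 900390: sid_900390, 900391: sid_900391, 900388: sid_900388}


def matching_sids(req: HttpRequest) -> list:
    """Return the sorted list of rule SIDs whose HTTP conditions this request satisfies."""
    return sorted(sid for sid, check in RULES.items() if check(req))


# Constructed sample requests for illustration only; vpn.example.test is a made-up host.
SAMPLES = {
    "portal_after_login": HttpRequest("GET", "/cgi-bin/portal",
                                      referer="https://vpn.example.test/cgi-bin/userLogin"),
    "portal_direct": HttpRequest("GET", "/cgi-bin/portal"),
    "mgmt_from_logon_api": HttpRequest("GET", "/cgi-bin/management",
                                       referer="https://vpn.example.test/__api__/v1/logon"),
    "mgmt_from_user_login": HttpRequest("GET", "/cgi-bin/management",
                                        referer="https://vpn.example.test/cgi-bin/userLogin"),
    "support_post": HttpRequest("POST", "/cgi-bin/supportInstaller",
                                body="fromEmailInvite=1&customerTID=abc"),
    "support_get": HttpRequest("GET", "/cgi-bin/supportInstaller?fromEmailInvite=1&customerTID=abc"),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:22s} -> {matching_sids(req) or 'no alert'}")
```

Running it shows the asymmetry worth knowing when triaging these alerts: the management rule (900389) only whitelists the API logon Referer, so a management request whose Referer is the classic /cgi-bin/userLogin page still fires, while the portal and sslvpnclient rules accept either login page. The SQLi rule is the narrowest, requiring a POST with both parameter names in the body, so the same parameters in a GET query string do not trigger it.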

This is a good reminder to always enable MFA wherever possible and keep your networked devices up-to-date.

Bryson Medlock, the Dungeon Master

References

https://www.sonicwall.com/support/product-notification/urgent-security-notice-critical-risk-to-unpatched-end-of-life-sra-sma-8-x-remote-access-devices/210713105333210/

https://www.crowdstrike.com/blog/how-ecrime-groups-leverage-sonicwall-vulnerability-cve-2019-7481/

https://www.jpcert.or.jp/english/at/2021/at210006.html