SonicWall warns of “imminent” ransomware attack
Yesterday, SonicWall issued an urgent alert warning of an imminent ransomware campaign targeting its Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products. The warning cites the use of stolen credentials and the exploitation of older vulnerabilities that have been patched for some time. We frequently see forgotten, unpatched edge devices like these serving as the initial access point for customers who have been breached.
The warning from SonicWall refers to CVE-2019-7481, a pre-authentication SQL injection that gives an unauthenticated attacker read-only access to resources on SMA 100 and SRA devices, and to CVE-2021-20016, the SMA 100 authentication-bypass zero-day we reported on earlier this year.
Details regarding who is behind the attack are sparse at the moment, but SonicWall provided detailed mitigation steps in its bulletin. The campaign targets older products running end-of-life 8.x firmware, many of which have themselves reached end of life (EOL). If your hardware supports it, upgrade to the latest firmware available for it, which means version 9.x at a minimum. Where the hardware cannot be upgraded, SonicWall advises disconnecting it immediately, warning that "continued use may result in ransomware exploitation."
For those running EOL products that cannot be upgraded to 9.x firmware, SonicWall is offering a complimentary virtual SMA 500v until October 31, 2021, to ease the transition to a currently maintained product.
Since this attack involves stolen credentials, SonicWall also recommends immediately resetting all credentials associated with your SMA or SRA devices, even if they have already been patched, because credentials may have been harvested before the patch was applied, and enabling multi-factor authentication (MFA) on them.
The ConnectWise CRU has put together several IDS signatures, enabled across all partners on the Perch platform, to help detect exploitation attempts against the vulnerabilities listed in SonicWall's bulletin. Three cover the CVE-2021-20016 authentication bypass by alerting when a protected SMA handler (management, sslvpnclient or portal) is requested without the Referer a legitimate login flow would carry; the fourth covers the CVE-2019-7481 SQL injection by matching a POST to the supportInstaller handler whose body carries the fromEmailInvite and customerTID parameters. These are alert http rules, so they only fire on HTTP the sensor can parse in the clear; SMA and SRA portals are served over TLS, so coverage depends on a TLS decryption point or terminating proxy ahead of the sensor. The signatures are:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"[ConnectWise CRU] Potential Sonicwall SMA Authentication Bypass (management) (CVE-2021-20016)"; flow:established,to_server; http.uri; content:"/cgi-bin/management"; http.referer; content:!"/__api__/v1/logon"; tag:session,5,packets; reference:url,www.jpcert.or.jp/english/at/2021/at210006.html; classtype:web-application-attack; sid:900389; rev:1; metadata:created_at 2021-07-15, updated_at 2021-07-15, cve CVE_2021_20016;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"[ConnectWise CRU] Potential Sonicwall SMA User-Level Authentication Bypass (sslvpnclient) (CVE-2021-20016)"; flow:established,to_server; http.uri; content:"/cgi-bin/sslvpnclient"; http.referer; content:!"/__api__/v1/logon"; content:!"/cgi-bin/userLogin"; tag:session,5,packets; reference:url,www.jpcert.or.jp/english/at/2021/at210006.html; classtype:web-application-attack; sid:900390; rev:1; metadata:created_at 2021-07-15, updated_at 2021-07-15, cve CVE_2021_20016;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"[ConnectWise CRU] Potential Sonicwall SMA User-Level Authentication Bypass (portal) (CVE-2021-20016)"; flow:established,to_server; http.uri; content:"/cgi-bin/portal"; http.referer; content:!"/__api__/v1/logon"; content:!"/cgi-bin/userLogin"; tag:session,5,packets; reference:url,www.jpcert.or.jp/english/at/2021/at210006.html; classtype:web-application-attack; sid:900391; rev:1; metadata:created_at 2021-07-15, updated_at 2021-07-15, cve CVE_2021_20016;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"[ConnectWise CRU] Potential Sonicwall SRA SQLi (CVE-2019-7481)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/supportInstaller"; endswith; http.request_body; content:"fromEmailInvite"; content:"customerTID"; tag:session,5,packets; reference:url,www.crowdstrike.com/blog/how-ecrime-groups-leverage-sonicwall-vulnerability-cve-2019-7481/; classtype:web-application-attack; sid:900388; rev:1; metadata:created_at 2021-07-15, updated_at 2021-07-15, cve CVE_2019_7481;)
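As an added example (not ConnectWise's code and not part of the original post), the following Python script re-implements the match logic of the four signatures above so the same indicators can be hunted for retrospectively in HTTP logs that predate the signatures' deployment, for instance reverse-proxy or decrypted-traffic logs from the weeks before the bulletin. The JSON-lines record format (src_ip, method, uri, referer, body) and the sample records are my own construction; map the fields from whatever log source you actually have. An absent Referer is treated as not containing the logon path, which is an assumption about how the rules' negated content matches behave; confirm it against your Suricata version before relying on it.

```python
# Added example: the four CRU signatures' match logic as a log-hunting script.
# Not ConnectWise's code. The record format and sample data are constructed.
import json
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Hit:
    sid: int
    cve: str
    msg: str


# Referers a legitimate SMA login flow carries; the user-level rules
# (sids 900390/900391) alert only when neither is present.
LOGON_REFERERS = ("/__api__/v1/logon", "/cgi-bin/userLogin")


def match_request(rec: dict) -> list[Hit]:
    """Return every signature a single HTTP request record satisfies.

    `uri` is the full request-URI (path plus query), mirroring Suricata's
    http.uri. `referer` is "" when the header is absent; that is treated as
    "does not contain the logon path" (assumption, see lead-in).
    """
    method = str(rec.get("method", "")).upper()
    uri = str(rec.get("uri", ""))
    referer = str(rec.get("referer", ""))
    body = str(rec.get("body", ""))
    hits: list[Hit] = []

    # sid 900389: management handler reached without the API logon referer
    if "/cgi-bin/management" in uri and "/__api__/v1/logon" not in referer:
        hits.append(Hit(900389, "CVE-2021-20016", "SMA auth bypass (management)"))

    # sids 900390 / 900391: user-level handlers reached without either login referer
    if not any(r in referer for r in LOGON_REFERERS):
        if "/cgi-bin/sslvpnclient" in uri:
            hits.append(Hit(900390, "CVE-2021-20016", "SMA user-level auth bypass (sslvpnclient)"))
        if "/cgi-bin/portal" in uri:
            hits.append(Hit(900391, "CVE-2021-20016", "SMA user-level auth bypass (portal)"))

    # sid 900388: POST to supportInstaller whose body carries both injectable
    # parameters; endswith mirrors the rule, so a query string defeats the match
    if (method == "POST"
            and uri.endswith("/cgi-bin/supportInstaller")
            and "fromEmailInvite" in body
            and "customerTID" in body):
        hits.append(Hit(900388, "CVE-2019-7481", "SRA SQLi (supportInstaller)"))
    return hits


def scan(lines: Iterable[str]) -> list[tuple[int, str, Hit]]:
    """Run match_request over JSON-lines records; returns (line_no, src_ip, hit)."""
    findings: list[tuple[int, str, Hit]] = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line rather than abort the whole hunt
        for hit in match_request(rec):
            findings.append((n, str(rec.get("src_ip", "?")), hit))
    return findings


# Constructed sample records (not real traffic): two normal post-login
# requests, one direct call to the management handler, one supportInstaller POST.
SAMPLE_LOG = """
{"src_ip":"203.0.113.5","method":"GET","uri":"/cgi-bin/portal","referer":"https://vpn.example.net/__api__/v1/logon"}
{"src_ip":"203.0.113.6","method":"GET","uri":"/cgi-bin/sslvpnclient","referer":"https://vpn.example.net/cgi-bin/userLogin"}
{"src_ip":"198.51.100.7","method":"GET","uri":"/cgi-bin/management","referer":""}
{"src_ip":"198.51.100.8","method":"POST","uri":"/cgi-bin/supportInstaller","referer":"","body":"fromEmailInvite=1&customerTID=xyz"}
"""

if __name__ == "__main__":
    for line_no, src, hit in scan(SAMPLE_LOG.splitlines()):
        print(f"line {line_no} {src}: sid {hit.sid} {hit.cve} {hit.msg}")
```

Run it as-is and the two constructed attack records are reported while the two post-login requests are not. To hunt in real data, feed scan() the lines of your normalized log; the assumed field names are the only thing to adapt. A hit from this script is a lead, not a verdict: like the signatures, it flags a request shape, so pivot on src_ip and the device's own logs before calling it exploitation.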
This is a good reminder to enable MFA wherever possible, to keep internet-facing devices patched, and to keep an inventory of them so that hardware which has reached EOL is retired rather than forgotten.
Bryson Medlock, the Dungeon Master
References
www.crowdstrike.com/blog/how-ecrime-groups-leverage-sonicwall-vulnerability-cve-2019-7481/
www.jpcert.or.jp/english/at/2021/at210006.html