SonicWall SMA/SRA Ransomware Infection Vector

SonicWall SMA/SRA Ransomware Infection Vector

Introduction

Seemingly favored by many big game hunter ransomware threat groups, VPN and network infrastructure devices are regularly used as the initial attack vector, especially given that some organizations neglect to include 'hardware' appliances within their patch and update regimes.

In this instance, SonicWall, a content and network security vendor, released an urgent security notice [1] on July 14, 2021, advising customers of a critical risk to end-of-life or 'limited retirement' SonicWall Secure Mobile Access (SMA) and Secure Remote Access (SRA) products.

Based on recent observations, ransomware threat actors have been actively exploiting a two year old pre-authentication SQL injection (SQLi) vulnerability in these products, identified as CVE-2019-7481, leading to network access without the need to brute-force accounts.

Given SonicWall's urgent alert, it is likely that many organizations are known to be still using these vulnerable products and, potentially fueled by increased publicity, other ransomware groups or threat actors may seek to identify and exploit vulnerable deployments in their financially motivated ransomware and extortion campaigns.

Chat with an analyst about data security and ransomware

Impact

Whilst only assigned a CVSS score of 7.5, and therefore classified as 'high' rather than 'critical', the severity of this current situation arises from CVE-2019-7481 being actively exploited in end-of-life products that will are not supported or set to be updated by SonicWall.

Initially reported as only affecting firmware version 9.0.0.3, or earlier, and thought to have been resolved with the release of firmware version 9.0.0.5, recent indications suggest that devices running version 9.0.0.5, and older, remain vulnerable to CVE-2019-7481.

As such, the following end-of-life products are reportedly affected and the continued use of these should be considered a serious security risk:

  • Secure Remote Access 1200
  • Secure Remote Access 1600
  • Secure Remote Access 4200
  • Secure Remote Access 4600
  • SSL-VPN 200
  • SSL-VPN 400
  • SSL-VPN 2000

Additionally, the following 'limited retirement' products using firmware version 9.0.0.5 or older remain affected:

  • Secure Mobile Access 200
  • Secure Mobile Access 400

In addition to this vulnerability being actively exploited-in-the wild by big game hunter ransomware groups, proof-of-concept code is believed to be available and potentially vulnerable SonicWall devices can likely be easily identified through the use of online tools rather than needing to actively probe target networks.

For example, a basic Shodan search for 'SonicWall' returns some 750 thousand results (Figure 1) that, when tuned to include product or version details, could likely identify vulnerable devices.

Untitled (1)

Figure 1 - Basic Shodan search for 'SonicWall'

Detection

Those with potentially vulnerable devices can, after acting upon the recommendations, review their VPN and access logs for indicators of post compromise including:

  • Unexpected access attempts to the following paths:
    • /cgi-bin/supportInstaller
    • /cgi-bin/supportLogin
  • Unusual or unexpected user-agents, such as scripting languages and command line utilities. For example, based on the use of the Python proof-of-concept (PoC) code, the user-agent may be identified as python-requests/x.xx.x, where x.xx.x is the library version.
  • Unexpected action messages such as Virtual Assist Installing Customer App.

Chat with an analyst

Recommendations

  • Organizations using end-of-life products (SRA 1200/1600/4200/4600 and SSL-VPN 200/400/2000) are advised by SonicWall to immediately disconnect the device and reset all associated credentials.
  • Organizations using products that are still supported, albeit in 'limited retirement', (SMA 200/400) are advised to immediately update the firmware to version 10.2.0.7-34 or 9.0.0.10, reset all associated credentials and ensure that multi-factor authentication is enabled.
  • As is good practice, regardless of product version, organizations using SonicWall, or similar network devices, should ensure that these are included in regular maintenance and security update programmes to prevent known vulnerabilities from being exploited.
  • Regardless of the product, multi-factor authentication should be implemented wherever possible to limit the effectiveness of any stolen or compromised credentials.
  • SonicWall provide additional advice within their bulletin [1] regarding this issue along with transition paths for customers utilizing end-of-life products.

References

[1] https://www.sonicwall.com/support/product-notification/urgent-security-notice-critical-risk-to-unpatched-end-of-life-sra-sma-8-x-remote-access-devices/210713105333210/