How eCrime Groups Leverage an Old SonicWall Vulnerability

CrowdStrike Services incident response teams identified eCrime actors leveraging an older SonicWall VPN vulnerability, CVE-2019-7481, that affects Secure Remote Access (SRA) 4600 devices; the ability to leverage the vulnerability to affect SRA devices was previously undisclosed by SonicWall
CrowdStrike Intelligence researchers confirmed that CVE-2019-7481 affects SRA devices running the latest versions of 8.x and 9.x firmware, and that the latest versions of Secure Mobile Access (SMA) firmware do not mitigate the CVE for SRA devices
CrowdStrike recommends organizations always implement multifactor authentication (MFA) and replace legacy, end-of-life devices with the latest vendor-supported versions

The year 2021 has already been a busy one for vulnerability patching and management, with several new zero-day vulnerabilities impacting many companies’ primary means of remote authentication in a world still working from anywhere. With increased dependency on VPN devices, it is not surprising that both eCrime and nation-state actors focus on VPN device compromise as an initial attack vector. In this blog, we discuss a vulnerability disclosed in 2019, CVE-2019-7481, that also affects end-of-life SonicWall SRA VPN devices running firmware versions 8.x and 9.x. CrowdStrike has identified big game hunting (BGH) ransomware actors leveraging this vulnerability against these older SonicWall SRA 4600 VPN devices during various incident response investigations.

On Feb. 4, 2021, SonicWall’s Product Security Incident Response Team (PSIRT) announced a new zero-day vulnerability, CVE-2021-20016, that affects its SMA (Secure Mobile Access) devices. Within the documentation, SonicWall stated this new vulnerability affects the SMA 100 series product, and updates are required for versions running 10.x firmware. SonicWall did not state if or how this newest vulnerability affects any older SRA VPN devices still in production environments.

In fact, the older SRA VPN devices have not been mentioned in vulnerability disclosures since SonicWall’s CVE advisories in 2017; however, the December 2019 CVE vulnerabilities were referenced for SRA dev ..