According to researchers, threat actors are actively targeting critical flaws in SonicWall’s Secure Mobile Access (SMA) gateways. The vulnerabilities were disclosed in December 2021, and SonicWall released fixed firmware at the same time. Two of them are critical stack-based buffer overflows tracked as CVE-2021-20038 and CVE-2021-20045. A remote, unauthenticated attacker can trigger them to execute code as the ‘nobody’ user on an affected appliance. CVE-2021-20038 affects SMA 100 series appliances (including the SMA 200, 210, 400, 410, and 500v) and can be exploited even when the Web Application Firewall (WAF) is enabled.
Since patches are already available, organizations running one of the affected appliances should confirm that they are on the most recent firmware version. Attackers routinely exploit vulnerabilities that have had patches available for some time, relying on victims that never applied them, so a new patch should be tested and deployed as soon as possible. Some of the observed attacks also used password spraying to find appliances that still had default credentials in use; default credentials should never remain in use after initial setup. The activity did not look like a single large, coordinated campaign. It is more consistent with opportunistic threat actors scanning for organizations that are not following security best practices to protect themselves.