Threat Watch

HelloKitty Actors Exploiting SonicWall Devices

After SonicWall and CISA warned of targeted attacks against SonicWall Secure Mobile Access (SMA) 100 and Secure Remote Access (SRA) devices running End of Life (EoL) firmware, sources told BleepingComputer that the group behind HelloKitty was the reason for the notice warning of an “imminent threat” of ransomware. According to BleepingComputer, CrowdStrike also confirmed that multiple other threat actors are targeting these devices along with HelloKitty. The abused vulnerability is tracked as CVE-2019-7481 and was patched in firmware versions released in early 2021, according to a statement by SonicWall. Other exploits have potentially been identified as being abused as well, including CVE-2019-7481 and CVE-2020-5135.

ANALYST NOTES

SonicWall notes that, in some cases, newer firmware is compatible with older appliances. Binary Defense highly recommends that all administrators of older SonicWall devices read through the recent security notice to see whether their device is affected and to find the recommended next steps. In many cases, this involves disconnecting the devices immediately and resetting passwords, though some devices are still supported in a limited capacity and can be upgraded. Failure to identify vulnerable devices could mean exploitation followed by infection by known ransomware groups.

https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-is-targeting-vulnerable-sonicwall-devices/

https://www.sonicwall.com/support/product-notification/urgent-security-notice-critical-risk-to-unpatched-end-of-life-sra-sma-8-x-remote-access-devices/210713105333210/