Threat Watch

Share on facebook
Share on twitter
Share on linkedin

Legacy SonicWall Devices Being Targeted

As attacks against VPN devices are on the rise to deliver ransomware payloads, legacy SonicWall Secure Remote Access (SRA) 4600 are being targeted for a SQL injection exploit that was thought to be patched in newer device firmware. CrowdStrike has confirmed that firmware versions 8.x and 9.x are vulnerable to CVE-2019-7481, even when running SMA device firmware versions 9.0.0.4 and 9.0.0.5. SonicWall PSIRT confirmed that legacy SRA devices could use the newer SMA firmware updates and that the devices were interchangeable. After CrowdStrike shared their findings, SonicWall PSIRT confirmed that SRA devices were end of life and that the current mitigation for this issue is to install the latest 10.x SMA firmware.

ANALYST NOTES

It is fortunate that newer device firmware is still compatible with the legacy SRA 4600, however CrowdStrike found that not all security fixes may apply one-to-one when being applied to these devices. Organizations still utilizing the SonicWall SRA 4600 should have a plan for updating device firmware to version 10.x as specified by SonicWall as quickly as possible while planning for eventual device replacement as they are considered end of life. To check for signs of compromise, CrowdStrike noticed that device logs would include the string msg=”Virtual Assist Installing Customer App” in the minutes leading up to access by threat actors.

https://therecord.media/ransomware-gangs-are-increasingly-going-after-sonicwall-devices/

https://www.crowdstrike.com/blog/how-ecrime-groups-leverage-sonicwall-vulnerability-cve-2019-7481/