
Hackers Use SonicWall Security Flaw in Ransomware Attacks


 

In the latest wave of ransomware attacks, operators have started using a critical vulnerability in SonicWall SonicOS firewall devices as an entry point for compromising business networks. The vulnerability, tracked as CVE-2024-40766, lies in the firewall's management access interface and affects all current devices across Generation 5, Generation 6, and Generation 7. SonicWall issued a patch on August 22 to address the issue and asked its users to update their appliances. It later turned out that the same weakness also affects the SSLVPN feature of the devices, which has recently been exploited in the wild.

Security researchers at Arctic Wolf reported that operators of the Akira ransomware strain have been leveraging the bug for initial access to business networks. The attacks involved compromised accounts that were local to the affected devices and independent of centralised authentication systems such as Microsoft Active Directory. What's more, the affected accounts had MFA disabled, which left them more exposed. The breached devices were running firmware versions in the range vulnerable to CVE-2024-40766.

Apart from Arctic Wolf's findings, the security firm Rapid7 also reported incidents of ransomware groups gaining access through SonicWall SSLVPN accounts. While the link between these incidents and CVE-2024-40766 remains speculative, the company has underlined the need to take precautions.

Immediate Security Recommendations

Security researchers at SonicWall, Arctic Wolf, and Rapid7 have strongly recommended that administrators install the latest SonicOS firmware updates immediately. Specifically, SonicWall has advised customers to allow access to the firewall management and SSLVPN features only from trusted sources and to block it from the internet where possible. It has also urged the implementation of MFA for all SSLVPN users, using TOTP or email-based authentication.

Given the threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalogue. Under Binding Operational Directive (BOD) 22-01, federal agencies were directed to patch their vulnerable SonicWall devices before September 30. That reflects the gravity of this vulnerability and how urgently organisations need to act.

SonicWall Devices Targeted in Previous Attacks

SonicWall devices have been routine targets in the past, with attackers exploiting security flaws to gain entry to corporate networks. For instance, suspected Chinese hackers installed malware on SonicWall Secure Mobile Access (SMA) devices that persisted across firmware upgrades. Ransomware groups, including HelloKitty, FiveHands, and now Akira, keep exploiting similar vulnerabilities in SonicWall systems for their attacks.

Given that SonicWall serves over 500,000 customers, including government agencies and major corporations worldwide, the pervasive nature of these vulnerabilities calls for timely patching and robust security practices. The company has urged all users of the affected products to apply the latest updates in order to protect their systems against future attacks.


Fortifying Cybersecurity for Schools as New Academic Year Begins

 

School administrators have received a cautionary alert regarding the imperative need to fortify their defenses against potential cyberattacks as the commencement of the new academic year looms. 

The National Cyber Security Centre has emphasized the necessity of implementing "appropriate security measures" to safeguard educational institutions from potential threats and to avert disruptions.

While there are no specific indicators of heightened threats as schools prepare to reopen, the onset of a fresh academic term underscores the potential severity of any cyberattacks during this period. 

Don Smith, the Vice President of the counter-threat unit at Secureworks, a cybersecurity firm, has highlighted the current transitional phase as an opportune moment for cybercriminals. He pointed out that the creation of new accounts for students and staff, as well as the school's approach to portable devices like laptops and tablets, can introduce vulnerabilities.

Smith explained, "Summer is a time when people are using their devices to have fun, play games, that sort of thing. If you've allowed teachers and pupils to take devices home, or let them bring their own, these devices may have picked up infections and malware that can come into the school and create a problem."

Last September, six schools within the same academy trust in Hertfordshire suffered internal system disruptions due to a cyberattack, occurring shortly after the new term had started. 

Additionally, just recently, Debenham High School in Suffolk fell victim to a hack that temporarily crippled all of its computer facilities, prompting technicians to work tirelessly to restore them before the commencement of the new term.

Schools are generally not the primary targets of concentrated cyberattack campaigns, unlike businesses, but they are considered opportunistic targets due to their comparatively less robust defenses. 

Don Smith emphasized that limited budgets and allocation priorities may result in schools having inadequate cybersecurity measures. Basic digital hygiene practices, such as implementing two-factor authentication and keeping software up to date, are crucial for safeguarding vital data.

Moreover, it is imperative for both students and teachers to be regularly educated about cybersecurity threats, including the importance of strong passwords, vigilance against suspicious downloads, and the ability to identify phishing attempts in emails. Mr. Smith noted that cybersecurity is no longer solely the responsibility of a small IT team; instead, all users are on the frontline, necessitating a general understanding of cybersecurity fundamentals.

A recent study revealed that one in seven 15-year-olds is susceptible to responding to phishing emails, especially those from disadvantaged backgrounds with weaker cognitive skills. Professor John Jerrim, the study's author, emphasized the need for increased efforts to help teenagers navigate the increasingly complex and perilous online landscape.

The National Cyber Security Centre, a division of GCHQ, has previously issued warnings regarding the growing prevalence of ransomware attacks targeting the education sector. Ransomware attacks involve criminals infiltrating a network and deploying malicious software that locks access to computer systems until a ransom is paid. Although ransomware attacks temporarily declined during the first quarter of 2023, they have been steadily increasing since then.

SonicWall, a cybersecurity company, emphasized that schools, being repositories of substantial data, are attractive targets for hackers pursuing financial and phishing scams. As schools rely more heavily on internet-based tools in the classroom, they must prioritize cybersecurity, both in terms of budget allocation and mindset, as the new school year approaches.

In response to these concerns, a spokesperson for the Department for Education affirmed that educational institutions bear the responsibility of being aware of cybersecurity risks and implementing appropriate measures. This includes establishing data backups and response plans to mitigate potential incidents.

"We monitor reports of all cyberattacks closely and in any case where there has been an attack, we instruct the department's regional team to offer support," they added. "There is no evidence to suggest that attacks like this are on the rise."

SonicWall Urges Admins to Fix SSLVPN SMA1000 Flaws

 

SonicWall is urging customers to fix multiple high-risk security vulnerabilities in its Secure Mobile Access (SMA) 1000 Series line of products, which might allow attackers to bypass authorization and compromise unpatched devices.

Enterprises use SonicWall SMA 1000 SSLVPN solutions to provide end-to-end secure remote access to business resources in on-premises, cloud, and hybrid data centre environments. The first bug (a high-severity unauthenticated access control bypass) has been assigned CVE-2022-22282, while the other two (a hard-coded cryptographic key and an open redirect, both of medium severity) are currently awaiting a CVE ID.

"SonicWall strongly urges that organizations using the SMA 1000 series products upgrade to the latest patch," the company says in a security advisory published this week. 

SonicWall, on the other hand, stated that it has found no evidence of these vulnerabilities being exploited in the wild. According to the company, the vulnerabilities do not affect SMA 1000 series devices running versions prior to 12.4.0, SMA 100 series products, CMS, or remote access clients. The following SMA 1000 Series models are affected: 6200, 6210, 7200, 7210, and 8000v (ESX, KVM, Hyper-V, AWS, Azure).

The most serious of the three flaws is CVE-2022-22282, which allows unauthenticated attackers to bypass access control and obtain access to internal resources. This vulnerability can be remotely exploited in low-complexity attacks that do not require any user interaction. If left unpatched and abused by attackers, the hard-coded cryptographic key flaw can have catastrophic repercussions, allowing them to gain access to encrypted passwords.

According to MITRE's CWE database, "The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered. If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question." 

Threat actors would most likely seek ways to compromise SMA 1000 series VPN appliances because they are utilised to protect remote connections into corporate networks. SonicWall also warned in July 2021 that end-of-life SMA 100 series and Secure Remote Access systems will be more vulnerable to ransomware assaults. 

SonicWall's products are used by over 500,000 commercial clients in 215 countries and territories across the world, with many of them deployed on the networks of government agencies and the world's major corporations.

SonicWall Patches Critical CVE-2021-20026 Vulnerability in NSM Product

 

A researcher at Positive Technologies has provided details about CVE-2021-20026, a command injection flaw affecting SonicWall's Network Security Manager (NSM) product. The flaw is rated with an 8.8 severity score and was patched in May 2021.

SonicWall advised users to 'immediately' fix a post-authentication vulnerability impacting on-premises versions of the Network Security Manager (NSM) multi-tenant firewall management solution, which can be abused through specially crafted HTTP requests sent to the vulnerable application. An attacker could exploit the flaw to execute arbitrary commands on the underlying operating system with root privileges.

The security flaw was discovered by Nikita Abramov, a researcher at Russian cybersecurity firm Positive Technologies, who explains that the flaw exists due to improper validation of input data which is directly passed to the operating system for processing.

Abramov explained that an attacker authorised in NSM with only minimal privileges could exploit the flaw to compromise the product. By injecting OS commands, threat actors can gain access to every feature the vulnerable on-premises SonicWall NSM platform has to offer, as well as to the entire underlying operating system.

NSM is a firewall management application that provides the ability to monitor and manage all network security services from a single interface, as well as to automate tasks to improve security operations. The product is available for on-premises deployments or as a SaaS offering.

“A successful attack on a vulnerable device requires authorization in NSM with a minimum level of privileges. SonicWall NSM allows centralized management of hundreds of devices. Tampering with this system may negatively impact a company’s ability to work, to the point of full disruption of its protection system and stopping of business processes,” Nikita Abramov, stated. 

The security flaw impacts the 2.2.0-R10 and earlier releases of on-premises SonicWall NSM and it has been addressed with the release of NSM 2.2.1-R6, which SonicWall customers are encouraged to install.

“As with Cisco ASA, successful attackers could disable access to the company’s internal network by blocking VPN connections, or write new network traffic policies, thus fully preventing its checks by a firewall,” Abramov added.

SonicWall Urges Customers to 'immediately' Patch NSM On-Prem Bug

 

SonicWall urges customers to “immediately” patch a post-authentication vulnerability that impacts on-premises versions of the Network Security Manager (NSM) multi-tenant firewall management solution.

The CVE-2021-20026 vulnerability affects NSM 2.2.0-R10-H1 and previous versions, and SonicWall patched it in NSM 2.2.1-R6 and 2.2.1-R6 (Enhanced). It has an 8.8/10 severity rating from SonicWall, and authenticated intruders can use it for OS command injection in low-complexity attacks that don't require user interaction.
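Both NSM articles above identify the vulnerable builds only by version string (2.2.0-R10 / 2.2.0-R10-H1 and earlier, fixed in 2.2.1-R6). The following added triage script, which is not from the page or from SonicWall, parses that version format and flags on-prem instances that still need the patch; the assumption that the "-Rn" release and optional "-Hm" hotfix suffixes sort numerically after the dotted part is mine, as is the sample inventory.

```python
import re
from typing import NamedTuple

# Fixed release named in the SonicWall advisory quoted above.
FIXED_NSM_VERSION = "2.2.1-R6"

# Assumed layout of a SonicWall NSM version string: MAJOR.MINOR.PATCH-Rn[-Hm],
# optionally followed by "(Enhanced)" as in "2.2.1-R6 (Enhanced)".
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)-R(\d+)(?:-H(\d+))?(?:\s*\(Enhanced\))?$"
)


class NsmVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    release: int   # the "-Rn" part
    hotfix: int    # the optional "-Hm" part, 0 when absent


def parse_nsm_version(text: str) -> NsmVersion:
    """Parse e.g. '2.2.0-R10-H1' into a tuple that compares numerically."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised NSM version string: {text!r}")
    major, minor, patch, release, hotfix = match.groups()
    return NsmVersion(int(major), int(minor), int(patch),
                      int(release), int(hotfix or 0))


def is_vulnerable_to_cve_2021_20026(version: str, deployment: str = "on-prem") -> bool:
    """True when an on-prem NSM build is older than the fixed 2.2.1-R6.

    SaaS NSM is not affected according to the advisory quoted on this page,
    so those instances are never flagged regardless of version.
    """
    if deployment.lower() == "saas":
        return False
    # NamedTuple is a tuple, so comparison is field-by-field, left to right.
    return parse_nsm_version(version) < parse_nsm_version(FIXED_NSM_VERSION)


def triage(inventory: dict) -> list:
    """Return hostnames (in inventory order) that still need the NSM patch."""
    return [host for host, ver in inventory.items()
            if is_vulnerable_to_cve_2021_20026(ver)]


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = {
    "nsm-dc1.example.internal": "2.2.0-R10-H1",   # hotfix of a vulnerable release
    "nsm-dc2.example.internal": "2.2.1-R6",       # patched
    "nsm-lab.example.internal": "2.1.9-R3",       # older than 2.2.0, still vulnerable
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"needs patch: {host} ({SAMPLE_INVENTORY[host]})")
```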

SonicWall stated, "This critical vulnerability potentially allows a user to execute commands on a device's operating system with the highest system privileges (root). This vulnerability only impacts on-premises NSM deployments, SaaS versions of NSM are not affected."

SonicWall is urging customers to patch their devices immediately, although the company did not mention an immediate threat of attackers exploiting this vulnerability or any in-the-wild exploitation.

"SonicWall customers who are running the on-premises NSM versions listed below should upgrade to the patched version as soon as possible," the company advised. 

When asked for comment by BleepingComputer, SonicWall declined to provide any specifics about active exploitation of CVE-2021-20026, instead pointing to the information in its security advisory.

Several SonicWall appliance vulnerabilities have been targeted by threat actors this year. Many of them are zero-days that were actively exploited in the wild before the company released fixes. SonicWall fixed an actively exploited zero-day vulnerability affecting the SMA 100 series of SonicWall networking devices in February. 

A financially motivated threat actor, tracked by Mandiant threat analysts as UNC2447, took advantage of another zero-day in SonicWall SMA 100 Series VPN appliances to spread the newly discovered FiveHands ransomware on the networks of North American and European targets.

In January, the same zero-day bug was exploited in assaults targeting SonicWall's internal systems, and it was afterward exploited indiscriminately in the wild. SonicWall patched three more zero-day vulnerabilities discovered in the wild in March, impacting the company's on-premises and hosted Email Security (ES) products. 

These zero-days were abused by a group known as UNC2682 to backdoor systems via BEHINDER web shells, allowing the attackers to move laterally through their victims' networks and access emails and files, as Mandiant discovered while researching the attacks.

New FiveHands Ransomware Deployed via SonicWall Zero-Day Flaw

 

Earlier this year, financially motivated cybercriminals leveraged a zero-day vulnerability in SonicWall's Secure Mobile Access (SMA) 100 Series VPN appliances to install an advanced ransomware strain tracked as FiveHands; the victims are reported to be North American and European networks.

The operation was traced by FireEye's Mandiant analysts to a group tracked as UNC2447. The unit reported that the group took advantage of the CVE-2021-20016 SonicWall bug to breach networks and install FiveHands ransomware payloads before the vendor released patches in late February 2021. The report also notes that the threat actor possesses advanced skills in exploiting networks.

Additionally, over the past half year, a newly observed hacking group has been seen deploying a wide range of malware and pressuring ransomware victims into making payments.

Previously in similar contexts, FireEye reported that the attackers had deployed ransomware families and malware such as FiveHands (a variant of the DeathRansom ransomware), Sombrat, the Cobalt Strike beacon, the Warprism PowerShell dropper, and FoxGrabber; the new ransomware's behaviour also showed signs of affiliation with the RagnarLocker and HelloKitty ransomware operations.

“When affiliate-based ransomware is observed by Mandiant, uncategorized clusters are assigned based on the infrastructure used, and in the case of UNC2447 were based on the Sombrat and Cobalt Strike Beacon infrastructure used across 5 intrusions between November 2020 and February 2021,” FireEye reported. 

The group exploited a critical SQL injection flaw in SonicWall SMA100 series devices, which gives attackers remote access and, in turn, access to login credentials, session information, and other vulnerable appliances.

The existence of the vulnerability was first observed in January 2021, when SonicWall warned its customers that the company's internal systems had been attacked in a cyber operation that may have targeted zero-day vulnerabilities in the company's secure remote access devices. SonicWall patched CVE-2021-20016 in February 2021; however, FireEye reported that UNC2447 had exploited it before the patch was released.

"UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums," Mandiant further added in a report published today.

SonicWall Breached via Zero-Day Flaw

 

SonicWall revealed on Friday night that highly sophisticated threat actors had attacked its internal systems by abusing a probable zero-day flaw in the company's secure remote access products.

The Milpitas, Calif.-based platform security vendor said the compromised NetExtender VPN client and SMB-oriented Secure Mobile Access (SMA) 100 series products are used to give employees and customers remote access to internal resources. According to SonicWall, the SMA 1000 series is not susceptible to this attack and uses clients different from NetExtender.

SonicWall declined to answer questions about whether the attack on its internal systems was carried out by the same threat actor who, over a long period, injected malicious code into the SolarWinds Orion network monitoring tool.

The company did, however, note that it has seen a “dramatic surge” in cyberattacks against firms that provide critical infrastructure and security controls to governments and organisations. The company said it is providing mitigation recommendations to its channel partners and customers. According to SonicWall, multi-factor authentication should be enabled on all SonicWall SMA, firewall and MySonicWall accounts.

Products compromised in the SonicWall breach include the NetExtender VPN client version 10.x (released in 2020), used to connect to SMA 100 series appliances and SonicWall firewalls, as well as SonicWall's SMA version 10.x running on SMA 200, SMA 210, SMA 400, and SMA 410 physical appliances and the SMA 500v virtual appliance. According to the company, SonicWall partners and customers using the SMA 100 series should either use a firewall to permit SSL-VPN connections to the SMA appliance only from known/whitelisted IPs, or configure whitelist access directly on the SMA itself.

For firewalls with SSL-VPN access using the compromised version of the NetExtender VPN client, partners and customers should either disable NetExtender access to the firewalls or restrict access to users and administrators through an allow list/whitelist of their public IPs, according to SonicWall.

The networking device maker, whose products are routinely used to secure access to corporate networks, now becomes the fourth security vendor to disclose a breach in recent months, after FireEye, Microsoft, and Malwarebytes. All three of those companies were breached during the SolarWinds supply chain attack. CrowdStrike said it was also targeted in the SolarWinds hack, but the attack did not succeed.