Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Sonicwall SRA 4600 Targeted By an Old Vulnerability SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Sonicwall SRA 4600 Targeted By an Old Vulnerability

Devices and applications used to provide remote access are juicy targets. I've already been involved in many ransomware cases and most of the time, the open door was an unpatched VPN device/remote access solution or weak credentials. A good example, the recent attack against the Colonial Pipeline that started with a legacy VPN profile[1].

A group of attackers is targeting Sonicwall devices through the vulnerability described in CVE-2019-7481. Yes, a vulnerability from 2019! It affects Sonicwall SRA ("Secure Remote Access") 4600 devices running firmware versions 8.x and 9.x. Crowdstrike published a nice blog post about this vulnerability[2].

If you run a Sonicwall device affected by this vulnerability, please review your current firmware and patch!

[1] https://www.hsgac.senate.gov/imo/media/doc/Testimony-Blount-2021-06-08.pdf
[2] https://www.crowdstrike.com/blog/how-ecrime-groups-leverage-sonicwall-vulnerability-cve-2019-7481/

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS London August 2021

Xme

617 Posts
ISC Handler
Jun 11th 2021

Sign Up for Free or Log In to start participating in the conversation!