19 July 2021

HelloKitty ransomware gang is hunting for vulnerable SonicWall devices

Last week, the network equipment vendor SonicWall released a security notice warning its customers of an “imminent” ransomware campaign targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) appliances running end-of-life 8.x firmware.

The company said that attackers are targeting an old SQL injection vulnerability in SonicWall SRA that allows an attacker to execute arbitrary SQL queries against the appliance's database. The issue affects SRA appliances running any 8.x firmware or an old version of firmware 9.x (9.0.0.9-26sv or earlier) and has been fixed in recent versions of the firmware.
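As an added illustration, not code from the original article or from SonicWall, the affected-version rule in the notice expressed as an inventory check. The version-string format, the assumption that the "-NNsv" suffix orders builds numerically within a release, and the sample hostnames and versions are all constructed here.

```python
import re
from typing import Optional, Tuple

# Parses strings such as "9.0.0.9-26sv" into (major, minor, patch, build, hotfix).
# ASSUMPTION: the "-26sv" suffix orders builds numerically within one release line;
# the advisory does not describe SonicWall's versioning scheme.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-(\d+)sv)?$")

# Last affected 9.x release named in the notice: 9.0.0.9-26sv or earlier.
LAST_AFFECTED_9X = (9, 0, 0, 9, 26)


def parse_version(version: str) -> Optional[Tuple[int, int, int, int, int]]:
    """Return a comparable tuple, or None if the string is not in the expected form."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, build, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(build), int(hotfix or 0))


def is_affected(version: str) -> Optional[bool]:
    """Classify one SRA/SMA firmware version against the notice's affected ranges.

    True = affected, False = outside the affected ranges, None = cannot be
    classified from the notice (unparseable or pre-8.x) and needs manual review.
    """
    v = parse_version(version)
    if v is None or v[0] < 8:
        return None
    if v[0] == 8:                       # all 8.x (end-of-life) firmware is affected
        return True
    if v[0] == 9:
        return v <= LAST_AFFECTED_9X    # 9.0.0.9-26sv or earlier
    return False                        # 10.x and later are outside the stated ranges


def triage(inventory: dict) -> dict:
    """Map hostname -> 'affected' / 'ok' / 'unknown' for an appliance inventory."""
    labels = {True: "affected", False: "ok", None: "unknown"}
    return {host: labels[is_affected(ver)] for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE_INVENTORY = {
    "sra-branch-1": "8.0.0.4-25sv",
    "sma-hq-1": "9.0.0.9-26sv",
    "sma-hq-2": "9.0.0.10-28sv",
    "sma-lab": "10.2.1.0-17sv",
    "sra-legacy": "unknown",
}

if __name__ == "__main__":
    for host, label in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {label}")
```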

The US Cybersecurity and Infrastructure Security Agency (CISA) has also warned of ongoing ransomware attacks attempting to exploit a known, previously patched vulnerability in SonicWall Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products.

Neither SonicWall nor CISA shared any details regarding the threat actor behind this campaign; however, according to Bleeping Computer, the HelloKitty ransomware gang has been exploiting the vulnerability in a recent series of attacks.

In its June report, the cybersecurity firm Coveware said the Babuk ransomware gang is also targeting SonicWall devices, namely SonicWall VPNs likely vulnerable to CVE-2020-5135. Although this flaw was patched by the vendor in October 2020, it is still being heavily abused by ransomware groups.

UNC2447 is another cybercrime group that targeted vulnerabilities in SonicWall equipment in the past. In particular, the gang abused the CVE-2021-20016 zero-day bug in SonicWall SMA 100 Series VPN appliances to deploy the FiveHands ransomware.
