19 July 2021

HelloKitty ransomware gang is hunting for vulnerable SonicWall devices


Last week, the network equipment vendor SonicWall released a security notice warning its customers of an “imminent” ransomware campaign targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) appliances running end-of-life 8.x firmware.

The company said that attackers are targeting an old SQL injection vulnerability in SonicWall SRA that allows an attacker to execute arbitrary SQL queries against the appliance database. The issue affects SRA appliances running any 8.x firmware or an old version of the 9.x firmware (9.0.0.9-26sv or earlier), and has been fixed in recent firmware versions.
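The version boundaries in that paragraph translate directly into an inventory check a defender can run against an asset list. The following is an added example, not code from the article or from SonicWall; it encodes only what the notice states (every 8.x firmware is affected, 9.x firmware at 9.0.0.9-26sv or earlier is affected), assumes the version-string format of the single example the notice gives, and runs over a constructed inventory.

```python
"""Flag SonicWall SRA/SMA firmware versions the notice describes as affected.

Added example, not from the article or the vendor. It encodes only what the
article states: all 8.x firmware is affected, and 9.x firmware at 9.0.0.9-26sv
or earlier is affected. The version-string format ("9.0.0.9-26sv") is assumed
from the one example in the notice; the inventory below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Dotted numeric release followed by an optional "-<build>sv" suffix.
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+)sv)?$")

AFFECTED = "affected"
NOT_LISTED = "not listed as affected"
NOT_COVERED = "not covered by notice"


def parse_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Split '9.0.0.9-26sv' into ((9, 0, 0, 9), 26). A missing build is 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else 0
    return parts, build


# Last 9.x release the notice lists as affected (value taken from the article).
LAST_AFFECTED_9X = parse_version("9.0.0.9-26sv")


def _padded(parts: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    """Right-pad with zeros so 9.0.0 and 9.0.0.9 compare component-wise."""
    return parts + (0,) * (width - len(parts))


def classify(version: str) -> str:
    """Return AFFECTED, NOT_LISTED or NOT_COVERED for one firmware string."""
    parts, build = parse_version(version)
    major = parts[0]
    if major == 8:
        return AFFECTED  # every 8.x build is end-of-life and affected
    if major == 9:
        width = max(len(parts), len(LAST_AFFECTED_9X[0]))
        current = (_padded(parts, width), build)
        boundary = (_padded(LAST_AFFECTED_9X[0], width), LAST_AFFECTED_9X[1])
        return AFFECTED if current <= boundary else NOT_LISTED
    if major > 9:
        return NOT_LISTED  # newer trains are not named by the notice
    return NOT_COVERED  # 7.x and older: the notice says nothing about them


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Classify each host and return (host, version, status), affected first."""
    rows = [(host, ver, classify(ver)) for host, ver in inventory.items()]
    order = {AFFECTED: 0, NOT_COVERED: 1, NOT_LISTED: 2}
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "sra-branch-01": "8.1.0.5",
    "sra-branch-02": "9.0.0.9-26sv",
    "sra-hq-vpn": "9.0.0.10-15sv",
    "sma-lab": "10.2.0.7-34sv",
    "sra-legacy": "7.5.1.0",
}

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:14} {ver:14} {status}")
```

Versions without a build suffix are treated as build 0, so a bare "9.0.0.9" is flagged as affected; that is the conservative reading of "9.0.0.9-26sv or earlier" and is preferable to silently passing an incompletely recorded asset.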

The US Cybersecurity and Infrastructure Security Agency (CISA) has also warned of ongoing ransomware attacks attempting to exploit a known, previously patched vulnerability in SonicWall Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products.

Neither SonicWall nor CISA shared any details regarding the threat actor behind this campaign; however, according to Bleeping Computer, the HelloKitty ransomware gang has been exploiting the vulnerability in a recent series of attacks.

In its June report, the cybersecurity firm Coveware said the Babuk ransomware gang is also targeting SonicWall devices, namely SonicWall VPNs likely vulnerable to CVE-2020-5135. Although the vendor patched this flaw in October 2020, it is still being heavily abused by ransomware groups.

UNC2447 is another cybercrime group that has targeted vulnerabilities in SonicWall equipment in the past. In particular, the gang abused the CVE-2021-20016 zero-day bug in SonicWall SMA 100 series VPN appliances to deploy the FiveHands ransomware.
