Last week, the network equipment vendor SonicWall released a security notice warning its customers of “imminent” ransomware campaign targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) appliances with end-of-life 8.x firmware.
The company said that attackers are targeting an old SQL injection vulnerability in SonicWall SRA that allows to execute arbitrary SQL queries in database. The issue affects SRA appliances running all 8.x firmware or an old version of firmware 9.x (18.104.22.168-26sv or earlier) and has been fixed in recent versions of the firmware.
The US Cybersecurity and Infrastructure Security Agency (CISA) has also warned of ongoing ransomware attacks attempting to exploit known, previously patched, vulnerability in SonicWall Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products.
Neither SonicWall nor CISA did not share any details regarding a threat actor behind this campaign, however, according to Bleeping Computer, the HelloKitty ransomware gang has been exploiting the vulnerability in a recent series of attacks.
In its June report the cybersecurity firm Coveware said the Babuk ransomware gang is also targeting SonicWall devices, namely SonicWall VPNs, likely vulnerable to CVE-2020-5135. Although this flaw was patched by vendor in October 2020, it still is being heavily abused by ransomware groups.
UNC2447 is another cybercrime group that targeted vulnerabilities in SonicWall equipment in the past. In particular, the gang abused the CVE-2021-20016 zero-day bug in SonicWall SMA 100 Series VPN appliances to deploy the FiveHands ransomware.