Search This Blog

Showing posts with label SonicWall. Show all posts

SonicWall Urges Customers to 'immediately' Patch NSM On-Prem Bug

 

SonicWall urges customers to “immediately” patch a post-authentication vulnerability that impacts on-premises versions of the Network Security Manager (NSM) multi-tenant firewall management solution.

The CVE-2021-20026 vulnerability affects NSM 2.2.0-R10-H1 and previous versions, and it was patched by SonicWall in NSM 2.2.1-R6 and 2.2.1-R6 (Enhanced) versions. It has an 8.8/10 severity rating from SonicWall, and authenticated intruders can use it for OS command injection in low-complexity attacks that don't require user interaction. 

The SonicWall stated, "This critical vulnerability potentially allows a user to execute commands on a device's operating system with the highest system privileges (root). This vulnerability only impacts on-premises NSM deployments, SaaS versions of NSM are not affected." 

SonicWall is urging consumers to patch their devices instantaneously, despite the fact that the business did not mention an immediate threat of attackers exploiting this vulnerability or active in the wild exploitation. 

"SonicWall customers who are running the on-premises NSM versions listed below should upgrade to the patched version as soon as possible," the company advised. 

When requested for comment by Bleeping Computer, SonicWall refused to provide any specifics about the active exploitation of CVE-2021-20026, instead responded with the information in the security advisory. 

Several SonicWall appliance vulnerabilities have been targeted by threat actors this year. Many of them are zero-days that were actively exploited in the wild before the company released fixes. SonicWall fixed an actively exploited zero-day vulnerability affecting the SMA 100 series of SonicWall networking devices in February. 

A financially motivated threat actor, which was tracked down by Mandiant threat analysts  as UNC2447, took advantage of another zero-day in SonicWall SMA 100 Series VPN appliances to spread newly found FiveHands ransomware on the networks of North American and European targets. 

In January, the same zero-day bug was exploited in assaults targeting SonicWall's internal systems, and it was afterward exploited indiscriminately in the wild. SonicWall patched three more zero-day vulnerabilities discovered in the wild in March, impacting the company's on-premises and hosted Email Security (ES) products. 

These zero-days were abused by a group known as UNC2682 to backdoor systems via BEHINDER web shells, allowing the attackers to travel laterally through their victims' networks and access emails and files, as Mandiant discovered researching the attacks.

New FiveHands Ransomware Deploy Into SonicWall Internal System

 

Earlier this year, money-oriented cybercriminals leveraged a zero-day vulnerability that has been introduced by SonicWall in its Secure Mobile Access (SMA) 100 Series VPN appliances to install advanced ransomware studied as FiveHands, victims are reported to be North American and European networks. 

The operation was traced by FireEye’s Mandiant cyber analysts as “UNC2447’’. Analysts unit has informed that the group took advantage of the CVE-2021-20016 SonicWall bug to breach networks and further install FiveHands ransomware payloads before the vendor released patches in late February 2021. Further, the report also reads that the threat actor poses advanced skills in exploiting networks. 

Additionally, over the past half a year, a brand new cyber hacker group has been noticed to be exploiting a wide range of malware and creating pressure on ransomware victims into making payments. 

Previously in similar contexts, FireEye reported that the cyber attackers have been deploying ransomware families and malware such as FiveHands (a variant of the DeathRansom ransomware), Sombrat, the Cobalt Strike beacon, the Warprism PowerShell dropper, and FoxGrabber, additionally the new ransomware's actions also demonstrated signs of RagnarLocker and HelloKitty ransomware affiliation. 

“When affiliate-based ransomware is observed by Mandiant, uncategorized clusters are assigned based on the infrastructure used, and in the case of UNC2447 were based on the Sombrat and Cobalt Strike Beacon infrastructure used across 5 intrusions between November 2020 and February 2021,” FireEye reported. 

The group deployed a critical SQL injection flaw in SonicWall SMA100 series devices, which will give remote access to attackers and further, access to login credentials, session information, and other vulnerable appliances. 

The existence of the vulnerability was first observed in January 2021, when SonicWall warned its customers that the company's internal system has been attacked in a cyber operation that may have targeted zero-day vulnerabilities in the company’s secure remote access devices. CVE-2021-20016 was patched in February 2021 by SonicWall, however, FireEye reported that UNC2447 had exploited it before the patch was released. 

"UNC2447 monetizes intrusions by extorting their victims first with FIVEHANDS ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums," Mandiant further added in a report published today.

SonicWall Breached via Zero-Day Flaw

 

SonicWall revealed on Friday night that, highly sophisticated threat actors assaulted its internal systems by abusing a probable zero-day flaw on the organization's secure remote access products. 

The Milpitas, Calif.- based platform security vendor said the undermined NetExtender VPN customer and SMB-situated Secure Mobile Access (SMA) 100 series items are utilized to give workers and clients remote access to internal resources. The SMA 1000 series is not susceptible to this assault and uses customers different from NetExtender, as indicated by SonicWall. 

SonicWall declined to respond to questions concerning whether the assault on its internal systems was done by the same threat actor who for quite a long time infused pernicious code into the SolarWinds Orion network monitoring tool. 

The organization, notwithstanding, noticed that it's seen a “dramatic surge” in cyberattacks against firms that give basic infrastructure and security controls to governments and organizations. The organization said it is giving relief suggestions to its channel accomplices and clients. Multi-factor authentication should be enabled on all SonicWall SMA, firewall and MySonicWall accounts, as indicated by SonicWall. 

Products compromised in the SonicWall break include: the NetExtender VPN customer variant 10.x (released in 2020) used to associate with SMA 100 series appliances and SonicWall firewalls; as well as SonicWall's SMA rendition 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances and the SMA 500v virtual appliance. SonicWall accomplices and clients utilizing the SMA 100 series ought to either utilize a firewall to just permit SSL-VPN connections with the SMA appliance from known/whitelisted IPs or configure whitelist access on the SMA straightforwardly itself, as per the organization. 

For firewalls with SSN-VPN access utilizing the undermined variant of the NetExtender VPN customer, accomplices and clients ought to either impair NetExtender access to the firewalls or limit access to clients and administrators through an allow list/whitelist for their public IPs, as per SonicWall. 

The networking gadget creator, whose items are regularly used to secure access to corporate networks, presently turns into the fourth security vendor to disclose a security breach in the course of recent months after FireEye, Microsoft, and Malwarebytes. Each of the three previous organizations was breached during the SolarWinds production network assault. CrowdStrike said it was targeted in the SolarWinds hack also, however, the assault didn't succeed.