
SonicWall Hunts for Zero-Day Amid Surge in Firewall Exploitation – Source: www.securityweek.com


Source: www.securityweek.com – Author: Ionut Arghire

A recently observed surge in ransomware attacks that use SonicWall firewalls for initial access suggests that a zero-day vulnerability may be under exploitation, security researchers warn.

Google Threat Intelligence Group (GTIG) was the first to warn of the new wave of activity in mid-July, when it noted that credentials stolen in previous attacks were likely used to compromise SonicWall appliances that had been fully patched against known vulnerabilities.

In the observed incidents, the threat actors deployed a new backdoor and user-mode rootkit dubbed Overstep, which modifies the appliance's boot process to persist and to steal data.

At the same time, GTIG noted that the threat actor behind the attacks, tracked as UNC6148, “may have used an unknown zero-day remote code execution vulnerability to deploy Overstep on opportunistically targeted SonicWall SMA appliances”.

In early August, cybersecurity firms Arctic Wolf and Huntress issued fresh alerts on attacks against SonicWall appliances in which MFA was bypassed, and SonicWall acknowledged the surge in activity, saying it was looking into possible exploitation of a zero-day.

“We are actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible,” SonicWall said on Monday.

Arctic Wolf said it had observed attacks involving VPN access through SonicWall SSL VPNs, and that the evidence collected points to a zero-day flaw.

“In some instances, fully patched SonicWall devices were affected following credential rotation. Despite TOTP MFA being enabled, accounts were still compromised in some instances,” the company said.


Huntress, too, warned of successful attacks against appliances with MFA enabled, noting that the threat actors were seen pivoting to domain controllers within hours of initial access.

“During our investigation into telemetry related to this activity, we’ve found evidence to suggest that this compromise may be limited to TZ and NSa-series SonicWall firewalls with SSLVPN enabled. We can confirm that the suspected vulnerability exists in firmware versions 7.2.0-7015 and earlier,” Huntress said.

The campaign is targeting Gen 7 SonicWall firewalls with SSLVPN enabled, and SonicWall recommends that customers disable SSLVPN services, limit SSLVPN connectivity to trusted source IPs, enable security services to detect threat activity, enforce MFA, remove unused accounts, and ensure that all passwords are rotated.

“Please remain vigilant and apply the above mitigations immediately to reduce exposure while we continue our investigation,” SonicWall noted.
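The scope statements above (TZ and NSa-series units, SSLVPN enabled, firmware 7.2.0-7015 and earlier) are what a defender would first check an appliance inventory against. The following is an added example, not code from SonicWall, Huntress or the article: it parses SonicOS 7 version strings numerically (so that a build number is never compared as text) and buckets a constructed inventory by the article's criteria. The Appliance fields, the bucket names and the sample devices are assumptions made for illustration.

```python
"""Triage a firewall inventory against the scope described in the article.

Added example, not SonicWall, Huntress or SecurityWeek code. The scope
constants come from the article (TZ/NSa series, SSLVPN enabled, firmware
7.2.0-7015 and earlier); the inventory below is constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Upper bound Huntress gave for firmware in which the suspected flaw exists.
AFFECTED_MAX_VERSION = "7.2.0-7015"
# Product series Huntress said the compromises appear limited to.
AFFECTED_SERIES = ("TZ", "NSa")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_sonicos_version(version: str) -> Tuple[int, int, int, int]:
    """Turn a SonicOS 7 string such as '7.2.0-7015' into a sortable tuple.

    Comparing the raw strings would be wrong ('7.10.0-1' sorts before
    '7.2.0-7015' as text), so every component is compared as an integer.
    """
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised SonicOS version string: {version!r}")
    major, minor, patch, build = (int(x) for x in m.groups())
    return major, minor, patch, build


@dataclass
class Appliance:
    """Minimal inventory record (assumed fields, not a SonicWall schema)."""
    name: str
    model: str            # e.g. "TZ 670", "NSa 2700"
    firmware: str         # e.g. "7.2.0-7015"
    sslvpn_enabled: bool


def series_of(model: str) -> str:
    """Product series is the first token of the model name ('TZ', 'NSa', ...)."""
    parts = model.split()
    return parts[0] if parts else ""


def triage(app: Appliance) -> str:
    """Bucket one appliance (bucket names are this example's own).

    other-series     not a TZ or NSa unit, outside the reported scope.
    sslvpn-disabled  TZ/NSa with SSLVPN off, SonicWall's first mitigation.
    in-scope         TZ/NSa, SSLVPN on, firmware <= 7.2.0-7015.
    unconfirmed      TZ/NSa, SSLVPN on, firmware newer than 7.2.0-7015; the
                     article only confirms the flaw up to that build and does
                     not say newer firmware is safe, so treat it as open.
    """
    if series_of(app.model) not in AFFECTED_SERIES:
        return "other-series"
    if not app.sslvpn_enabled:
        return "sslvpn-disabled"
    affected = (
        parse_sonicos_version(app.firmware)
        <= parse_sonicos_version(AFFECTED_MAX_VERSION)
    )
    return "in-scope" if affected else "unconfirmed"


def triage_inventory(apps: List[Appliance]) -> Dict[str, str]:
    """Map appliance name -> bucket so in-scope units can be actioned first."""
    return {app.name: triage(app) for app in apps}


# Constructed inventory for the demo; model/firmware pairs are illustrative.
SAMPLE_INVENTORY = [
    Appliance("branch-tz670", "TZ 670", "7.2.0-7015", True),
    Appliance("hq-nsa2700", "NSa 2700", "7.1.1-7040", False),
    Appliance("lab-tz370", "TZ 370", "7.3.0-7012", True),
    Appliance("dc-nssp", "NSsp 15700", "7.2.0-7015", True),
]

if __name__ == "__main__":
    for name, bucket in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{name:14s} {bucket}")
```

The "unconfirmed" bucket is deliberate: the article states only that the flaw is confirmed in 7.2.0-7015 and earlier, not that later builds are unaffected, and with no fix published every bucket except "other-series" should still receive SonicWall's interim mitigations (disable SSLVPN or restrict it to trusted IPs, enforce MFA, remove unused accounts, rotate passwords).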

Related: SonicWall Patches Critical SMA 100 Vulnerability, Warns of Recent Malware Attack

Related: Apple Patches Safari Vulnerability Flagged as Exploited Against Chrome

Related: High-Severity Flaws Patched in Chrome, Firefox

Related: New ‘ResolverRAT’ Targeting Healthcare, Pharmaceutical Organizations

Original Post URL: https://www.securityweek.com/sonicwall-hunts-for-zero-day-amid-surge-in-firewall-exploitation/

Category & Tags: Vulnerabilities, Featured, firewall, Ransomware, SonicWall, Zero-Day

