The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (DHS CISA) has warned that attackers are exploiting a “known, previously patched vulnerability” in SonicWall Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running outdated firmware. The experts add that attackers can exploit this vulnerability for targeted ransomware attacks.
As a reminder, last week SonicWall issued an urgent warning to its customers, announcing an “imminent ransomware campaign” that will target products that have already been discontinued. CISA now urges users and administrators to review this SonicWall notice and update their devices’ firmware, or disable the devices immediately if updating is not possible.
Although CISA and SonicWall do not say which hacking groups are behind the attacks, Bleeping Computer’s own sources say that this is the HelloKitty ransomware, which has been actively exploiting the mentioned vulnerability over the past several weeks. This information was confirmed by CrowdStrike employees, who said that the attacks are carried out by several attackers, including HelloKitty.
The HelloKitty ransomware has been active since November 2020 and is mainly known for its attack on CD Projekt Red, where hackers claimed to have stolen the source code of Cyberpunk 2077, Witcher 3, Gwent and other games.
Although the experts do not name the exact vulnerability used to hack the SMA and SRA devices, a CrowdStrike specialist told reporters that the problem has the identifier CVE-2019-7481. This is an interesting fact, as SonicWall stated that the vulnerability “was fixed in newer firmware versions released in early 2021,” whereas CrowdStrike believes that the attacks rely on a problem that was discovered and fixed back in 2019.