Ransomware attackers are leveraging old SonicWall SRA flaw (CVE-2019-7481)
Since the beginning of the year, various cyber attackers have leveraged a slew of zero-day vulnerabilities to compromise different SonicWall solutions. CrowdStrike now warns that a cyber-criminal group is exploiting CVE-2019-7481 – an older SQL injection vulnerability affecting SonicWall Secure Remote Access (SRA) 4600 devices running firmware versions 8.x and 9.x – to penetrate organizations’ networks.
“In some recent investigations, CrowdStrike’s Incident Response team has had correlative evidence indicating a root cause via VPN access without brute forcing. These investigations have a common denominator: All organizations used SonicWall SRA VPN appliances running 126.96.36.199 firmware,” researchers Heather Smith and Hanno Heinrichs noted.
Why is this happening?
VPN devices have become a mainstay for organizations looking to provide remote employees with the controlled access they need to do their jobs – as well as a favorite target for both cyber criminals and nation-state actors.
Support for SonicWall SRA 4600 devices ended on 1 November 2019 and, since then, the company has been advising customers to upgrade to a newer, supported device line (Secure Mobile Access – SMA). But we all know that unsupported devices are often not promptly replaced, so the SonicWall PSIRT also told customers that older SRA devices could be patched by implementing SMA firmware updates.
Unfortunately, it turns out that firmware version 188.8.131.52, the recommended patch prescribed for SMA devices in 2019, did not fix CVE-2019-7481 in SRA devices.
With a public proof of concept and code available for this flaw, it’s no wonder that attackers have attempted to leverage it.
What should you do?
Companies that still run SRA devices should check which firmware version they are using and check their logs for indicators of compromise.
“While SonicWall’s recommendation is to upgrade any legacy SRA devices to the 10.x versioning recommended in light of the 2021 zero-day disclosure, CrowdStrike would additionally recommend that organizations consider replacing any legacy models for newer devices that are in-scope for vendor testing and support,” the researchers added.
Aside from that, they advise organizations to protect VPN access and other apps, portals and email open to remote access with multi-factor authentication, and to implement endpoint detection and response (EDR) software to stymie attackers that might get past that first barrier.
UPDATE – June 15, 2021, 01:12 p.m. PT
The names of the authors of the CrowdStrike blog post referenced in the article have been added.