Security News > 2023 > March > Suspected Chinese cyber spies target unpatched SonicWall devices

Suspected Chinese cyber spies target unpatched SonicWall devices
2023-03-09 02:26

Suspected Chinese cyber criminals have zeroed in on unpatched SonicWall gateways and are infecting the devices with credential-stealing malware that persists through firmware upgrades, according to Mandiant.

The spyware targets the SonicWall Secure Mobile Access 100 Series - a gateway device that provides VPN access to remote users.

"Working in partnership with Mandiant, the SonicWall Product Security and Incident Response Team confirmed a persistent threat actor campaign leveraging malware against unpatched SonicWall Secure Mobile Access Series 100 appliances. While not tied to a new or specific vulnerability, SonicWall urges organizations to be proactive in updating to the most recent SMA 100 series firmware, which includes additional hardening and security controls."

"The joint investigation revealed that the devices had known exploited vulnerabilities going back as far as 2019 and were not remediated until 2021," the SonicWall spokesperson confirmed.

"The investigation revealed that the unpatched devices were vulnerable to known exploited vulnerabilities, including CVE-2021-20016, CVE-2021-20028, CVE-2019-7483 and CVE-2019-7481.".

Carmakal also commended SonicWall for the firmware update, which "Will better enable organizations to detect compromised devices," and said he hopes "More vendors push out similar code to their devices." .


News URL

https://go.theregister.com/feed/www.theregister.com/2023/03/09/suspected_chinese_cyberspies_target_uppatched/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-08-04 CVE-2021-20028 SQL Injection vulnerability in Sonicwall products
Improper neutralization of a SQL Command leading to SQL Injection vulnerability impacting end-of-life Secure Remote Access (SRA) products, specifically the SRA appliances running all 8.x firmware and 9.0.0.9-26sv or earlier
network
low complexity
sonicwall CWE-89
critical
9.8
2021-02-04 CVE-2021-20016 SQL Injection vulnerability in Sonicwall products
A SQL-Injection vulnerability in the SonicWall SSLVPN SMA100 product allows a remote unauthenticated attacker to perform SQL query to access username password and other session related information.
network
low complexity
sonicwall CWE-89
critical
9.8
2019-12-19 CVE-2019-7483 Path Traversal vulnerability in Sonicwall SMA 100 Firmware 9.0.0.0/9.0.0.3
In SonicWall SMA100, an unauthenticated Directory Traversal vulnerability in the handleWAFRedirect CGI allows the user to test for the presence of a file on the server.
network
low complexity
sonicwall CWE-22
7.5
2019-12-17 CVE-2019-7481 SQL Injection vulnerability in Sonicwall SMA 100 Firmware 9.0.0.0/9.0.0.3
Vulnerability in SonicWall SMA100 allow unauthenticated user to gain read-only access to unauthorized resources.
network
low complexity
sonicwall CWE-89
7.5

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Sonicwall 113 0 41 74 38 153