Security researchers are warning that cybercriminals are actively exploiting an older SQL injection flaw, CVE-2019-7481, in SonicWall Secure Remote Access (SRA) 4600 appliances running 8.x and 9.x firmware.
CVE-2019-7481 Currently Used in Attacks against Organizations
The vulnerability is being used in attacks against a range of organizations. In several recent CrowdStrike incident response investigations, the evidence pointed to initial access through the VPN appliance, with no brute-force authentication attempts observed. “These investigations have a common denominator: All organizations used SonicWall SRA VPN appliances running 220.127.116.11 firmware,” CrowdStrike said.
CrowdStrike Intelligence researchers confirmed that CVE-2019-7481 affects SRA devices running even the latest 8.x and 9.x firmware releases, and that the latest Secure Mobile Access (SMA) firmware does not mitigate the flaw on SRA devices.
Increased reliance on VPN appliances has led both eCrime groups and nation-state actors to exploit weaknesses in these devices to breach organizations. In the case of this 2019 vulnerability, the research team observed “big game hunting (BGH) ransomware actors” exploiting it against older SonicWall SRA 4600 VPN devices during several incident response investigations.
In February, SonicWall’s Product Security Incident Response Team disclosed a zero-day vulnerability, CVE-2021-20016, in its Secure Mobile Access (SMA) products. It affects the SMA 100 series, and devices running 10.x firmware require an update. “SonicWall did not state if or how this newest exploit affects any older SRA VPN devices still in production environments,” CrowdStrike pointed out.
According to the official description, CVE-2019-7481 is a vulnerability in SonicWall SMA100 that could allow an unauthenticated user to gain read-only access to unauthorized resources.
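To make the vulnerability class concrete, here is an added illustration (not SonicWall code, and not derived from the CVE-2019-7481 exploit, whose details this article does not cover) of how a SQL injection in a lookup query can hand an unauthenticated caller read-only access to rows it should never see, alongside the parameterized query that closes the hole. The table, column names and sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample data: a per-user resources table. The schema and rows are
# invented for this illustration and have nothing to do with SonicWall's schema.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE resources (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO resources (owner, name) VALUES (?, ?)",
        [
            ("alice", "alice-vpn-profile"),
            ("bob", "bob-vpn-profile"),
            ("admin", "admin-bookmarks"),
        ],
    )
    return conn


def lookup_vulnerable(conn, owner, name):
    # Anti-pattern: caller-controlled strings are spliced straight into the SQL
    # text, so a quote in `name` terminates the literal and the remainder becomes
    # part of the WHERE clause. Because the statement stays a SELECT, the
    # attacker gains read access only, which matches the "read-only access to
    # unauthorized resources" wording of the advisory.
    sql = (
        "SELECT owner, name FROM resources "
        f"WHERE owner = '{owner}' AND name = '{name}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, owner, name):
    # Fix: bind parameters. The driver sends the values separately from the SQL
    # text, so a quote or OR clause inside `name` is just data to compare against.
    sql = "SELECT owner, name FROM resources WHERE owner = ? AND name = ?"
    return conn.execute(sql, (owner, name)).fetchall()


def demo():
    conn = build_db()
    # An unauthenticated session only knows the 'guest' owner, which has no rows.
    # With AND binding tighter than OR, the injected clause becomes
    #   WHERE (owner = 'guest' AND name = '') OR '1'='1'
    # and every row in the table comes back.
    payload = "' OR '1'='1"
    leaked = lookup_vulnerable(conn, "guest", payload)
    blocked = lookup_safe(conn, "guest", payload)
    legit = lookup_safe(conn, "alice", "alice-vpn-profile")
    return {"leaked": leaked, "blocked": blocked, "legit": legit}


if __name__ == "__main__":
    result = demo()
    print("vulnerable query leaked", len(result["leaked"]), "rows:", result["leaked"])
    print("parameterized query returned", result["blocked"])
    print("legitimate lookup returned", result["legit"])
```

The same payload that dumps every row through `lookup_vulnerable` returns nothing through `lookup_safe`, while a legitimate lookup still works; parameterization, not input filtering, is the fix a code reviewer should insist on wherever a query is assembled from request data.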
CVE-2021-22893 Pulse Secure VPN Bug Exploited in April
In April, another VPN zero-day was exploited in the wild. CVE-2021-22893 is a critical vulnerability in Pulse Secure VPN devices that nation-state actors exploited against US defense, finance, and government targets; according to a Pulse Secure advisory, attacks against European targets were also observed. The flaw allows remote code execution with administrator-level access on vulnerable devices.