HelloKitty ransomware gang targets vulnerable SonicWall devices

BleepingComputer became aware that the recent wave of attacks targeting vulnerable SonicWall devices was carried out by HelloKitty ransomware operators.

SonicWall this week has issued an urgent security alert to warn companies of “an imminent ransomware campaing” targeting some of its equipment that reached end-of-life (EoL).

Threat actors could target unpatched devices belonging to Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) families.

“Through the course of collaboration with trusted third parties, SonicWall has been made aware of threat actors actively targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware in an imminent ransomware campaign using stolen credentials.” reads the alert published by the company. “The exploitation targets a known vulnerability that has been patched in newer versions of firmware.”

The company states that organizations that fail to address known vulnerabilities in the firmware of SRA and SMA 100 series products are at imminent risk of a targeted ransomware attack.

The network equipment vendor is now urging customers to update the firmware of their devices as soon as possible.

CISA also warned of ransomware attacks attempting to exploit known, previously patched, vulnerability in SonicWall Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products.

Both SonicWall and CISA did not provide details about the threat actors behind these attacks, but BleepingComputer became aware that HelloKitty ransomware gang has been exploiting the issue in a recent wave of attacks.

“While CISA and SonicWall did not reveal the identity of the threat attackers behind these attacks, BleepingComputer was told by a source in the cybersecurity industry that HelloKitty has been exploiting the vulnerability for the past few weeks.” reported BleepingComputer.

Bleeping computer also added that CrowdStrike confirmed that several three actors, including HelloKitty ransomware operators, are attempting to exploit a flaw tracked as CVE-2019-7481.

Other groups targeted known vulnerabilities in SonicWall devices in the past, such as the UNC2447 cybercrime gang that exploited the CVE-2021-20016 zero-day bug in SonicWall SMA 100 Series VPN appliances to deliver the FiveHands ransomware.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, HelloKitty ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]