170 SonicVPN Accesses Sold on a Cybercrime Forum

XVigil identified a post, advertising 170 SonicVPN accesses for USD 2,000. Threat actors have been targeting SonicVPN frequently, which puts these accesses at a high risk of being exploited.
Published on June 13, 2022
Updated on April 19, 2023
  • Category: Adversary Intelligence
  • Threat Type: Access
  • Motivation: Financial
  • Region: Global
  • Source*: D4

Executive Summary

Threat
  • 170 SonicVPN accesses for sale on a cybercrime forum.
  • Threat actor claims to have sold all 170 of the accesses.
Impact
  • The accesses could enable other threat actors to gain entry to the organizations’ networks.
Mitigation
  • SonicVPN announced their latest patches for the newly discovered exploits.
  • Patching vulnerable and exploitable endpoints.
CloudSEK’s contextual AI digital risk platform XVigil identified a post, advertising 170 SonicVPN accesses for USD 2,000. Threat actors have been targeting SonicVPN frequently, which puts these accesses at a high risk of being exploited.

Analysis and Attribution

Information from Cybercrime Forum

  • On 4 June 2022, a threat actor published a post on a cybercrime forum, advertising 170 accesses, allegedly belonging to SonicVPN.
  • The accesses offered by the actor were on sale for USD 2,000.
  • Within a few hours of publishing the post, the threat actor updated that all 170 accesses had been sold, and that the topic could be considered closed.
Figure: Threat actor’s post on the cybercrime forum, selling the SonicVPN accesses
Figure: Threat actor’s post on the cybercrime forum, after selling the SonicVPN accesses

Threat Actors Actively Target SonicVPN in 2022

Threat actors have been actively targeting VPNs because they serve as initial access gateways into corporations. Owing to the demand for SonicVPN accesses among ransomware groups, initial access brokers (IABs) have been advertising SonicVPN accesses across cybercrime forums. Examples of posts on cybercrime forums targeting SonicWall devices:

SonicWall SSL/VPN Exploit for Sale on Cybercrime Forum

  • Date: 09 Feb 2022
  • Post: After the disclosure of a SonicWall vulnerability, a threat actor was found offering exploits with a custom-made panel, advertised as having bug fixes, increased speed, and stability.
  • Impact: Threat actors can buy this exploit and custom panel to execute stack-based buffer overflow attacks on victims.

300+ SonicVPN Accesses Shared by Threat Actor

  • Date: 24 Feb 2022
  • Post: A threat actor had scraped search engines such as Shodan and private data breaches, and shared a list of more than 300 SonicVPN accesses.
  • Impact: Threat actors can use this data to target the 300+ users/organizations using SonicVPN.

Threat Actor Sells Scripts to Hunt for Vulnerable SonicVPN Instances

  • Date: 12 Apr 2022
  • Post: A threat actor was selling a script that provided comprehensive and automated scanning of Forti and SonicWall networks for vulnerabilities and checked the validity of credentials. When a list of IPs and credentials is provided to the Python script, it fetches log directories.
  • Impact: Threat actors can use this script to identify and target vulnerable SonicWall instances.
Figure: Groups actively seeking out accesses to SonicVPN

IABs on cybercrime forums are actively advertising the sale of SonicVPN accesses to organizations across regions, industries, and revenue ranges.

Figure: Initial Access Brokers actively advertising the sale of SonicVPN accesses

Recent Vulnerabilities in SonicVPN / Sonic Firewall

There have been recent disclosures of SonicVPN and Sonic Firewall vulnerabilities. Threat actors can exploit these vulnerabilities using mass scanners and by leveraging proofs of concept sold or shared on cybercrime forums.

CVE-2022-22274

  • CVSS score: 9.4
  • Affected Product: SonicOS
  • Vulnerability: Multiple firewall appliances were found to be vulnerable to a stack-based buffer overflow that can lead to code execution or DoS via a crafted HTTP request.

CVE-2022-0778

  • CVSS score: 7.5
  • Affected Products: SonicWall Edge Appliances (NGFW, SMA) and VPN Clients
  • Vulnerability: A Denial of Service vulnerability was discovered in the OpenSSL library, triggered by a specially crafted certificate with invalid elliptic curve parameters that causes an infinite loop.

CVE-2022-22282

  • CVSS score: 8.2
  • Affected Products: SonicWall SSL VPN SMA1000
  • Vulnerability: Access to a resource over HTTP connections is incorrectly restricted, allowing an unauthorized actor to reach it (Improper Access Control).

CVE-2022-1701

  • CVSS score: 5.7
  • Affected Products: SonicWall SSL VPN SMA1000
  • Vulnerability: Use of shared and hard-coded encryption key.

CVE-2022-1702

  • CVSS score: 6.1
  • Affected Products: SonicWall SSL VPN SMA1000
  • Vulnerability: Accepts a user-controlled input that specifies a link to an external site and uses that link in a redirect, leading to an open redirect vulnerability.
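The open redirect class listed for CVE-2022-1702 is worth seeing side by side with a fixed version, since VPN portals commonly take a post-login "next" parameter. The following is an added illustration written for this page; it is generic example code, not SonicWall's code, and the host name `vpn.example.com` and the function names are invented. The hardened function keeps every redirect on the portal's own host and rejects the usual bypass shapes (absolute URLs to other hosts, scheme-relative `//host` forms, backslash variants, and non-http(s) schemes).

```python
"""Vulnerable vs hardened handling of a user-supplied post-login redirect target.

Added example for the open-redirect vulnerability class (CWE-601); not SonicWall
code. ALLOWED_HOST and the function names are constructed for illustration.
"""
from urllib.parse import urlparse, urljoin

ALLOWED_HOST = "vpn.example.com"  # constructed: the portal's own host


def vulnerable_redirect_target(next_param):
    """Vulnerable pattern: the client-supplied value is used as the Location header verbatim."""
    return next_param


def safe_redirect_target(next_param, default="/portal"):
    """Return a redirect target that always stays on ALLOWED_HOST.

    Rejects absolute URLs to other hosts, scheme-relative '//evil' forms,
    backslash tricks and non-http(s) schemes; falls back to `default`.
    """
    if not next_param:
        return default
    # Normalise backslashes: some browsers treat '/\\evil.com' as '//evil.com'.
    candidate = next_param.replace("\\", "/")
    parsed = urlparse(candidate)
    # Only plain web schemes are acceptable (blocks javascript:, data:, etc.).
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return default
    # Any explicit host must be our own; this also catches 'ourhost@evil.example'.
    if parsed.netloc and parsed.netloc.lower() != ALLOWED_HOST:
        return default
    # Resolve relative paths against our own origin and re-check the host after
    # joining, so the final target is provably on ALLOWED_HOST.
    resolved = urljoin(f"https://{ALLOWED_HOST}/", candidate)
    if urlparse(resolved).netloc.lower() != ALLOWED_HOST:
        return default
    return resolved


if __name__ == "__main__":
    for value in ["/dashboard", "https://evil.example/phish", "//evil.example/phish",
                  "/\\evil.example/phish", "javascript:alert(1)"]:
        print(repr(value), "->", safe_redirect_target(value))
```

The design choice that matters is the second host check after `urljoin`: validating the raw parameter alone is brittle because parsers disagree on edge cases, whereas checking the host of the fully resolved URL pins the outcome to what the browser will actually be sent to.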
 

Impact & Mitigation

Impact
  • VPN credentials could enable other attackers to gain access to organizations’ networks.
  • The exposed Personally Identifiable Information (PII) could enable threat actors to orchestrate social engineering schemes, phishing attacks, and even identity theft.
  • The exposed confidential details could reveal business practices and intellectual property.
  • It could equip malicious actors to launch sophisticated ransomware attacks.
Mitigation
  • Update SonicVPN with the latest patches for newly discovered exploits.
  • Check for possible workarounds and patches while keeping ports open.
  • Implement a strong password policy and enable MFA (multi-factor authentication) across logins.
  • Patch vulnerable and exploitable endpoints.
  • Monitor for anomalies in user accounts, which could indicate possible account takeovers.
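The last mitigation, monitoring accounts for signs of takeover, is the one that catches a purchased VPN access being put to use after the fact. The script below is an added example written for this page, not CloudSEK's or SonicWall's code: the log line format, the IP-to-country map standing in for a GeoIP lookup, and the sample events are all constructed and do not mirror the real SonicWall log schema. It runs two checks that a buyer of sold credentials typically trips: a successful login for the same user from two countries within a short window, and a burst of failed logins followed by a success (a buyer validating the list, or spraying it).

```python
"""Flag anomalous VPN logins that may indicate use of sold or stolen VPN accesses.

Added example, not vendor code. The log format, GEOIP table and SAMPLE_LOG below
are constructed for illustration and are not SonicWall's real log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IP -> country lookup standing in for a GeoIP database.
GEOIP = {
    "203.0.113.10": "IN",
    "198.51.100.7": "RU",
    "192.0.2.44": "IN",
    "192.0.2.45": "IN",
}

# Constructed log lines: "<timestamp> user=<name> src=<ip> result=<success|failure>"
SAMPLE_LOG = """\
2022-06-04T08:00:00 user=alice src=203.0.113.10 result=success
2022-06-04T08:20:00 user=alice src=198.51.100.7 result=success
2022-06-04T09:00:00 user=bob src=192.0.2.44 result=failure
2022-06-04T09:00:05 user=bob src=192.0.2.44 result=failure
2022-06-04T09:00:10 user=bob src=192.0.2.44 result=failure
2022-06-04T09:00:15 user=bob src=192.0.2.44 result=failure
2022-06-04T09:00:20 user=bob src=192.0.2.44 result=failure
2022-06-04T09:00:30 user=bob src=192.0.2.44 result=success
2022-06-04T10:00:00 user=carol src=192.0.2.45 result=success
"""


def parse_line(line):
    """Turn one constructed log line into a dict with a parsed timestamp."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_str)
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_impossible_travel(events, window=timedelta(hours=1)):
    """Same user, successful logins from two different countries within `window`."""
    alerts = []
    last_success = {}  # user -> (timestamp, country)
    for e in events:
        if e["result"] != "success":
            continue
        country = GEOIP.get(e["src"], "??")
        prev = last_success.get(e["user"])
        if prev and prev[1] != country and e["ts"] - prev[0] <= window:
            alerts.append((e["user"], prev[1], country, e["src"]))
        last_success[e["user"]] = (e["ts"], country)
    return alerts


def detect_failure_burst_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """At least `threshold` failures for a user within `window` followed by a success:
    typical of someone validating purchased credentials or password spraying."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent failures
    for e in events:
        user = e["user"]
        if e["result"] == "failure":
            failures[user].append(e["ts"])
            continue
        recent = [t for t in failures[user] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append((user, len(recent), e["src"]))
        failures[user].clear()
    return alerts


def run(text=SAMPLE_LOG):
    """Run both detections over a log text and return the alerts by kind."""
    events = parse_log(text)
    return {
        "impossible_travel": detect_impossible_travel(events),
        "failure_burst": detect_failure_burst_then_success(events),
    }


if __name__ == "__main__":
    for kind, hits in run().items():
        for hit in hits:
            print(kind, hit)
```

On the constructed sample, `alice` is flagged for impossible travel (IN then RU twenty minutes apart) and `bob` for five failures followed by a success; `carol` produces no alert. In production the GeoIP table would come from a real database and the thresholds should be tuned per organisation, but the shape of the logic is what matters: correlate per user across time rather than judging each event alone.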
