HelloKitty ransomware hackers are exploiting unpatched SonicWall implementations

In a recent statement, the Cybersecurity and Infrastructure Security Agency (CISA) publicly acknowledges its concern about the activity of some hacking groups currently abusing a flaw previously addressed in SonicWall Secure Mobile Access (SMA) and Secure Remote Access (SRA) that are no longer supported. The Agency notes that threat actors could abuse this flaw to deploy highly targeted ransomware attacks. 

CISA’s announcement comes days after SonicWall issued a security alert related to what they identified as “imminent risk of ransomware attack.” The company did not openly acknowledge the detection of incidents in the wild, although CISA was clear regarding the identification of active attacks.

The Agency advised users of affected deployments to review the security alert published by SonicWall, in addition to deploying updates in appropriate cases, or disconnect devices that will no longer be supported.

These security alerts do not include details about the identity of the threat actors behind the exploit attempts, although some members of the cybersecurity community have attributed this activity to the ransomware group that operates the variant known as HelloKitty. On this specific ransomware variant, specialists mention that this is a ransomware operation detected in late 2020 and that it would have been responsible for the attack on video game developers CD Projekt Red, an incident that led to the theft of the source code of releases such as Cyberpunk 2077 or Witcher 3.

Regarding the attack on affected implementations of SonicWall, security specialist Heather Smith claims that hackers exploited a flaw identified as CVE-2019-7481, a claim confirmed by SonicWall when publishing its alert: “This exploitation targets a known vulnerability that was addressed in the most recent firmware versions,” the company says.

This isn’t the only threat SonicWall users face. A previous security report notes that a hacking group identified as UNC2447 has been exploiting CVE-2021-20016, a vulnerability in SonicWall SMA 100 Series VPN devices. This group is responsible for the deployment of FiveHands, a ransomware variant that, like HelloKitty, was developed from the DeathRansom malware.

Hacking incidents related to this group were detected mainly in North America and Europe. The vulnerability was addressed last February, so that cases of exploitation were significantly reduced.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.