The Expert's View with Jeremy Kirk

SonicWall Was Hacked. Was It Also Extorted?

Hacker Claims SonicWall Paid Ransom; SonicWall Stays Silent
Inside SonicWall's headquarters in Milpitas, California. (Photo: Arctecinc)

Cybersecurity companies advise their clients not to pay ransoms for good reasons: Pay once and the attackers may come back with their hand out again.


It also props up the cybercrime business model: once one victim pays, others are likely to pay too, given the right pressure.

But when a breach and subsequent extortion attempt actually happen, the reality is often a lot messier. Enter SonicWall. On Jan. 22, SonicWall said intruders had likely used zero-day vulnerabilities in its own remote access product, Secure Mobile Access, to access its own internal systems (see: SonicWall Investigating Zero-Day Attacks Against Its Products).

Since that time, SonicWall has issued a patch for a zero-day vulnerability and updates for its SMA 100 remote access product, including new firmware on Friday.

Curiously, SonicWall hasn't said much about the extent and damage of the breach since its announcement. But there are strong indications that SonicWall may have been targeted by an extortion attempt, and it is declining to answer if it paid a ransom.

A Soft Ransom Demand

SonicWall declined to answer questions from ISMG about this specific situation. But the company was made aware of the content of this column before publication. Instead, SonicWall sent this statement on Tuesday:

SonicWall's statement.

The first clue comes from a posting made on a well-known Russian-language cybercriminal forum. Just a day after SonicWall's announcement, a post went up from someone going by the nickname "SailorMorgan32," says Gene Yoo, CEO of Los Angeles-based Resecurity. Resecurity's Hunter Unit specializes in gaining intelligence from cybercrime actors via human intelligence and observing dark web forums.

The post offered for sale data purportedly stolen from SonicWall. SonicWall, the post says, could pay to claim the data. Otherwise, it would be sold to no more than five buyers at $500,000 each.

SailorMorgan32's original posting, offering SonicWall's data back to the company itself or to other people for $500,000.

Purported to be in that data package is 4 terabytes of material including nondisclosure agreements, accounting and payroll documents plus 3 terabytes of source code.

There were also several screenshots. One appears to be SonicWall's internal Jira, which is project management and bug tracking software. Another screenshot shows a license management application related to SSL VPN, which is a way for remote users to access internal resources through a SonicWall firewall. Another shows a list of more than 30 SonicWall clients in a folder titled NDA, short for nondisclosure agreement. Yet another screenshot shows the first page of an NDA between SonicWall and Telefonica Brasil.

Other screenshots show folders with worrying names such as "Accounting - EMEA," which is a 6GB folder; "Accounting-International," which is almost 2GB; and "Finance," which is more than 9GB. Some screenshots indicate that the SonicWall files had been copied into Mega's file-sharing application.

Mega and other file-sharing applications are sometimes installed by attackers to exfiltrate data since the traffic isn't always detected as malicious, according to the Crypsis Group.
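Because consumer file-sharing traffic often blends in with ordinary web browsing, one defensive check is to aggregate outbound bytes per workstation to such services and flag unusually large transfers. The following is an added example and is not code from the article, from SonicWall or from the Crypsis Group; the proxy log lines are constructed, the domain list is an assumption to be tuned to an environment, and the 100 MiB threshold is an illustrative choice.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not from the article).
# Fields: timestamp, source host, method, destination host, bytes sent by the client.
SAMPLE_PROXY_LOG = """\
2021-01-23T02:14:07Z ws-fin-07 POST g.api.mega.co.nz 734003200
2021-01-23T02:14:09Z ws-fin-07 GET www.example.com 1024
2021-01-23T02:20:11Z ws-eng-12 POST g.api.mega.co.nz 52428800
2021-01-23T09:01:30Z ws-hr-03 GET mega.nz 2048
2021-01-23T09:05:44Z ws-eng-12 POST upload.internal.example.com 2147483648
"""

# Consumer file-sharing services that may not be sanctioned for bulk transfer.
# This list is an assumption for the example; extend it for your environment.
FILE_SHARING_DOMAINS = {"mega.nz", "mega.co.nz"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<sent>\d+)$"
)


def is_file_sharing_host(host):
    """True if host is one of the listed domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in FILE_SHARING_DOMAINS)


def parse_proxy_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        rec = match.groupdict()
        rec["sent"] = int(rec["sent"])
        records.append(rec)
    return records


def bytes_to_file_sharing(records):
    """Sum client-sent bytes per source host, counting only file-sharing destinations."""
    totals = defaultdict(int)
    for rec in records:
        if is_file_sharing_host(rec["host"]):
            totals[rec["src"]] += rec["sent"]
    return dict(totals)


def flag_bulk_uploads(text, threshold_bytes=100 * 1024 * 1024):
    """Return (source, bytes) pairs above the threshold, largest first."""
    totals = bytes_to_file_sharing(parse_proxy_log(text))
    flagged = [(src, n) for src, n in totals.items() if n >= threshold_bytes]
    return sorted(flagged, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for src, sent in flag_bulk_uploads(SAMPLE_PROXY_LOG):
        print(f"{src}: {sent} bytes sent to file-sharing services")
```

In the sample data only the finance workstation crosses the threshold; the internal upload server is ignored because it is not in the domain list, which is why the list, not the byte count alone, is what makes the check useful.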

One screenshot shows what appears to be SonicWall's Jira system.

The post quickly disappeared, however. It was up for two hours or less. Others who watch the forum relatively closely missed the forum post's brief appearance, but the images in SailorMorgan32's post are still in the forum's cache.

Alleged Payout

Not long afterward, SailorMorgan32 claimed in a private chat that SonicWall paid him around $5 million, according to an industry source who wishes to remain anonymous. The hacker then allegedly went on vacation, an action that's not unheard of after a cybercriminal hits a big payout.

Cybercriminals, however, often falsely boast of their successes, so why should anyone put any faith in what this person claims?

SailorMorgan32 uploaded this screenshot which appears to be a batch of internal SonicWall files.

SailorMorgan32 appears to be cut from a different cloth: He's polite and appears to be well educated, says Alex Holden, CISO of Hold Security. Holden's company also monitors cybercriminal forums for clues of intrusions and data breaches at companies. The man is likely from Moldova.

"For a cybercriminal, he is a decent bad guy," Holden says. "He is someone who plays the long game."

A screenshot that shows the device licensing manager source code for SonicWall's SSL VPN

SailorMorgan32 has been on this particular cybercrime forum for about two years. He buys and sells lists of login credentials that have been collected by those who run botnets. Credential theft remains one of the biggest sources for intrusions and is often the start for ransomware or extortion campaigns.

Holden says SailorMorgan32 typically sorted through those lists to extract the most valuable leads. Then, he sold the data to others for ransomware or extortion campaigns. He focused on making sure his customers were happy and there was no conflict, Holden says.

SailorMorgan32 specializes in supply chain attacks, looking for ways into systems through remote access channels such as Remote Desktop Protocol, Citrix and VPN systems, Yoo says. He has strong knowledge about offensive tools such as Cobalt Strike as well as techniques to penetrate into and retain access within Microsoft's Active Directory environment, which is the identity and access backbone for many organizations.

Over the past two years or so, SailorMorgan32 has written forum postings trying to sell access credentials to companies in Mexico, Germany, South Africa and the United States, Yoo says.

Others have also observed SailorMorgan32. The threat actor has been selling access to compromised organizations across Europe, North America and Latin America, says Mark Arena, CEO of Intel 471, a U.S.-based firm that specializes in cybercrime intelligence.

Often, hackers such as SailorMorgan32 will put compromised access credentials up for sale, Arena says. Then, known ransomware-as-a-service groups such as Pysa/Mespinoza and REvil/Sodinokibi will later claim to have attacked the same organizations. But often it's difficult to establish a firm link between the actors themselves and their relationships, he says.

Last year, SailorMorgan32 tried to sell access to a Spanish construction company. That company's data later turned up on the REvil ransomware blog, Arena says. It's unclear if it was a collaboration or rather a coincidence, he says.

So is SailorMorgan32 telling the truth about being paid off by SonicWall to not release a load of data?

SonicWall did not respond to questions sent by ISMG, including even a question on what its policy is on paying ransoms. Generally, SonicWall has advised other companies that paying a ransom should be "last on your list" of options.

If SonicWall didn't pay a ransom and SailorMorgan32 is bluffing, it's puzzling why SonicWall wouldn't take the opportunity to quash the suggestion. But plenty of organizations have gone the route of paying a ransom, and most of those payments never become public.

Frustratingly, the cycle of breach, extortion and ransom continues.



About the Author

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
