SonicWall Was Hacked. Was It Also Extorted?Hacker Claims SonicWall Paid Ransom; SonicWall Stays Silent
Cybersecurity companies advise their clients not to pay ransoms for good reasons: Pay once and the attackers may come back with their hand out again.
It also promotes a cybercrime business model: When one pays, it's likely that other victims may pay with the right pressure.
Curiously, SonicWall hasn't said much about the extent and damage of its own breach since its announcement. But there are strong indications that SonicWall may have been targeted by an extortion attempt.
But when a breach and subsequent extortion attempt actually happen, the reality is often a lot messier. Enter SonicWall. On Jan. 22, SonicWall said intruders had likely used zero-day vulnerabilities in its own remote access product, Secure Mobile Access, to access its own internal systems (see: SonicWall Investigating Zero-Day Attacks Against Its Products).
Since that time, SonicWall has issued a patch for a zero-day vulnerability and updates for its SMA 100 remote access product, including new firmware on Friday.
Curiously, SonicWall hasn't said much about the extent and damage of the breach since its announcement. But there are strong indications that SonicWall may have been targeted by an extortion attempt, and it is declining to answer if it paid a ransom.
A Soft Ransom Demand
SonicWall declined to answer questions from ISMG about this specific situation. But the company was made aware of the content of this column before publication. Instead, SonicWall sent this statement on Tuesday:
The first clue comes from a posting made on a well-known Russian-language cybercriminal forum. Just a day after SonicWall's announcement, a post went up from someone going by the nickname "SailorMorgan32," says Gene Yoo, CEO of Los Angeles-based Resecurity. Resecurity's Hunter Unit specializes in gaining intelligence from cybercrime actors via human intelligence and observing dark web forums.
The post offered for sale data purportedly stolen from SonicWall. SonicWall, the post says, could pay to claim the data. Otherwise, it would be sold to no more than five buyers at $500,000 each.
Purported to be in that data package is 4 terabytes of material including nondisclosure agreements, accounting and payroll documents plus 3 terabytes of source code.
There were also several screenshots. One appears to be SonicWall's internal Jira, which is project management and bug tracking software. Another screenshot shows a license management application related to SSL VPN, which is a way for remote users to access internal resources through a SonicWall firewall. Another shows a list of more than 30 SonicWall clients in a folder titled NDA, short for nondisclosure agreement. Yet another screenshot shows the first page of an NDA between SonicWall and Telefonica Brasil.
Other screenshots show folders with worrying names such as "Accounting - EMEA," which is a 6GB folder; "Accounting-International," which is almost 2GB; and "Finance," which is more than 9GBs. Some screenshots indicate that the SonicWall files have been copied into Mega's file-sharing application.
Mega and other file-sharing applications are sometimes installed by attackers to exfiltrate data since the traffic isn't always detected as malicious, according to the Crypsis Group.
The post quickly disappeared, however. It was up for two hours or less. Others who watch the forum relatively closely missed the forum post's brief appearance, but the images in SailorMorgan32's post are still in the forum's cache.
Not long afterward, SailorMorgan32 claimed in a private chat that SonicWall paid him around $5 million, according to an industry source who wishes to remain anonymous. The hacker then allegedly went on vacation, an action that's not unheard of after a cybercriminal hits a big payout.
Cybercriminals, however, often falsely boast of their successes, so why should anyone put any faith in what this person claims?
SailorMorgan32 appears to be cut from a different cloth: He's polite and appears to be well educated, says Alex Holden, CISO of Hold Security. Holden's company also monitors cybercriminal forums for clues of intrusions and data breaches at companies. The man is likely from Moldova.
"For a cybercriminal, he is a decent bad guy," Holden says. "He is someone who plays the long game."
SailorMorgan32 has been on this particular cybercrime forum for about two years. He buys and sells lists of login credentials that have been collected by those who run botnets. Credential theft remains one of the biggest sources for intrusions and is often the start for ransomware or extortion campaigns.
Holden says SailorMorgan32 typically sorted through those lists to extract the most valuable leads. Then, he sold the data to others for ransomware or extortion campaigns. He focused on making sure his customers were happy and there was no conflict, Holden says.
SailorMorgan32 specializes in supply chain attacks, looking for ways into systems through remote access channels such as Remote Desktop Protocol, Citrix and VPN systems, Yoo says. He has strong knowledge about offensive tools such as Cobalt Strike as well as techniques to penetrate into and retain access within Microsoft's Active Directory environment, which is the identity and access backbone for many organizations.
Over the past two years or so, SailorMorgan32 has written forum postings trying to sell access credentials to companies in Mexico, Germany, South Africa and the United States, Yoo says.
Other have also observed SailorMorgan32. The threat actor has been selling access to compromised organizations across Europe, North America and Latin America, says Mark Arena, CEO of Intel 471, a U.S.-based firm that specializes in cybercrime intelligence.
Often, hackers such as SailorMorgan32 will put compromised access credentials up for sale, Arena says. Then, known ransomware-as-a-service groups such as Pysa/Mespinoza and REvil/Sodinokibi will later claim to have attacked the same organizations. But often it's difficult to establish a firm link between the actors themselves and their relationships, he says.
Last year, SailorMorgan32 tried to sell access to a Spanish construction company. That company's data later turned up on the REvil ransomware blog, Arena says. It's unclear if it was a collaboration or rather a coincidence, he says.
So is SailorMorgan32 telling the truth about being paid off by SonicWall to not release a load of data?
SonicWall did not respond to questions sent by ISMG, including even a question on what its policy is on paying ransoms. Generally, SonicWall has advised other companies that paying a ransom should be "last on your list" of options.
There are many things you can do to nip #ransomware in the bud, last on your list should be paying the ransom. In fact, a new OFAC advisory states that paying a ransom can be an illegal act. Explore the current #ransomware landscape with SonicWall https://t.co/pnlLWMfdlT pic.twitter.com/KJActPDMhS— SonicWall (@SonicWall) January 2, 2021
If SonicWall didn't pay a ransom and SailorMorgan32 is bluffing, it's puzzling why SonicWall wouldn't take the opportunity to quash the suggestion. But plenty of organizations have gone the route of paying a ransom, and most of those payments never become public.
Frustratingly, the cycle of breach, extortion and ransom continues.