Centripetal Networks observed 472,584 potential exploitation attempts from Iraq targeting a SonicWall VPN host only hours after SonicWall published advisory SNWLID-2020-0010[1]. Centripetal’s CleanINTERNET service was able to block all of these inbound attempts targeting the vulnerable infrastructure in order to defend the environment. This advisory was assigned CVE-2020-5135[2] with a CVSSv3 of 9.4 as it can be launched through unauthenticated traffic to establish Denial of Service and potentially Remote Code Execution conditions. At the time of the announcement, there were up to 800k potentially vulnerable SonicWall devices available on the Internet[3].
The 472k attacks were directed at the host and do not appear to be random port scans or otherwise expect Internet noise. These scans targeted TCP port 443 individually across all of the attempts and were launched in two very specific attack windows. The first scan comprised of 212k events, occurred on Monday, October 12th, 2020 at 10:53:49 UTC and continued until 16:51:38 UTC. The second scan was an additional 260k events beginning on Tuesday, October 13th, 2020 at 06:59:01 UTC and continued until 13:12:43 UTC. Again, all attacks targeted only TCP port 443 – interestingly there were 1,793 separate attacker IPs used to create this traffic.
It is worth noting that there were two ICMP events from Iraq as well, one before the scans and one after. These ICMP packets were blocked by the CleanINTERNET service as well to protect from reconnaissance based attacks.
Centripetal’s CleanINTERNET service was able to defend the network from attacks published only hours earlier through the power of applied Cyber Threat Intelligence.
Centripetal Network’s CleanINTERNET service is able to deliver proactive network protection by leveraging Cyber Threat Intelligence (CTI) to identify and prevent threats. Additionally, layering geographic based IP location allows the CleanINTERNET service to block attacks from undesirable or unwanted countries across the globe.
Timeline
- Monday, October 12th 2020: SonicWall releases SNWLID-2020-0010
- Monday, October 12th 2020 @ 10:53:49 UTC
-
- Attack began and targeted TCP port 443 only on the victim IP
- Utilized 512 separate attacking IPs from Iraq, attempting to evade firewalls
- 5.62.128.0/24 and 5.62.136.0/24 networks
- 212k attacks over this six hour period
- Tuesday, October 13th 2020 @ 06:59:01 UTC
- Second large attack against TCP 443 only again
- Utilized 1,281 separate IPs
- 260k additional attacks over another 8 hour period
References
-
[1] https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0010
-
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-5135
-
[3] https://www.tripwire.com/state-of-security/vert/sonicwall-vpn-portal-critical-flaw-cve-2020-5135/
