Full Report
It’s an endless drumbeat: cyber news of legacy firewalls being targeted, most often by nation-state attackers. Over the past several months, we’ve seen reports of China-linked group Storm-1849 spending the month of October attacking Cisco ASA firewalls. SonicWall on Nov. 19 sent out an advisory to its customers about a high-severity vulnerability in its SonicOS…
Analysis Summary
# Threat Actor: Storm-1849
## Attribution & Identity
* **Attribution:** China-linked group.
* **Known Aliases and Associated Groups:** None given in the provided text beyond the designation "Storm-1849."
## Activity Summary
* **Recent Campaigns:** Storm-1849 was reported to be actively targeting Cisco ASA firewalls throughout the month of October.
* **Associated Activity:** The text also notes separate but contextually related state-sponsored activity targeting SonicWall firewall backups in September; that activity is attributed to a different, unnamed entity rather than to Storm-1849.
## Tactics, Techniques & Procedures
* **Specific TTPs Mentioned:** Targeting and exploiting vulnerabilities in legacy firewall hardware/software platforms.
  * Exploiting Cisco ASA firewalls.
  * Exploiting high-severity vulnerabilities in SonicOS (though the actor behind the SonicOS activity is not identified as Storm-1849).
* **MITRE ATT&CK IDs:** None provided in the source text.
## Targeting
* **Sectors:** Not stated explicitly; the context implies **Critical Infrastructure** and other organizations relying on these network perimeter defenses.
* **Geography:** Not explicitly defined in the summary, but the actor is described as "China-linked."
* **Victims:**
  * Organizations using **Cisco ASA firewalls**.
  * (Separately) SonicWall customers whose MySonicWall accounts were breached.
## Tools & Infrastructure
* **Malware Families Used:** None specified.
* **Infrastructure (C2, Domains, IPs):** None specified.
## Implications
The continuous targeting of legacy firewalls by nation-state adversaries signals a sustained strategic effort to gain initial access to victim networks. Exploits against such widely deployed perimeter security devices (like Cisco ASA) typically indicate a focus on broad compromise or high-value intelligence gathering.
## Mitigations
* Patching and updating firewall operating systems (e.g., addressing high-severity vulnerabilities reported for SonicOS).
* Inventorying and managing legacy firewall hardware (such as Cisco ASA) that may be targeted by known state-sponsored groups.
* Defending against supply chain/account compromises related to vendor management portals (as seen in the SonicWall backup file exposure).