SINOBI

RANSOMWARE

SINOBI is a sophisticated ransomware group primarily targeting large enterprises and organizations within critical infrastructure sectors such as finance, healthcare, and telecommunications. Their preferred initial access vector involves exploiting publicly-facing applications, particularly those of SonicWall and Oracle products, leveraging high-severity vulnerabilities like CVE-2025-61882 and CVE-2024-53704 to gain entry into networks. Once inside, SINOBI employs a double extortion tactic, encrypting sensitive data and exfiltrating it to cloud storage services before demanding ransom payments. This group stands out due to its strategic exploitation of critical vulnerabilities and the use of advanced techniques like PowerShell scripting for lateral movement and persistence.

SINOBI's technical footprint is characterized by a heavy reliance on remote access methods such as RDP, coupled with the exploitation of known vulnerabilities in SonicWall SSL VPNs and Oracle E-Business Suite. The group’s use of valid accounts (T1078) and command-line scripting (T1059.001) indicates a high level of operational sophistication. Defenders should prioritize patch management for critical CVEs, particularly those affecting remote access services and web applications, to mitigate the risk of SINOBI's initial access vectors. Additionally, implementing robust cloud security measures can help prevent data exfiltration through cloud storage services.

Confirmed CVEs (3)

Exploited by this group as confirmed by threat intelligence sources.

CVE-2025-61882 CRITICAL Oracle Corporation Oracle Concurrent Processing 9.8 CVE-2024-53704 CRITICAL SonicWall SonicOS 9.8 CVE-2024-40766 CRITICAL SonicWall SonicOS 9.8

Predicted CVEs (60) CORRELATION

How does prediction work?

Predicted CVEs are identified through automated correlation using multiple sources: vendor/product profiles historically targeted by the group (MITRE ATT&CK), attack chain patterns (KEV + TTPs), threat intelligence (MISP, STIX), and AI analysis. These CVEs have not been confirmed as exploited by this specific group, but have a high probability of being targets based on the actor's operational profile.

CVE-2020-2021 CRITICAL Palo Alto Networks PAN-OS predicted 10.0 CVE-2024-3400 CRITICAL Palo Alto Networks PAN-OS predicted 10.0 CVE-2025-20337 CRITICAL Cisco Identity Services Engine Software low 10.0 CVE-2021-20038 CRITICAL SonicWall SMA100 predicted 9.8 CVE-2023-22527 CRITICAL Atlassian Confluence Data Center low 9.8 CVE-2023-46604 CRITICAL Apache Software Foundation Apache ActiveMQ low 9.8 CVE-2024-0012 CRITICAL Palo Alto Networks Cloud NGFW low 9.8 CVE-2024-36401 CRITICAL geoserver low 9.8 CVE-2024-40711 CRITICAL Veeam Backup and Recovery low 9.8 CVE-2024-50603 CRITICAL Aviatrix Controller low 9.8 CVE-2025-22457 CRITICAL Ivanti Connect Secure low 9.8 CVE-2025-31324 CRITICAL SAP_SE SAP NetWeaver (Visual Composer development server) low 9.8 CVE-2025-3248 CRITICAL langflow-ai langflow low 9.8 CVE-2025-53770 CRITICAL Microsoft SharePoint Enterprise Server 2016 low 9.8 CVE-2024-4577 CRITICAL PHP Group PHP low 9.8 CVE-2025-23006 CRITICAL SonicWall SMA1000 predicted 9.8 CVE-2020-5135 CRITICAL SonicWall SonicOS predicted 9.8 CVE-2021-20021 CRITICAL SonicWall Email Security predicted 9.8 CVE-2021-20028 CRITICAL SonicWall SRA/SMA100 predicted 9.8 CVE-2021-20016 CRITICAL SonicWall SMA100 predicted 9.8 CVE-2023-46604 CRITICAL Apache Software Foundation Apache ActiveMQ predicted 9.8 CVE-2025-61882 CRITICAL Oracle Corporation Oracle Concurrent Processing predicted 9.8 CVE-2022-21587 CRITICAL Oracle Corporation Web Applications Desktop Integrator predicted 9.8 CVE-2025-22457 CRITICAL Ivanti Connect Secure predicted 9.8 CVE-2025-31324 CRITICAL SAP_SE SAP NetWeaver (Visual Composer development server) predicted 9.8 CVE-2021-20038 CRITICAL SonicWall SMA100 predicted 9.8 CVE-2025-53770 CRITICAL Microsoft SharePoint Enterprise Server 2016 predicted 9.8 CVE-2021-20021 CRITICAL SonicWall Email Security predicted 9.8 CVE-2025-23006 CRITICAL SonicWall SMA1000 predicted 9.8 CVE-2024-4577 CRITICAL PHP Group PHP predicted 9.8 CVE-2021-20016 CRITICAL SonicWall SMA100 predicted 9.8 CVE-2023-22527 CRITICAL Atlassian Confluence Data Center predicted 9.8 CVE-2023-22515 CRITICAL Atlassian Confluence Data Center predicted 9.8 CVE-2023-22518 CRITICAL Atlassian Confluence Data Center predicted 9.8 CVE-2024-0012 CRITICAL Palo Alto Networks Cloud NGFW predicted 9.8 CVE-2022-26501 CRITICAL Veeam Backup & Replication predicted 9.8 CVE-2024-40711 CRITICAL Veeam Backup and Recovery predicted 9.8 CVE-2021-20028 CRITICAL SonicWall SRA/SMA100 predicted 9.8 CVE-2025-3248 CRITICAL langflow-ai langflow predicted 9.8 CVE-2024-53704 CRITICAL SonicWall SonicOS predicted 9.8 CVE-2024-40766 CRITICAL SonicWall SonicOS predicted 9.8 CVE-2025-0282 CRITICAL Ivanti Connect Secure predicted 9.0 CVE-2025-49704 HIGH Microsoft SharePoint Enterprise Server 2016 predicted 8.8 CVE-2025-4428 HIGH Ivanti Endpoint Manager Mobile low 8.8 CVE-2022-26500 HIGH Veeam Backup & Replication predicted 8.8 CVE-2020-3259 HIGH Cisco Adaptive Security Appliance (ASA) Software low 7.5 CVE-2025-5777 HIGH NetScaler ADC low 7.5 CVE-2023-27532 HIGH Veeam Backup & Replication predicted 7.5 CVE-2020-3259 HIGH Cisco Adaptive Security Appliance (ASA) Software predicted 7.5 CVE-2025-61884 HIGH Oracle Corporation Oracle Configurator predicted 7.5 CVE-2025-4427 HIGH Ivanti Endpoint Manager Mobile low 7.5 CVE-2025-5777 HIGH NetScaler ADC predicted 7.5 CVE-2024-38094 HIGH Microsoft SharePoint Enterprise Server 2016 predicted 7.2 CVE-2021-20022 HIGH SonicWall Email Security predicted 7.2 CVE-2021-20022 HIGH SonicWall Email Security predicted 7.2 CVE-2024-9474 HIGH Palo Alto Networks Cloud NGFW predicted 7.2 CVE-2025-49706 MEDIUM Microsoft SharePoint Enterprise Server 2016 predicted 6.5 CVE-2020-3580 MEDIUM Cisco Adaptive Security Appliance (ASA) Software predicted 6.1 CVE-2021-20023 MEDIUM SonicWall Email Security predicted 4.9 CVE-2021-20023 MEDIUM SonicWall Email Security predicted 4.9

ATT&CK Techniques (25)

T1078 Valid Accounts Initial Access T1190 Exploit Public-Facing Application Initial Access T1566 Phishing Initial Access T1059.001 Command and Scripting Interpreter: PowerShell Execution T1059.003 Command and Scripting Interpreter: Windows Command Shell Execution T1106 Native API Execution T1203 Exploitation for Client Execution Execution T1569.002 System Services: Service Execution Execution T1543.003 Create or Modify System Process: Windows Service Persistence T1068 Exploitation for Privilege Escalation Privilege Escalation T1027 Obfuscated Files or Information Defense Evasion T1070 Indicator Removal Defense Evasion T1070.004 Indicator Removal: File Deletion Defense Evasion T1562.001 Impair Defenses: Disable or Modify Tools Defense Evasion T1046 Network Service Discovery Discovery T1083 File and Directory Discovery Discovery T1087.002 Account Discovery: Domain Account Discovery T1021.001 Remote Services: Remote Desktop Protocol Lateral Movement T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage Exfiltration T1573.001 Encrypted Channel: Symmetric Cryptography Command and Control T1486 Data Encrypted for Impact Impact T1489 Service Stop Impact T1490 Inhibit System Recovery Impact T1587.001 Develop Capabilities: Malware Resource Development T1588.002 Obtain Capabilities: Tool Resource Development