SonicWall has issued an urgent warning of an “imminent” ransomware campaign to users of its Secure Mobile Access (SMA) and Secure Remote Access (SRA) products.
“Through the course of collaboration with trusted third parties, SonicWall has been made aware of threat actors actively targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware in an imminent ransomware campaign using stolen credentials,” the company said Wednesday. “The exploitation targets a known vulnerability that has been patched in newer versions of firmware.”
End-of-life devices with 8.x firmware cannot be mitigated. “Continued use of this firmware or end-of-life devices is an active security risk,” the alert says. To provide a transition path for customers with end-of-life devices that cannot upgrade to 9.x or 10.x firmware, SonicWall is providing a complimentary virtual SMA 500v until October 31st.
The company stressed the notice is specifically for the SMA 100 and the older SRA series (reference lists for current SMA products and end-of-life products). SMA 1000 series products are not affected by this notice.
IT departments with SRA and/or SMA 100 series devices running 9.x and 10.x firmware should continue to follow best practices, such as updating to the latest available SMA or SRA firmware and enabling multifactor authentication.
Organizations that fail to take appropriate actions to mitigate these vulnerabilities on their SRA and SMA 100 series products are at imminent risk of a ransomware attack, the notice repeated.
UPDATE: In a statement the company said this exploitation targets a long-known vulnerability that was patched in newer versions of firmware released in early 2021. “SonicWall immediately and repeatedly contacted impacted organizations of mitigation steps and update guidance.
“Even though the footprint of impacted or unpatched devices is relatively small, SonicWall continues to strongly advise organizations to patch supported devices or decommission security appliances that are no longer supported, especially as it receives updated intelligence about emerging threats. The continued use of unpatched firmware or end-of-life devices, regardless of vendor, is an active security risk.”
Organizations using the following end-of-life SMA and/or SRA devices running firmware 8.x should either update their firmware or disconnect their appliances:
- SRA 4600/1600 (EOL 2019)
  - Disconnect immediately
  - Reset passwords
- SRA 4200/1200 (EOL 2016)
  - Disconnect immediately
  - Reset passwords
- SSL-VPN 200/2000/400 (EOL 2013/2014)
  - Disconnect immediately
  - Reset passwords
- SMA 400/200 (Still Supported, in Limited Retirement Mode)
  - Update to 10.2.0.7-34 or 9.0.0.10 immediately
  - Reset passwords
  - Enable MFA
While not part of this campaign targeting SRA/SMA firmware 8.x, customers with the following products should also ensure that they’re on the latest version of firmware to mitigate other vulnerabilities discovered in early 2021.
- SMA 210/410/500v (Actively Supported)
  - Firmware 9.x should immediately update to 9.0.0.10-28sv or later
  - Firmware 10.x should immediately update to 10.2.0.7-34sv or later
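The two remediation lists above can be applied mechanically to an appliance inventory. The following Python is an added example, not SonicWall's code; the function names, the constructed inventory rows, exact matching on model names, and reading the number after the dash as a build number are assumptions.

```python
import re

# Transcribed from the advisory lists above; matching on exact model names is
# an assumption about how the inventory labels appliances.
EOL_MODELS = {"SRA 4600", "SRA 1600", "SRA 4200", "SRA 1200",
              "SSL-VPN 200", "SSL-VPN 2000", "SSL-VPN 400"}
# family -> (fixed release per firmware branch, extra actions listed for it)
SUPPORTED = {
    ("SMA 400", "SMA 200"): ({9: "9.0.0.10", 10: "10.2.0.7-34"},
                             ["reset passwords", "enable MFA"]),
    ("SMA 210", "SMA 410", "SMA 500v"): ({9: "9.0.0.10-28sv", 10: "10.2.0.7-34sv"}, []),
}

def parse_firmware(text):
    """'10.2.0.7-34sv' -> (10, 2, 0, 7, 34); a missing build number counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-(\d+)(?:sv)?)?", text.strip())
    if m is None:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def triage(model, firmware):
    """Return the advisory's actions for one appliance as a list of strings."""
    if model in EOL_MODELS:
        return ["disconnect immediately", "reset passwords"]
    for family, (fixed, extra) in SUPPORTED.items():
        if model in family:
            break
    else:
        return ["model not listed in this advisory"]
    version = parse_firmware(firmware)
    target = fixed.get(version[0])
    if target and version >= parse_firmware(target):
        return ["firmware at or above fixed release"]
    # Branches with no fixed release (8.x) must move to a 9.x or 10.x build.
    wanted = target or " or ".join(fixed[b] for b in sorted(fixed, reverse=True))
    return [f"update to {wanted} or later"] + extra

# Constructed inventory rows (model, firmware); not real devices.
INVENTORY = [("SRA 4600", "8.0.0.9-26sv"), ("SMA 200", "8.0.0.4-25sv"),
             ("SMA 410", "10.2.0.5-29sv"), ("SMA 500v", "9.0.0.10-28sv")]

if __name__ == "__main__":
    for model, fw in INVENTORY:
        print(f"{model:9} {fw:15} -> {'; '.join(triage(model, fw))}")
```
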
This is not the first recent warning by the company of an issue with SMA 100 devices. In January it confirmed a critical zero-day vulnerability in SMA 100 series devices running firmware with version 10.x code.