
WARNING: IMMINENT THREAT RANSOMWARE OPERATORS ARE EXPLOITING SonicWall Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware

Reference: Advisory #2020-013
Version: 1.0
Affected software:
SonicWall SRA 4600/1600 (EOL 2019)
SonicWall SRA 4200/1200 (EOL 2016)
SonicWall SSL-VPN 200/2000/400 (EOL 2013/2014)
SonicWall SMA 400/200 (Still Supported, in Limited Retirement Mode)
Type: Credential Theft

Sources

 

Risks

The Centre for Cybersecurity Belgium (CCB) is aware of an imminent ransomware threat targeting unpatched End-Of-Life SRA & SMA 8.x remote access devices.
 
Threat actor groups are leveraging stolen credentials. The exploitation targets a known vulnerability that has been patched in newer versions of firmware.
 
Organisations that are using vulnerable SonicWall appliances must update or disconnect their devices immediately, and reset all passwords and/or enable MFA! 
 
Organizations that fail to take appropriate actions to mitigate these vulnerabilities on their SRA and SMA 100 series products are at imminent risk of a targeted ransomware attack. 
 

Recommended Actions

 
SRA 4600/1600 (EOL 2019) / SRA 4200/1200 (EOL 2016) / SSL-VPN 200/2000/400 (EOL 2013/2014)
  •     Disconnect immediately 
  •     Reset passwords
 
SMA 400/200 (Still Supported, in Limited Retirement Mode)
  •     Update to 10.2.0.7-34 or 9.0.0.10 immediately
  •     Reset passwords
  •     Enable MFA
Remark: Whilst not part of this campaign targeting SRA/SMA firmware 8.x, customers with the following products should also ensure that they’re on the latest version of firmware to mitigate vulnerabilities discovered in early 2021.
 
SMA 210/410/500v (Actively Supported)
  •     Firmware 9.x should immediately update to 9.0.0.10-28sv or later
  •     Firmware 10.x should immediately update to 10.2.0.7-34sv or later

General Advice
 
  • The CCB advises administrators of vulnerable SonicWall appliances to follow the advice of SonicWall as listed above.
  • The CCB advises organisations to upscale monitoring and detection capabilities so that any related suspicious activity is detected and an intrusion can be responded to quickly.
  • The CCB urges organisations to perform periodic checks of their infrastructure to detect EOL devices in a timely manner and to replace them with supported and secure appliances.
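
The recommended actions above can be applied to an asset inventory during such a periodic check. The following Python example is added here and is not part of the CCB advisory or any SonicWall tooling; the inventory rows, status labels and function names are assumptions. A firmware string recorded without a build number is compared on its dotted version only.

```python
import re

# Models and minimum fixed builds as listed in the advisory.
EOL_MODELS = {"SRA 4600", "SRA 1600", "SRA 4200", "SRA 1200",
              "SSL-VPN 200", "SSL-VPN 2000", "SSL-VPN 400"}
# Extra actions the advisory lists per supported model, besides updating.
SMA_EXTRA = {"SMA 200": ["reset passwords", "enable MFA"],
             "SMA 400": ["reset passwords", "enable MFA"],
             "SMA 210": [], "SMA 410": [], "SMA 500v": []}
MIN_FIXED = {9: ((9, 0, 0, 10), 28), 10: ((10, 2, 0, 7), 34)}

def parse_firmware(text):
    """Split '10.2.0.7-34sv' into ((10, 2, 0, 7), 34); build is None if absent."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-(\d+)[a-z]*)?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    *version, build = m.groups()
    return tuple(int(v) for v in version), (int(build) if build else None)

def triage(model, firmware):
    """Return (status, actions) for one inventory entry (labels are hypothetical)."""
    if model in EOL_MODELS:
        return "EOL", ["disconnect", "reset passwords"]
    if model not in SMA_EXTRA:
        return "OUT_OF_SCOPE", []
    try:
        version, build = parse_firmware(firmware)
    except ValueError:
        return "UNKNOWN", ["check firmware manually"]
    if version[0] > max(MIN_FIXED):        # newer branch than the advisory covers
        return "UNKNOWN", ["check firmware manually"]
    floor = MIN_FIXED.get(version[0])
    if floor is None:                      # 8.x and older: advisory names no fixed build
        outdated = True
    elif version != floor[0]:
        outdated = version < floor[0]
    else:                                  # same dotted version: compare build if recorded
        outdated = build is not None and build < floor[1]
    if outdated:
        return "UPDATE_NOW", ["update firmware"] + SMA_EXTRA[model]
    return "CURRENT", list(SMA_EXTRA[model])

# Constructed sample inventory (hostnames and firmware strings are made up).
INVENTORY = [("vpn-old", "SRA 4600", "8.1.0.7-22sv"), ("vpn-a", "SMA 400", "8.1.0.10-25sv"),
             ("vpn-b", "SMA 410", "10.2.0.6-32sv"), ("vpn-c", "SMA 210", "10.2.0.7-34sv"),
             ("vpn-d", "SMA 200", "9.0.0.10")]

if __name__ == "__main__":
    for host, model, fw in INVENTORY:
        print(host, model, fw, *triage(model, fw))
```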

References