WARNING: IMMINENT THREAT RANSOMWARE OPERATORS ARE EXPLOITING SonicWall Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware
Reference:
Advisory #2020-013
Version:
1.0
Affected software:
SonicWall SRA 4600/1600 (EOL 2019)
SonicWall SRA 4200/1200 (EOL 2016)
SonicWall SSL-VPN 200/2000/400 (EOL 2013/2014)
SonicWall SMA 400/200 (Still Supported, in Limited Retirement Mode)
Type:
Credential Theft
Date:
15/07/2021
Sources
Risks
The Centre for Cyber security Belgium (CCB), is aware of an imminent ransomware threat targetting unpatched End-Of-Life SRA & SMA 8.X Remote Access Devices
Threat actor groups are leveraging stolen credentials. The exploitation targets a known vulnerability that has been patched in newer versions of firmware.
Organisations that are using vulnerable SonicWall appliances must update or disconnect their devices immediately, and reset all passwords and/or enable MFA!
Organizations that fail to take appropriate actions to mitigate these vulnerabilities on their SRA and SMA 100 series products are at imminent risk of a targeted ransomware attack.
Recommended Actions
SRA 4600/1600 (EOL 2019) / SRA 4200/1200 (EOL 2016) / SSL-VPN 200/2000/400 (EOL 2013/2014)
- Disconnect immediately
- Reset passwords
SMA 400/200 (Still Supported, in Limited Retirement Mode)
- Update to 10.2.0.7-34 or 9.0.0.10 immediately
- Reset passwords
- Enable MFA
Remark: Whilst not part of this campaign targeting SRA/SMA firmware 8.x, customers with the following products should also ensure that they’re on the latest version of firmware to mitigate vulnerabilities discovered in early 2021.
SMA 210/410/500v (Actively Supported)
- Firmware 9.x should immediately update to 9.0.0.10-28sv or later
- Firmware 10.x should immediately update to 10.2.0.7-34sv or later
General Advice
- The CCB advises administrators of vulnerable SonicWall appliances to follow the advice of Sonicwall as listed above.
- The CCB advises organisations to upscale monitoring and detection capabilities to detect any related suspicious activity to ensure a fast response in case of an intrusion.
- The CCB urges organisations to do periodical check of their infrastructure to detect EOL devices timely and to replace them with supported and secure appliances.