Tuesday, August 9, 2022

Breaking news: SonicWall warns of ‘imminent’ ransomware campaign against certain devices

SonicWall has issued an urgent warning of an “imminent” ransomware campaign to users of its Secure Mobile Access (SMA) and Secure Remote Access (SRA) products.

“Through the course of collaboration with trusted third parties, SonicWall has been made aware of threat actors actively targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware in an imminent ransomware campaign using stolen credentials,” the company said Wednesday. “The exploitation targets a known vulnerability that has been patched in newer versions of firmware.”

End-of-life devices with 8.x firmware cannot be mitigated. “Continued use of this firmware or end-of-life devices is an active security risk,” the alert says. To provide a transition path for customers with end-of-life devices that cannot upgrade to 9.x or 10.x firmware, SonicWall is providing a complimentary virtual SMA 500v until October 31st.

The company stressed the notice is specifically for the SMA 100 and the older SRA series (reference lists for current SMA products and end-of-life products). SMA 1000 series products are not affected by this notice.

IT departments with SRA and/or SMA 100 series devices running 9.x or 10.x firmware should continue to follow best practices, such as updating to the latest available SMA or SRA firmware and enabling multifactor authentication.

Organizations that fail to take appropriate actions to mitigate these vulnerabilities on their SRA and SMA 100 series products are at imminent risk of a ransomware attack, the notice repeated.

UPDATE: In a statement the company said this exploitation targets a long-known vulnerability that was patched in newer versions of firmware released in early 2021. “SonicWall immediately and repeatedly contacted impacted organizations of mitigation steps and update guidance.

“Even though the footprint of impacted or unpatched devices is relatively small, SonicWall continues to strongly advise organizations to patch supported devices or decommission security appliances that are no longer supported, especially as it receives updated intelligence about emerging threats. The continued use of unpatched firmware or end-of-life devices, regardless of vendor, is an active security risk.”

Organizations using the following end-of-life SMA and/or SRA devices running firmware 8.x should either update their firmware or disconnect their appliances:

  • SRA 4600/1600 (EOL 2019)
    • Disconnect immediately
    • Reset passwords
  • SRA 4200/1200 (EOL 2016)
    • Disconnect immediately
    • Reset passwords
  • SSL-VPN 200/2000/400 (EOL 2013/2014)
    • Disconnect immediately
    • Reset passwords
  • SMA 400/200 (Still Supported, in Limited Retirement Mode)
    • Update to 10.2.0.7-34 or 9.0.0.10 immediately
    • Reset passwords
    • Enable MFA

While not part of this campaign targeting SRA/SMA firmware 8.x, customers with the following products should also ensure that they’re on the latest version of firmware to mitigate other vulnerabilities discovered in early 2021.

  • SMA 210/410/500v (Actively Supported)
    • Firmware 9.x should immediately update to 9.0.0.10-28sv or later
    • Firmware 10.x should immediately update to 10.2.0.7-34sv or later

This is not the first recent warning by the company of an issue with SMA 100 devices. In January it confirmed a critical zero-day vulnerability in SMA 100 series devices running firmware with version 10.x code.


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com