This post has been updated with a statement from SonicWall below

SonicWall has issued an urgent security notice warning users of unpatched End-Of-Life (EOL) SRA & SMA 8.X remote access devices that they have been made aware of an imminent ransomware campaign using stolen credentials. The exploitation targets a known vulnerability that has been patched in newer versions of SonicWall firmware.

In addition to the notice posted to its website, SonicWall sent out an email to anyone using SMA and SRA devices, urging some to disconnect specific devices (see below under Mitigation) immediately.

SonicWall

SonicWall is a company that specializes in securing networks. It sells a range of Internet appliances primarily directed at content control and network security, including devices providing services for network firewalls, unified threat management (UTM), virtual private networks (VPNs), and anti-spam for email.

Devices at risk

The devices that the security notice mentions are running 8.x versions of the firmware. Because these versions have reached their end of life they are unpatched. The notice mentions by type:

  • Secure Mobile Access (SMA) 100 series
  • Older Secure Remote Access (SRA) series

A lifecycle table for these products can be found here.

Vulnerability

In its report, SonicWall reports that ransomware attacks are being launched against these products using a known vulnerability in the 8.x firmware. This vulnerability has been patched in the later 9.x and 10.x firmware versions. It describes continuing to use its end-of-life products or 8.x firmware as “an active security risk” and at “imminent risk of a targeted ransomware attack”.

It is unclear which ransomware variant was caught targeting these devices, but last month NCC Group’s Incident Response team observed a new variant of the FiveHands ransomware using an externally facing SonicWall VPN appliance as the initial access vector.

Mitigation

The notice mentions the following products along with recommended actions:

  • SRA 4600/1600 (EOL 2019) disconnect immediately and reset passwords.
  • SRA 4200/1200 (EOL 2016) disconnect immediately and reset passwords.
  • SSL-VPN 200/2000/400 (EOL 2013/2014) disconnect immediately and reset passwords.
  • SMA 400/200 Update to 10.2.0.7-34 or 9.0.0.10 immediately, reset passwords, and enable MFA.
  • SMA 210/410/500v (Actively Supported) update firmware to 9.0.0.10-28sv or later, or to 10.2.0.7-34sv or later.

Additionally, users are advised to immediately reset all credentials associated with SMA or SRA devices, as well as any other devices or systems that use the same credentials.

After Malwarebytes Labs published this story, SonicWall released the following public statement:

“This exploitation targets a long-known vulnerability that was patched in newer versions of firmware released in early 2021. SonicWall immediately and repeatedly contacted impacted organizations of mitigation steps and update guidance.

Even though the footprint of impacted or unpatched devices is relatively small, SonicWall continues to strongly advise organizations to patch supported devices or decommission security appliances that are no longer supported, especially as it receives updated intelligence about emerging threats. The continued use of unpatched firmware or end-of-life devices, regardless of vendor, is an active security risk.”

As is often the case, there is no rocket science here, just security bread and butter. That doesn’t mean that doing security is easy, but it does show the importance of staying on top of some basics: Using any product that’s out of support and unable or unlikely to get security updates is security risk that only gets worse over time; Using out of date software or firmware with known security vulnerabilities is similarly risky; and, as ever, it’s wise you use multifactor authentication (MFA) wherever you can.

Security devices as a way in

In the continuous wave of ransomware attacks you may have noticed a trend where the software and devices that are designed to keep you safe, are being used to establish the opposite. This year we have seen Pulse Secure vulnerabilities exploited in the wild, CISA warnings about successful attacks targeting a number of years-old vulnerabilities, and the colossal Kaseya supply-chain attack, among others.

Even when this may seem ironic, it does make sense. Cybercriminals will obviously use any available entrance into their target’s network. And defenses that control in- and outbound traffic like VPN’s, firewalls, and routers are attractive, privileged targets that users are often reluctant to bring down for maintenance. Vulnerabilities in these systems are golden opportunities for cybercriminals. So, it shouldn’t need any explanation why it is imperative to patch or remove such vulnerable devices as soon as possible.

Stay safe, everyone!