SonicWall has issued an “urgent security notice” warning customers of ransomware attacks targeting unpatched end-of-life (EoL) Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products.
“Through the course of collaboration with trusted third parties, SonicWall has been made aware of threat actors actively targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware in an imminent ransomware campaign using stolen credentials,” the company said. According to SonicWall, the attacks target a known vulnerability patched in newer versions of firmware, and they do not impact SMA 1000 series products.
“Organizations that fail to take appropriate actions to mitigate these vulnerabilities on their SRA and SMA 100 series products are at imminent risk of a targeted ransomware attack,” SonicWall warns. Companies still using EoL SMA and/or SRA devices with 8.x firmware are urged to update the firmware immediately or disconnect the appliances as soon as possible to fend off the critical risk of ransomware attacks. Customers using actively supported SMA 210/410/500v devices with the vulnerable 8.x firmware targeted in these attacks are also advised to immediately update to the latest version, which mitigates vulnerabilities discovered in early 2021.
“As additional mitigation, you should also immediately reset all credentials associated with your SMA or SRA device, as well as any other devices or systems using the same credentials,” SonicWall adds. “As always, we strongly recommend enabling multifactor authentication (MFA).”
While the company says the risk of ransomware attacks is imminent, Coveware CEO Bill Siegel said the ransomware campaign is ongoing. CrowdStrike security researcher Heather Smith also told reporters that the vulnerability targeted in these attacks is tracked as CVE-2019-7481.
“CrowdStrike Services incident response teams identified eCrime actors leveraging an older SonicWall VPN vulnerability, CVE-2019-7481, that affects Secure Remote Access (SRA) 4600 devices,” the researchers said in a report published in June. They added that “the ability to leverage the vulnerability to affect SRA devices was previously undisclosed by SonicWall.” SonicWall also published a security advisory with additional details, crediting CrowdStrike’s Heather Smith and Hanno Heinrichs (the researchers behind the June report) with reporting the issue impacting end-of-life SRA and SMA products.
Keeping up with security patches and notices from vendors and manufacturers is a critically important practice in maintaining secure systems. The risk is especially severe when the product is a VPN or other remote access device, or any server that accepts connections from the Internet and allows connectivity to the internal network.
Depending on the product in use, SonicWall recommends that organizations take the following actions:
SRA 4600/1600 (EOL 2019): Disconnect immediately and reset passwords.
SRA 4200/1200 (EOL 2016): Disconnect immediately and reset passwords.
SSL-VPN 200/2000/400 (EOL 2013/2014): Disconnect immediately and reset passwords.
SMA 400/200 (still supported, in Limited Retirement Mode): Update to 10.2.0.7-34 or 22.214.171.124 immediately, reset passwords and enable MFA.