Networking device maker SonicWall sent out an urgent notice to its customers about “an imminent ransomware campaign using stolen credentials” that is targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life 8.x firmware.
In addition to the notice posted to its website, SonicWall sent an email to anyone using SMA and SRA devices, urging some to disconnect their devices immediately. They worked with Mandiant and other security companies on the issue, according to the release.
“The exploitation targets a known vulnerability that has been patched in newer versions of firmware. SonicWall PSIRT strongly suggests that organizations still using 8.x firmware review the information below and take immediate action,” the company said, noting that this was for those with the SMA 100 and the older SRA series.
SonicWall urged their users to update to the latest available SRA and SMA firmware, explaining that those who don’t deal with the vulnerabilities are “at imminent risk of a targeted ransomware attack.”
Anyone using SRA 4600/1600 (EOL 2019), SRA 4200/1200 (EOL 2016) or SSL-VPN 200/2000/400 (EOL 2013/2014) should disconnect their appliances immediately and change all associated passwords.
“Organizations using the following end-of-life SMA and/or SRA devices running firmware 8.x should either update their firmware or disconnect their appliances per guidance below. If your organization is using a legacy SRA appliance that is past end-of life status and cannot update to 9.x firmware, continued use may result in ransomware exploitation,” SonicWall said.
“The affected end-of-life devices with 8.x firmware are past temporary mitigations. Continued use of this firmware or end-of-life devices is an active security risk. To provide a transition path for customers with end-of-life devices that cannot upgrade to 9.x or 10.x firmware, we’re providing a complimentary virtual SMA 500v until October 31, 2021.”
SonicWall added that customers “should also immediately reset all credentials associated with your SMA or SRA device, as well as any other devices or systems using the same credentials.”
SonicWall did not respond to questions about which ransomware groups were targeting the vulnerability, but earlier this year, researchers with NCC Group’s Incident Response team discovered a new variant of the FiveHands ransomware targeting SonicWall.
Cybersecurity firm FireEye said more than 100 organizations were targeted and some may have been infected even though SonicWall patched the SMA 100 series remote access product vulnerability in February 2021.
In a statement to ZDNet, SonicWall said, “Threat actors will take any opportunity to victimize organizations for malicious gain. This exploitation targets a long-known vulnerability that was patched in newer versions of firmware released in early 2021.”
“SonicWall immediately and repeatedly contacted impacted organizations of mitigation steps and update guidance. Even though the footprint of impacted or unpatched devices is relatively small, SonicWall continues to strongly advise organizations to patch supported devices or decommission security appliances that are no longer supported, especially as it receives updated intelligence about emerging threats,” the statement said.
“The continued use of unpatched firmware or end-of-life devices, regardless of vendor, is an active security risk.”