SonicWall

SonicWall, a cybersecurity company, issued an urgent security notice warning customers of an imminent ransomware attack targeting its network products: Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) appliances that are running unpatched, end-of-life 8.x firmware.

In newer versions of firmware, released in early 2021, the known vulnerability has been patched.

SonicWall Official Product Notification on Ransomware Attack:

SonicWall firmly warned all organizations and businesses still using these vulnerable appliances to act quickly by updating the product to the latest firmware immediately. It also suggested enabling multi-factor authentication, or terminating products that are past end-of-life status and cannot be updated to new firmware, to keep off the ransomware attack.

The affected end-of-life devices with 8.x firmware are past temporary mitigations. Continued use of this firmware or end-of-life devices is an active security risk, SonicWall alerted.

The network equipment maker also advised resetting all passwords associated with the vulnerable devices, as well as those of any other systems or devices that use the same credentials (Source: here).

For more details about resolution and mitigations, please visit SonicWall official security notice.

SonicWall Recommendations for the Ransomware Attack on their Appliances:

SonicWall recommended the below resolution based on the product used:

  • SRA 4600/1600 (EOL 2019)
    • Disconnect immediately 
    • Reset passwords
  • SRA 4200/1200 (EOL 2016)
    • Disconnect immediately
    • Reset passwords
  • SSL-VPN 200/2000/400 (EOL 2013/2014)
    • Disconnect immediately 
    • Reset passwords
  • SMA 400/200 (Still Supported, in Limited Retirement Mode)
    • Update to 10.2.0.7-34 or 9.0.0.10 immediately
    • Reset passwords
    • Enable MFA

While not part of this campaign targeting SRA/SMA firmware 8.x, customers with the following products should also ensure that they’re on the latest version of firmware to mitigate vulnerabilities discovered in early 2021.

  • SMA 210/410/500v (Actively Supported)
    • Firmware 9.x should immediately update to 9.0.0.10-28sv or later
    • Firmware 10.x should immediately update to 10.2.0.7-34sv or later
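The recommendations above can be applied to an appliance inventory as a triage script. This is an added example, not SonicWall's tooling: the hostnames and firmware strings in the sample inventory are constructed, and the function names and action labels are hypothetical.

```python
import re

# Models the notice lists as end-of-life: disconnect and reset passwords.
EOL = {"SRA 4600", "SRA 1600", "SRA 4200", "SRA 1200",
       "SSL-VPN 200", "SSL-VPN 2000", "SSL-VPN 400"}
# Minimum fixed builds per firmware branch, from the list above.
# The SMA 400/200 entry for 9.x gives no build number, so build 0 is assumed.
MIN_FIXED = {
    "limited": {9: (9, 0, 0, 10, 0), 10: (10, 2, 0, 7, 34)},  # SMA 400/200
    "active": {9: (9, 0, 0, 10, 28), 10: (10, 2, 0, 7, 34)},  # SMA 210/410/500v
}
SUPPORT = {"SMA 400": "limited", "SMA 200": "limited",
           "SMA 210": "active", "SMA 410": "active", "SMA 500v": "active"}
FW_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-(\d+)[a-z]*)?$")


def parse_firmware(text):
    """'10.2.0.7-34sv' -> (10, 2, 0, 7, 34); None if the string is not recognised."""
    m = FW_RE.match(text.strip().lower())
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def triage(model, firmware):
    """Return the actions the notice recommends for one appliance."""
    if model in EOL:
        return ["disconnect", "reset passwords"]
    tier = SUPPORT.get(model)
    version = parse_firmware(firmware)
    # Unknown model, unparseable version, or a branch the notice does not cover.
    if tier is None or version is None or version[0] > 10:
        return ["review manually"]
    actions = []
    minimum = MIN_FIXED[tier].get(version[0])
    # 8.x and older branches have no fixed build, so they always need an update.
    if minimum is None or version < minimum:
        actions.append("update firmware")
    if tier == "limited":
        actions += ["reset passwords", "enable MFA"]
    return actions


# Constructed sample inventory: (hostname, model, firmware string).
INVENTORY = [("vpn-a", "SRA 4600", "8.0.0.4-25sv"),
             ("vpn-b", "SMA 410", "9.0.0.9-26sv"),
             ("vpn-c", "SMA 200", "10.2.0.7-34sv")]

if __name__ == "__main__":
    for host, model, fw in INVENTORY:
        print(host, model, fw, "->", triage(model, fw) or ["no action listed"])
```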

Ransomware Attack on SonicWall’s Appliances registered in CVE Database:

Reports appeared last month warning that remote access vulnerabilities in SonicWall SRA 4600 VPN appliances were turning out to be a primary access vector for ransomware attacks breaking into corporate networks globally. The flaw is listed in the CVE security vulnerability database as CVE-2019-7481: an unauthenticated user can gain read-only access to resources by performing SQL injection.

The company also thanked Mandiant, an American cybersecurity firm, and its team for identifying the threat and participating in this matter.

Previous Ransomware Attacks on SonicWall’s Appliances:

This is not new for SonicWall, as its devices were previously affected by ransomware attacks.

In April 2021, the hacking group of Mandiant exploited a zero-day defect in SMA 100 Series VPN appliances (CVE-2021-20016) before it was patched. The hackers deployed a new strain of ransomware payloads known as FiveHands on the networks of North American and European organizations.

Also in January 2021, the company faced the same zero-day vulnerability in the device, which was used to attack its internal systems and was later exploited randomly in the wild.

Three more zero-day flaws were uncovered by Mandiant in March 2021 in SonicWall's on-premises and hosted Email Security (ES) products, allowing hackers to gain access to victims' networks, emails, and files.
