SonicWall warns of 'critical' ransomware risk to SMA 100 VPN appliances

SonicWall has issued an "urgent security notice" warning customers of ransomware attacks targeting unpatched end-of-life (EoL) Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products.

"Through the course of collaboration with trusted third parties, SonicWall has been made aware of threat actors actively targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware in an imminent ransomware campaign using stolen credentials," the company said.

According to SonicWall, the attacks target a known vulnerability patched in newer versions of firmware, and they do not impact SMA 1000 series products.

"Organizations that fail to take appropriate actions to mitigate these vulnerabilities on their SRA and SMA 100 series products are at imminent risk of a targeted ransomware attack," SonicWall warns.

Disconnect or update affected devices

Companies still using EoL SMA and/or SRA devices with 8.x firmware are urged to update the firmware immediately or disconnect the appliances as soon as possible to fend off the critical risk of ransomware attacks.

Customers using actively supported SMA 210/410/500v devices with the vulnerable 8.x firmware targeted in these attacks are also advised to immediately update to the latest version, which mitigates vulnerabilities discovered in early 2021.

"As additional mitigation, you should also immediately reset all credentials associated with your SMA or SRA device, as well as any other devices or systems using the same credentials," SonicWall adds. "As always, we strongly recommend enabling multifactor authentication (MFA)."

Depending on the product they use, SonicWall recommends organizations to:

  • SRA 4600/1600 (EOL 2019)
    • Disconnect immediately 
    • Reset passwords
  • SRA 4200/1200 (EOL 2016)
    • Disconnect immediately
    • Reset passwords
  • SSL-VPN 200/2000/400 (EOL 2013/2014)
    • Disconnect immediately
    • Reset passwords
  • SMA 400/200 (Still Supported, in Limited Retirement Mode)
    • Update to 10.2.0.7-34 or 9.0.0.10 immediately
    • Reset passwords
    • Enable MFA

SonicWall shared the following statement with BleepingComputer regarding the attacks.

"Threat actors will take any opportunity to victimize organizations for malicious gain. This exploitation targets a long-known vulnerability that was patched in newer versions of firmware released in early 2021. SonicWall immediately and repeatedly contacted impacted organizations of mitigation steps and update guidance.  

Even though the footprint of impacted or unpatched devices is relatively small, SonicWall continues to strongly advise organizations to patch supported devices or decommission security appliances that are no longer supported, especially as it receives updated intelligence about emerging threats. The continued use of unpatched firmware or end-of-life devices, regardless of vendor, is an active security risk." - SonicWall

BleepingComputer had also asked what ransomware operation was utilizing the vulnerability but was told that they could not provide that info.

SonicWall email to customers
SonicWall email to customers (Bryan Cobb)

Vulnerability targeted in ongoing attacks

While the company says the risk of ransomware attacks is imminent, Coveware CEO Bill Siegel said the ransomware campaign is ongoing.

CrowdStrike security researcher Heather Smith also told BleepingComputer that the vulnerability targeted in these attacks is tracked as CVE-2019-7481.

"CrowdStrike Services incident response teams identified eCrime actors leveraging an older SonicWall VPN vulnerability, CVE-2019-7481, that affects Secure Remote Access (SRA) 4600 devices," the researchers said in a report published in June.

They added that "the ability to leverage the vulnerability to affect SRA devices was previously undisclosed by SonicWall."

SonicWall also published a security advisory with additionals details, crediting CrowdStrike's Heather Smith and Hanno Heinrichs (the researchers behind the June report) with reporting the issue impacting end-of-life SRA and SMA products.

SonicWall devices previously targeted by ransomware

In April, threat actors also exploited a zero-day bug in SonicWall SMA 100 Series VPN appliances to deploy a new ransomware strain known as FiveHands on the networks of North American and European targets.

This threat group, tracked by Mandiant as UNC2447, exploited the CVE-2021-20016 SonicWall vulnerability to breach systems and deliver FiveHands ransomware payloads before SonicWall released patches in late February 2021.

The same zero-day was also abused in attacks targeting SonicWall's internal systems in January and later exploited indiscriminately in the wild.

In March, Mandiant threat analysts discovered three more zero-day vulnerabilities in SonicWall's on-premises and hosted Email Security (ES) products.

These zero-days were also actively exploited by a group tracked as UNC2682 to backdoor systems using BEHINDER web shells, allowing them to move laterally through victims' networks and gain access to emails and files.

Update July 15, 05:29EDT: Added info on the CVE-2019-7481 vulnerability targeted in these ongoing attacks.

Related Articles:

FBI, CISA warn US hospitals of targeted BlackCat ransomware attacks

INC Ransom threatens to leak 3TB of NHS Scotland stolen data

US offers up to $15 million for tips on ALPHV ransomware gang

KuCoin charged with AML violations that let cybercriminals launder billions

Ransomware as a Service and the Strange Economics of the Dark Web