SonicWall Ransomware Compromise

Cyber Security and Incident Response Advisory – Updated 16 July 2021

SonicWall are a large provider of internet appliances aimed at content control and network security.

On Thursday 15 July 2021, SonicWall issued an urgent security notice informing customers that it had been made aware of threat actors targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched, end-of-life (EOL) 8.x firmware. Devices still running this firmware are considered vulnerable and are the target of an imminent ransomware campaign using stolen credentials.

The vulnerabilities exploited in this campaign are patched in the newer 9.x and 10.x firmware branches; no fix is available for 8.x.

Recommendations

SonicWall has released the following mitigation strategies for affected products.

SRA 4600/1600 (EOL 2019)

  • Disconnect appliance immediately
  • Reset Passwords

SRA 4200/1200 (EOL 2016)

  • Disconnect appliance immediately
  • Reset Passwords

SSL-VPN 200/2000/400 (EOL 2013/2014)

  • Disconnect appliance immediately
  • Reset Passwords

SMA 400/200 (Still Supported, in Limited Retirement Mode)

  • Update to 10.2.0.7-34 or 9.0.0.10 immediately
  • Reset passwords
  • Enable MFA

SonicWall also recommends that users of the following products ensure they are on the latest firmware, to mitigate vulnerabilities disclosed in early 2021.

SMA 210/410/500v (Actively Supported)

  • Firmware 9.x should immediately update to 9.0.0.10-28sv or later
  • Firmware 10.x should immediately update to 10.2.0.7-34sv or later

SonicWall advises that all affected end-of-life devices running 8.x firmware are past the point of temporary mitigation. If you are currently using a legacy SRA appliance that is past end-of-life status and cannot update to 9.x firmware, continued use may result in ransomware exploitation. Any continued use of the affected firmware or of end-of-life devices is an active security risk.
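As an added example (not part of the original advisory and not SonicWall's own tooling), the following Python script applies the tiers above to an appliance inventory: the EOL model list and the 9.0.0.10-28sv / 10.2.0.7-34sv thresholds come from the advisory, while the hostnames, sample firmware strings and the inventory layout are constructed for illustration.

```python
import re

# Minimum patched firmware per branch, as stated in the advisory above.
MIN_PATCHED = {
    9: (9, 0, 0, 10, 28),    # 9.0.0.10-28sv
    10: (10, 2, 0, 7, 34),   # 10.2.0.7-34sv
}

# Hardware the advisory lists as end-of-life: nothing to patch, disconnect instead.
EOL_MODELS = {
    "SRA 4600", "SRA 1600",                          # EOL 2019
    "SRA 4200", "SRA 1200",                          # EOL 2016
    "SSL-VPN 200", "SSL-VPN 2000", "SSL-VPN 400",    # EOL 2013/2014
}

# Accepts '10.2.0.7-34sv', '10.2.0.7-34' and '9.0.0.10' (no build number).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-(\d+))?(?:sv)?$")

def parse_version(text):
    """Turn '10.2.0.7-34sv' into (10, 2, 0, 7, 34); a missing build is treated as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    parts = [int(m.group(i)) for i in range(1, 5)]
    parts.append(int(m.group(5)) if m.group(5) else 0)
    return tuple(parts)

def classify(model, firmware):
    """Return (action, reason) for one appliance, following the advisory's tiers."""
    ver = parse_version(firmware)
    major = ver[0]
    if model in EOL_MODELS:
        return ("DISCONNECT", "end-of-life hardware; disconnect immediately and reset credentials")
    if major <= 8:
        return ("UPDATE", "8.x firmware is EOL and actively targeted; update to 9.0.0.10-28sv "
                          "or 10.2.0.7-34sv now, or take the appliance offline")
    minimum = MIN_PATCHED.get(major)
    if minimum is None:
        return ("REVIEW", f"firmware branch {major}.x is not covered by the advisory; check vendor guidance")
    if ver < minimum:
        want = "{}.{}.{}.{}-{}sv".format(*minimum)
        return ("UPDATE", f"below patched {want}; update, reset credentials, enable MFA")
    return ("OK", "on patched firmware; still rotate credentials and confirm MFA is enabled")

# Constructed sample inventory (hostnames and firmware strings are made up for this example).
SAMPLE_INVENTORY = [
    ("vpn-01", "SRA 4600", "8.0.0.9-14sv"),
    ("vpn-02", "SMA 410", "9.0.0.9-26sv"),
    ("vpn-03", "SMA 500v", "10.2.0.7-34sv"),
    ("vpn-04", "SMA 400", "9.0.0.10"),
    ("vpn-05", "SSL-VPN 2000", "8.1.0.2"),
]

def triage(inventory):
    """Classify every appliance and return rows ordered most urgent first."""
    order = {"DISCONNECT": 0, "UPDATE": 1, "REVIEW": 2, "OK": 3}
    rows = []
    for host, model, fw in inventory:
        action, reason = classify(model, fw)
        rows.append((order[action], host, model, fw, action, reason))
    rows.sort()
    return [(h, m, f, a, r) for _, h, m, f, a, r in rows]

if __name__ == "__main__":
    for host, model, fw, action, reason in triage(SAMPLE_INVENTORY):
        print(f"{action:<10} {host:<8} {model:<14} {fw:<14} {reason}")
```

Two deliberate choices: a version reported without a build number (as the SMA 400/200 line gives them) is treated as build 0, so it errs toward UPDATE rather than OK; and 8.x firmware on still-supported hardware is an urgent UPDATE, while 8.x on end-of-life hardware is a DISCONNECT because no patch will ever arrive for it.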

As an additional mitigation step, SonicWall recommends that all credentials associated with SMA or SRA devices, and any credentials reused on other devices or systems, be changed, and that MFA be enabled wherever possible.

References

SonicWall

https://www.sonicwall.com/support/product-notification/urgent-security-notice-critical-risk-to-unpatched-end-of-life-sra-sma-8-x-remote-access-devices/210713105333210/

Government Advisories

CISA – Ransomware Risk in Unpatched, EOL SonicWall SRA and SMA 8.x Products

CERT NZ – SonicWall EOL Devices Targeted by Ransomware


This Advisory is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Advisory. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.

Traffic Light Protocol = White