DESCRIPTION:
Through the course of collaboration with trusted third parties, including Mandiant, SonicWall has been made aware of threat actors actively targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware in an imminent ransomware campaign using stolen credentials. The exploitation targets a known vulnerability that has been patched in newer versions of firmware.
SonicWall PSIRT strongly suggests that organizations still using 8.x firmware review the information below and take immediate action.
- This notice is specifically for the SMA 100 and the older SRA series (reference lists for current SMA products and end-of-life products).
- SMA 1000 series products are not affected by this notice (reference current SMA products and end-of-life products).
- Customers with SRA and/or SMA 100 series with 9.x and 10.x firmware should continue to follow best practices such as update to the latest available SMA firmware or update to the latest SRA firmware, and enable multifactor authentication MFA.
IMPACT
Organizations that fail to take appropriate actions to mitigate these vulnerabilities on their SRA and SMA 100 series products are at imminent risk of a targeted ransomware attack.
RESOLUTION
Organizations using the following end-of-life SMA and/or SRA devices running firmware 8.x should either update their firmware or disconnect their appliances per guidance below.
- SRA 4600/1600 (EOL 2019)
- Disconnect immediately
- Reset passwords
- SRA 4200/1200 (EOL 2016)
- Disconnect immediately
- Reset passwords
- SSL-VPN 200/2000/400 (EOL 2013/2014)
- Disconnect immediately
- Reset passwords
- SMA 400/200 (Still Supported, in Limited Retirement Mode)
- Update to 10.2.0.7-34 or 9.0.0.10 immediately
- Reset passwords
- Enable MFA
While not part of this campaign targeting SRA/SMA firmware 8.x, customers with the following products should also ensure that they’re on the latest version of firmware to mitigate vulnerabilities discovered in early 2021.
- SMA 210/410/500v (Actively Supported)
- Firmware 9.x should immediately update to 9.0.0.10-28sv or later
- Firmware 10.x should immediately update to 10.2.0.7-34sv or later
IMPORTANT: If your organization is using a legacy SRA appliance that is past end-of life status and cannot update to 9.x firmware, continued use may result in ransomware exploitation.
MITIGATION
The affected end-of-life devices with 8.x firmware are past temporary mitigations. Continued use of this firmware or end-of-life devices is an active security risk.
To provide a transition path for customers with end-of-life devices that cannot upgrade to 9.x or 10.x firmware, we’re providing a complimentary virtual SMA 500v until October 31, 2021. This should provide sufficient time to transition to a product that is actively maintained.
- This unlimited user SMA 500v will be pre-registered for customers with 8.X firmware whose devices do not support Firmware 9.x or 10.x. The SMA 500v will show up in the mysonicwall.com account under the name “SMA_SRA8X_Migration_500v”
- This SMA500v will come without phone support. Therefore, please refer questions to the SonicWall communities thread found on the SonicWall Community SMA Thread
- For guidance, please reference the following deployment guides:
As additional mitigation, you should also immediately reset all credentials associated with your SMA or SRA device, as well as any other devices or systems using the same credentials. As always, we strongly recommend enabling multifactor authentication (MFA).
SonicWall would like to thank Mandiant and their team of threat researchers for collaboration on this subject.