SonicWall warns of 'imminent ransomware campaign' targeting its EOL equipment

Networking equipment vendor SonicWall has released an urgent security alert to its customers to warn companies of "an imminent ransomware campaign" targeting some of its equipment.

Through the course of collaboration with trusted third parties, SonicWall has been made aware of threat actors actively targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware in an imminent ransomware campaign using stolen credentials.

SonicWall product notification on 07/14/2021

While SonicWall did not The company, which also operates a cybersecurity division, said the attackers are targeting an old vulnerability that has been fixed in recent versions of its firmware.

SonicWall is now urging customers to update their devices' firmware as soon as possible if a new firmware version is available.

"If your organization is using a legacy SRA appliance that is past end-of life status and cannot update to 9.x firmware, continued use may result in ransomware exploitation," the company warned.

If customers can't update, SonicWall is recommending that they disconnect devices immediately and reset their access passwords, and enable account multi-factor authentication, if supported.

"The affected end-of-life devices with 8.x firmware are past temporary mitigations. Continued use of this firmware or end-of-life devices is an active security risk," it added.

Based on what type of SonicWall equipment companies are using, SonicWall has made the following recommendations:

• SRA 4600/1600 (EOL 2019)
  • Disconnect immediately 
  • Reset passwords
• SRA 4200/1200 (EOL 2016)
  • Disconnect immediately
  • Reset passwords
• SSL-VPN 200/2000/400 (EOL 2013/2014)
  • Disconnect immediately 
  • Reset passwords
• SMA 400/200 (Still Supported, in Limited Retirement Mode)
  • Update to 10.2.0.7-34 or 9.0.0.10 immediately
  • Reset passwords
  • Enable MFA

SonicWall has also warned customers of SMA 210/410/500v devices, which are still under active support, to also update their devices to 9.x or 10.x firmware versions and not run the older 8.x firmware, as they could also be attacked and ransomed, even if the device is not EOL.

Today's SonicWall alert about the current equipment exploitation and impending ransomware attacks are the fourth major hacking operation aimed at the company's products discovered this year.

In late January 2021, the company previously disclosed that it was itself hacked using a zero-day in its Secure Mobile Access (SMA) gateways. A week later, security firm NCC Group detected threat actors exploiting a mysterious SonicWall zero-day in its SMA devices. At the time, SonicWall wasn't even able to tell if the two zero-days were the same, as pointed out by infosec podcast Risky Business.

In April, FireEye discovered that a hacking group was using three SonicWall zero-days to breach corporate networks.

In June, Crowdstrike warned that ransomware gangs had found a way to bypass patches for CVE-2019-7481 to breach corporate networks and deploy ransomware payloads such as Darkside, FiveHands, and HelloKitty.

UPDATE: After this article went live, Heather Smith, the CrowdStrike security researcher behind the June report, told The Record via Twitter that today's SonicWall advisory is referring to the vulnerability detailed in her report last month, which is still being actively exploited.

Bill Siegel, founder and CEO of security firm Coveware, also confirmed via Twitter that the attacks SonicWall reported today against its EOL devices have actually been "ongoing," and are not "imminent."

In light of these two post-publication revelations, SonicWall device owners now have more info about the attacks, and are advised to heed SonicWall's advice and patch or disconnect unsafe/targeted devices.