SonicWall warns of 'imminent' SMA 100/SRA ransomware attacks
SonicWall said that those who fail to update or disconnect their vulnerable SMA 100 and SRA devices are 'at imminent risk of a targeted ransomware attack.'
An "imminent ransomware campaign" will impact SonicWall's Secure Mobile Access 100 series and Secure Remote Access products, according to a security advisory from the vendor.
SonicWall, a security vendor known for firewall and access offerings, published a security advisory Wednesday for unpatched and end-of-life (EOL) 8.x firmware versions of its SMA 100 and SRA devices. According to the vendor, threat actors are "actively targeting" and exploiting a known vulnerability in an "imminent ransomware campaign" using stolen credentials. The advisory doesn't identify the vulnerability.
"Organizations that fail to take appropriate actions to mitigate these vulnerabilities on their SRA and SMA 100 series products are at imminent risk of a targeted ransomware attack," the advisory read.
Customers are advised to update or disconnect their impacted devices immediately. For those with devices past EOL status, SonicWall warned that "continued use may result in ransomware exploitation."
Impacted devices include SRA 4600/1600 (EOL 2019), SRA 4200/1200 (EOL 2016), SSL-VPN 200/2000/400 (EOL 2013/2014) and SMA 400/200, which are supported in "Limited Retirement Mode." SonicWall also recommends that customers using SMA 210/410/500v update due to vulnerabilities found earlier this year.
Many details about the vulnerability, threat actor, attacker and exploitation remain unclear. SonicWall published an advisory Tuesday on an SQL injection vulnerability impacting SMA and SRA devices, but this vulnerability is not listed on the advisory page. It also has no listed CVE designation, though the page lists the CVSS score as 9.8, which is critical.
SearchSecurity asked SonicWall what the known vulnerability was, as well as additional details about the nature of the threat. A SonicWall spokesperson responded with the following statement:
"Threat actors will take any opportunity to victimize organizations for malicious gain. This exploitation targets a long-known vulnerability that was patched in newer versions of firmware released in early 2021. SonicWall immediately and repeatedly contacted impacted organizations of mitigation steps and update guidance," the statement read.
It continued, "Even though the footprint of impacted or unpatched devices is relatively small, SonicWall continues to strongly advise organizations to patch supported devices or decommission security appliances that are no longer supported, especially as it receives updated intelligence about emerging threats. The continued use of unpatched firmware or end-of-life devices, regardless of vendor, is an active security risk."
The researchers credited on the SQL injection vulnerability are Heather Smith and Hanno Heinrichs of CrowdStrike. The researchers published a CrowdStrike blog post last month discussing their work on an older SonicWall vulnerability, CVE-2019-7481. That CVE carries a base score of 7.5, which is high severity.
Smith tweeted yesterday that the threat actors behind the current ransomware campaign are utilizing CVE-2019-7481, which also affects SMA and SRA devices. It's unclear if the newer SQL injection vulnerability is also being exploited by threat actors.
CrowdStrike told SearchSecurity they are "still looking into this," but can attribute the newly disclosed attacks to "multiple eCrime actors."
SonicWall has had a number of significant vulnerabilities this year, including a breach involving a zero-day back in January and three more zero-days exploited in April.
Alexander Culafi is a writer, journalist and podcaster based in Boston.