- SonicWall warns about ransomware actors targeting EOL SRA and SMA devices.
- The company advises all administrators to update to the latest available firmware version.
- Devices that are no longer supported and didn’t receive a patch should be replaced with new ones.
SonicWall, the California-based network security and network appliance company, has released an urgent security notice warning its customers about a newly arisen danger of running unpatched EOL (end of life) SRA (Secure Remote Access) and SMA (Secure Mobile Access) devices. According to the notice, SonicWall has been made aware of threat actors actively targeting these devices, so attacks are already underway. The notice also mentions ransomware actors using stolen credentials, so patching these devices should be treated as an emergency.
The affected products, legacy SRA and SMA devices, are those that run firmware 8.x, so updating to 9.x or 10.x should resolve the problem. If that’s impossible, disconnect the appliance immediately until a patching plan has been developed. Additionally, resetting all passwords and enabling MFA (multi-factor authentication) where possible should be a standard practice to follow.
The actively targeted products are the following:
- SRA 4600/1600 (EOL 2019)
- SRA 4200/1200 (EOL 2016)
- SSL-VPN 200/2000/400 (EOL 2013/2014)
- SMA 400/200/100 (Limited Retirement Status)
Since some of these devices reached EOL over five years ago, there’s no update to firmware 9.x available for them, so the only solution is to replace them with newer devices. SonicWall isn’t abandoning that category of users, though, and will provide a complimentary virtual SMA 500v until October 31, 2021, which should give clients enough time for a smooth transition.
John Mancini, Data Scientist at Vectra, tells us:
“Teams are being asked to continue to use legacy solutions while deploying new infrastructure to support enterprise growth. Ransomware groups are aware of these challenges and identifying exploitable targets in unpatched or no-longer-supported infrastructure that can be reused to orchestrate repeatable attacks. When an attacker group is able to identify one vulnerability that is reproducible and easy to exploit, they will look to leverage that exploit opportunistically everywhere they can.”
Back in January, SonicWall suffered a security lapse when highly sophisticated actors managed to infiltrate its internal systems using zero-days against its products. Although the company released patches to prevent this from happening again, a series of hacking incidents in the following months spread fear that ransomware actors had found a way to bypass the fixes. This latest notice could be a continuation of the same problem that started months ago.