Flash Notice: SonicWall Warns of Imminent Ransomware Attack Against EOL Products

Overview Details

SonicWall has released an urgent security bulletin to their customers using unpatched, end-of-life Secure Mobile Access 100 series and Secure Remote Access products. The company indicates that there is an imminent ransomware campaign using stolen credentials targeting these devices running 8.x firmware. Since these firmware versions are considered end-of-life and out of support by the vendor, temporary mitigations are not possible, and SonicWall is urging customers to take drastic measures to ensure they are protected against this imminent threat, including disconnecting the devices from the network entirely. SonicWall is proactively reaching out to customers known to be using EOL software versions and are providing a complimentary virtual SMA 500v to customers who are not able to immediately upgrade to a supported version.

Running EOL software is one of the most serious yet easily avoidable security risks. Especially for networking devices that are directly accessible over the internet, such as these SonicWall products, this is not a risk that organizations should accept. SonicWall has not yet released details or IOCs related to the imminent attack, however a zero-day in the company’s products was exploited earlier this year in April by an organization known as UNC2447, using the ransomware variant FiveHands.

Affected Versions and Guidance:

• SRA 4600/1600 (EOL 2019)
  • Disconnect immediately
  • Reset passwords
• SRA 4200/1200 (EOL 2016)
  • Disconnect immediately
  • Reset passwords
• SSL-VPN 200/2000/400 (EOL 2013/2014)
  • Disconnect immediately
  • Reset passwords
• SMA 400/200 (Still Supported, in Limited Retirement Mode)
  • Update to 10.2.0.7-34 or 9.0.0.10 immediately
  • Reset passwords
  • Enable MFA

How Avertium is Protecting Our Customers:

• Avertium will continue to monitor the situation and will deploy IOCs to our managed SIEM and
  EDR platforms as they become available
• Avertium offers consulting for risk management and 3 rd party risk monitoring solutions

References:

• https://www.sonicwall.com/support/product-notification/urgent-security-notice-critical-risk-to-unpatched-end-of-life-sra-sma-8-x-remote-access-devices/210713105333210/
• https://www.crn.com/news/security/sonicwall-imminent-risk-of-ransomware-attack
• https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-critical-ransomware-risk-to-eol-sma-100-vpn-appliances/

This informed analysis is based on the latest data available.