Ransomware attacks target unpatched, end-of-life SonicWall SMA 100 VPN appliances. SonicWall, a networking equipment maker, has alerted its customers to a ransomware campaign targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products that are still running unpatched, end-of-life 8.x firmware.
Last month, reports surfaced of attackers exploiting a known vulnerability in SonicWall SRA 4600 VPN appliances (CVE-2019-7481) as an initial access vector for ransomware attacks on corporate networks worldwide.
According to SonicWall's advisory: “SonicWall has been made aware of threat actors actively targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware in an imminent ransomware campaign using stolen credentials. The exploitation targets a known vulnerability that has been patched in newer versions of firmware.”
SonicWall also made it clear that SMA 1000 series products are not affected. Businesses have been asked to act immediately: update appliances that can be updated to the latest firmware, turn on multi-factor authentication, and disconnect any appliance that is past end-of-life and cannot be updated to 9.x firmware.
The company also cautioned that the affected end-of-life devices running 8.x firmware are past temporary mitigations, and that continued use of this firmware or these devices is an active security risk.
Further, SonicWall recommended that customers reset all passwords associated with the SMA or SRA device, as well as on any other devices or systems that may share the same credentials.
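As an added check (example code written for this page, not SonicWall's own tooling), the script below applies the advisory's decision logic to an appliance inventory: SMA 1000 series devices are out of scope, 8.x firmware on SMA 100 series or SRA devices is treated as end-of-life, such a device is upgraded if a 9.x path exists and otherwise disconnected, and MFA is required on supported firmware. The inventory records, hostnames, the `can_upgrade` flag and the rule that SMA model numbers of 1000 and above belong to the SMA 1000 series are assumptions; confirm each model's upgrade path against SonicWall's own upgrade matrix before acting on the output.

```python
# Added example (not SonicWall's code or tooling): classify an SMA/SRA inventory
# according to the advisory's guidance. Inventory records, the model-number
# threshold for the SMA 1000 series and the can_upgrade flag are assumptions;
# check each model against the vendor's upgrade matrix before acting.
import re
from dataclasses import dataclass

# Action codes returned by triage()
NOT_AFFECTED = "NOT_AFFECTED"  # SMA 1000 series: out of scope for this advisory
DISCONNECT = "DISCONNECT"      # EOL 8.x with no 9.x path: take offline, reset credentials
UPGRADE = "UPGRADE"            # 8.x with a 9.x path: patch now, enable MFA, reset credentials
ENABLE_MFA = "ENABLE_MFA"      # supported firmware but MFA still off
OK = "OK"                      # supported firmware with MFA enabled
REVIEW = "REVIEW"              # model or version string not recognised: check by hand


@dataclass
class Appliance:
    host: str
    model: str          # e.g. "SRA 4600", "SMA 400", "SMA 6200"
    firmware: str       # e.g. "8.0.0.11-31sv"
    can_upgrade: bool   # model has a 9.x firmware path (assumption: look up per model)
    mfa_enabled: bool


def parse_firmware(version: str):
    """Return (major, minor, patch, build) from a string such as '9.0.0.10-28sv',
    or None when the string does not look like an SMA 100/SRA version."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(x) for x in m.groups()) if m else None


def product_family(model: str) -> str:
    """Map a model name to 'SMA100', 'SMA1000', 'SRA' or 'UNKNOWN'.
    Assumption: SMA models numbered 1000 and above are the SMA 1000 series."""
    m = re.match(r"^\s*(SMA|SRA)\s*[- ]?\s*(\d+)", model.upper())
    if not m:
        return "UNKNOWN"
    family, number = m.group(1), int(m.group(2))
    if family == "SRA":
        return "SRA"
    return "SMA1000" if number >= 1000 else "SMA100"


def triage(a: Appliance) -> str:
    """Decide the advisory action for one appliance."""
    family = product_family(a.model)
    if family == "UNKNOWN":
        return REVIEW
    if family == "SMA1000":
        return NOT_AFFECTED
    parsed = parse_firmware(a.firmware)
    if parsed is None:
        return REVIEW
    if parsed[0] <= 8:  # 8.x (or older) firmware is end-of-life
        return UPGRADE if a.can_upgrade else DISCONNECT
    return OK if a.mfa_enabled else ENABLE_MFA


def triage_inventory(appliances):
    """Return {host: action} so the result can feed a ticketing or NAC workflow."""
    return {a.host: triage(a) for a in appliances}


# Constructed sample inventory: hostnames, models and firmware strings are made up.
SAMPLE_INVENTORY = [
    Appliance("vpn-hq", "SRA 4600", "8.0.0.11-31sv", can_upgrade=True, mfa_enabled=False),
    Appliance("vpn-old", "SRA 1200", "8.0.0.11-31sv", can_upgrade=False, mfa_enabled=False),
    Appliance("vpn-dc2", "SMA 400", "9.0.0.10-28sv", can_upgrade=True, mfa_enabled=False),
    Appliance("vpn-dc3", "SMA 410", "10.2.1.0-17sv", can_upgrade=True, mfa_enabled=True),
    Appliance("vpn-big", "SMA 6200", "12.4.0-02075", can_upgrade=True, mfa_enabled=True),
    Appliance("vpn-weird", "SSL-VPN 2000", "n/a", can_upgrade=False, mfa_enabled=False),
]

if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:10s} {action}")
```

Anything that comes back as DISCONNECT or UPGRADE should also trigger the credential reset SonicWall asks for, on the appliance and on every system that shares its credentials; the action codes are deliberately coarse so they can be mapped onto whatever workflow the team already uses.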
SonicWall devices have become a lucrative attack vector over the past few months, with threat actors exploiting flaws in them to deploy malware.
In April, FireEye Mandiant reported that a hacking group tracked as UNC2447 had exploited a then-zero-day flaw in SonicWall SMA 100 VPN appliances (CVE-2021-20016) before the company patched it, deploying a new ransomware strain called FIVEHANDS on the networks of North American and European organizations.