SonicWall Urges Patching of Devices to Ward Off RansomwareVendor Issues Urgent Security Notice in Light of Ongoing Threat
SonicWall is urging users of its Secure Mobile Access 100 series and its Secure Remote Access products running unpatched and end-of-life 8.x firmware to immediately apply patches or disconnect the devices because a ransomware campaign using stolen credentials is targeting them.
"Organizations that fail to take appropriate actions to mitigate these vulnerabilities on their SRA and SMA 100 series products are at imminent risk of a targeted ransomware attack," the company stresses.
FireEye Mandiant reported in April that a cyberthreat gang exploited a now-patched zero-day vulnerability in the SonicWall SMA 100 Series appliance to plant ransomware during attacks launched earlier this year.
The group, which FireEye calls UNC2447, exploited CVE-2021-20016 to install the Sombrat backdoor and then a new ransomware variant the researchers dubbed "Fivehands." The gang encrypted and exfiltrated data, demanding a ransom in return for a decryptor and for refraining from exposing or selling the data, FireEye reported.
SonicWall warns organizations using the SRA 4600/1600 (EOL 2019), SRA 4200/1200 (EOL 2016), SSL-VPN 200/2000/400 (EOL 2013/2014), SMA 400/200 and SMA 210/410/500v devices running firmware 8.x to either update their firmware or disconnect their appliances as per company guidance.
SonicWall says its SMA 1000 series products do not face the ransomware threat. It recommends customers with SRA and/or SMA 100 series devices with 9.x and 10.x firmware to continue to follow best practices, such as updating to the latest available firmware and enabling multifactor authentication.
"If your organization is using a legacy SRA appliance that is past end-of life status and cannot update to 9.x firmware, continued use may result in ransomware exploitation," the company notes.
The SonicWall Flaw
CVE-2021-20016 is an SQL injection vulnerability in SonicWall's SMA100 VPN that, if exploited, allows a remote unauthenticated attacker to perform an SQL query to access usernames, passwords and other session-related information. This vulnerability affects SMA100 build version 10.x, FireEye says.
"As a result of our collaboration with third-party analysts, SonicWall investigated, verified and patched the mentioned SMA 100 vulnerabilities in February 2021," SonicWall says. "This entire process, coupled with upgrade and mitigation guidance, was carefully and consistently communicated to our global partners and customers."
This flaw is unrelated to the three zero-day vulnerabilities in the hosted and on-premises versions of SonicWall's Email Security product that attackers began exploiting last month. The company has since patched those flaws (see: SonicWall Patches 3 Zero-Day Flaws).
Criminals are motivated to find an entry point into the enterprise, says Tim Wade, former security and technical manager for the U.S. Air Force and the technical director at security company Vectra AI.
"The bottom line is not that there is something exploitable that an adversary is targeting. … Enterprises must be prepared for maintaining resilience against the inevitability of their prevention and protection practices failing," Wade says. "As security practitioners, we’ll never prevent, patch and harden our way out of this problem - we must maintain effective visibility, have the capacity to detect and respond to an adversary’s beachhead, and expel them before material damage is done. If that isn’t our target, we aren’t winning."