Through the course of collaboration with trusted third parties, SonicWall has been made aware of threat actors actively targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware in an imminent ransomware campaign using stolen credentials. The exploitation targets a known vulnerability that has been patched in newer versions of firmware.

The notice is specifically for SMA 100 and the older SRA series, and does not affect SMA 1000 series products. Organizations that fail to take appropriate actions to mitigate these vulnerabilities on their SRA and/or SMA 100 series with 9.x and 10.x firmware should continue to follow best practices such as update to the latest available SMA firmware or update to the latest SRA firmware and enable multifactor authentication MFA.

 “The bottom line is not that there is something exploitable that an adversary is targeting, the bottom line is that enterprises must be prepared for maintaining resilience against the inevitability of their prevention and protection practices failing,” says Tim Wade, Technical Director, CTO Team at Vectra. “As security practitioners, we’ll never prevent, patch, and harden our way out of this problem – we must maintain effective visibility, have the capacity to detect and response to an adversary’s beachhead, and expel them before material damage is done.  If that isn’t our target, we aren’t winning.”

Organizations that fail to take appropriate actions to mitigate these vulnerabilities on their SRA and SMA series products are at imminent risk of a targeted ransomware attack. Organizations using end-of-life SMA and/or SRA devices running firmware 8.x should either update their firmware or disconnect their appliances.

Alec Alvarado, Threat Intelligence Team Lead at Digital Shadows explains this shows how ransomware actors continue to identify the path of least resistance. “The targeting of end-of-life (EoL) products is a proven and effective technique for extortion actors. Examples include the targeting of Accellion’s FTA, which was on its way out at the point of exploitation but resulted in a significant fallout after the Cl0p ransomware group obtained data belonging to Accellion’s customers through a vulnerability. Furthermore, the targeting of EoL products serves as a reminder of the importance of maintaining accountability of technologies both old and new. The ever-expanding attack surface continues to lower the barrier of entry, especially when organizations struggle to accomplish basic security principles and patching requirements. Threat actors are not interested in reinventing the wheel through an elaborate vulnerability, and why would they be when they can accomplish their goals through easier means.”

“If a vendor is telling you that there’s a threat, you should probably take them seriously and act immediately. Like your house is on fire…act now type of emergency. These events continue to highlight the need for lifecycle management, patch management, and privileged access management,” says AJ King, Chief Information Security Officer at BreachQuest. “None of these processes are sexy. They’re monotonous, never ending tasks that are fundamental to a security program. They take spend on technology, on people and vendors to implement and maintain, and are not quick fixes. Companies that have the foresight to spend wisely vs on the next gen, AI driven, machine learning capable blinky box are the ones that will weather the storm. Firms that are too cheap or arrogant will find themselves paying a ransom, and then still having to spend the money to fix that which they ignored in the first place.”

UPDATE: SonicWall contacted Security magazine and provided the following official statement:

"Threat actors will take any opportunity to victimize organizations for malicious gain. This exploitation targets a long-known vulnerability that was patched in newer versions of firmware released in early 2021. SonicWall immediately and repeatedly contacted impacted organizations of mitigation steps and update guidance. Even though the footprint of impacted or unpatched devices is relatively small, SonicWall continues to strongly advise organizations to patch supported devices or decommission security appliances that are no longer supported, especially as it receives updated intelligence about emerging threats. The continued use of unpatched firmware or end-of-life devices, regardless of vendor, is an active security risk."