The following Advisory has been published:
On Wednesday, 14th July 2021, SonicWall issued an urgent security notice relating to critical risks associated with two of its remote access product lines. SonicWall states that Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) appliances running unpatched and end-of-life (EOL) 8.x firmware are being actively targeted in a ransomware campaign that uses stolen credentials.
Our security partner Dell Secureworks is aware that a threat group known to deploy ransomware exploited a zero-day SonicWall vulnerability before it was patched in February 2021. SonicWall does not identify the specific vulnerability exploited in this campaign, nor does it name the ransomware family involved. However, researchers deem the threat as outlined in the security notice highly credible, and customers running the affected products in their environments could be at imminent risk of a ransomware attack.
SonicWall has provided guidance on how to mitigate the risk from the known vulnerability in each of the listed devices and states that the mitigations should be implemented immediately.
Customers using any of the following devices should disconnect them immediately and reset all user passwords:
- SRA 4600/1600 (EOL 2019)
- SRA 4200/1200 (EOL 2016)
- SSL-VPN 200/2000/400 (EOL 2013/2014)
Customers using the following device should update the firmware per the guidance, reset user passwords, and enable multi-factor authentication (MFA):
- SMA 400/200 (still supported in limited retirement mode)
Customers using the affected devices should monitor their environment for any signs of pre-ransomware activity.
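As an added triage helper, which is not part of the SonicWall notice or of this advisory, the following Python maps a device inventory onto the actions listed above: disconnect and reset passwords for the EOL SRA and SSL-VPN models, update firmware plus reset passwords and enable MFA for SMA 400/200 and any other SMA unit still on 8.x, and a manual-review bucket for devices whose firmware string cannot be parsed. The inventory rows, the model spellings, the firmware-string format (a dotted version with an optional "-NNsv" build suffix) and the action labels are this example's own assumptions.

```python
import re

# Models taken from the advisory text; normalised to upper case with
# punctuation and spaces removed so "sma-400", "SMA 400" and "SMA400" match.
EOL_DISCONNECT = {
    "SRA4600", "SRA1600",                    # EOL 2019
    "SRA4200", "SRA1200",                    # EOL 2016
    "SSLVPN200", "SSLVPN2000", "SSLVPN400",  # EOL 2013/2014
}
LIMITED_RETIREMENT = {"SMA400", "SMA200"}    # still supported in limited retirement mode

# Action labels are this example's own; they paraphrase the advisory's guidance.
ACT_DISCONNECT = "disconnect_and_reset_passwords"
ACT_UPDATE_MFA = "update_firmware_reset_passwords_enable_mfa"
ACT_CONFIRM = "confirm_patched_and_mfa_enabled"
ACT_REVIEW = "manual_review_unparseable_firmware"
ACT_OUT_OF_SCOPE = "not_in_advisory_scope"

# Assumed firmware format, e.g. "8.0.0.4-25sv" or "10.2.0.7-34sv":
# dotted numeric version with an optional "-<build>sv" suffix.
_FW_RE = re.compile(r"^(\d+)(?:\.\d+)*(?:-\d+sv)?$")


def firmware_major(version: str):
    """Return the major firmware version as an int, or None if unparseable."""
    m = _FW_RE.match(version.strip())
    return int(m.group(1)) if m else None


def normalize_model(model: str) -> str:
    """Strip everything but letters/digits and upper-case, for loose matching."""
    return re.sub(r"[^A-Z0-9]", "", model.upper())


def triage(model: str, firmware: str) -> str:
    """Map one appliance to the advisory's recommended action."""
    key = normalize_model(model)
    if key in EOL_DISCONNECT:
        # EOL hardware cannot be patched: disconnect regardless of firmware.
        return ACT_DISCONNECT
    major = firmware_major(firmware)
    if key in LIMITED_RETIREMENT:
        if major is None:
            return ACT_REVIEW            # do not silently skip an unknown build
        if major == 8:
            return ACT_UPDATE_MFA        # the targeted 8.x firmware
        return ACT_CONFIRM               # 9.x/10.x: verify current patch level and MFA
    if key.startswith("SMA") and major == 8:
        # Any other SMA 100 series unit still on 8.x is in the notice's scope.
        return ACT_UPDATE_MFA
    return ACT_OUT_OF_SCOPE


# Constructed sample inventory (hostnames, models and builds are made up).
SAMPLE_INVENTORY = [
    {"host": "vpn-ldn-01", "model": "SRA 4600",     "firmware": "8.0.0.4-25sv"},
    {"host": "vpn-ldn-02", "model": "SSL-VPN 2000", "firmware": "3.5.0.6"},
    {"host": "vpn-man-01", "model": "sma-400",      "firmware": "8.0.0.4-25sv"},
    {"host": "vpn-man-02", "model": "SMA 200",      "firmware": "9.0.0.10-28sv"},
    {"host": "vpn-edi-01", "model": "SMA 200",      "firmware": ""},
    {"host": "fw-ldn-01",  "model": "TZ 400",       "firmware": "7.0.1"},
]


def triage_inventory(rows):
    """Return {hostname: action} for every row in an inventory."""
    return {row["host"]: triage(row["model"], row["firmware"]) for row in rows}


if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {action}")
```

Unparseable firmware is deliberately routed to manual review rather than treated as safe, since an appliance whose build cannot be read is exactly the one most likely to have been forgotten.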
Researchers are assessing the available data to understand the full scale of this threat and how it might manifest in customer environments.
If you have any questions or concerns about this advisory, please contact the team at firstname.lastname@example.org