SonicWall has issued an “urgent security notice” warning customers of ransomware attacks targeting unpatched end-of-life (EoL) Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products.

“Through the course of collaboration with trusted third parties, SonicWall has been made aware of threat actors actively targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware in an imminent ransomware campaign using stolen credentials,” the company said.

According to SonicWall, the attacks target a known vulnerability patched in newer versions of firmware, and they do not impact SMA 1000 series products.

“Organizations that fail to take appropriate actions to mitigate these vulnerabilities on their SRA and SMA 100 series products are at imminent risk of a targeted ransomware attack,” SonicWall warns.

Disconnect or update affected devices

Companies still using EoL SMA and/or SRA devices with 8.x firmware are urged to update the firmware immediately or disconnect the appliances as soon as possible to fend off the critical risk of ransomware attacks.

Customers using actively supported SMA 210/410/500v devices with the vulnerable 8.x firmware targeted in these attacks are also advised to immediately update to the latest version, which mitigates vulnerabilities discovered in early 2021.

“As additional mitigation, you should also immediately reset all credentials associated with your SMA or SRA device, as well as any other devices or systems using the same credentials,” SonicWall adds. “As always, we strongly recommend enabling multifactor authentication (MFA).”

A SonicWall spokesperson was not available for comment when BleepingComputer reached out earlier today.

Depending on the product they use, SonicWall recommends organizations to:

  • SRA 4600/1600 (EOL 2019)
    • Disconnect immediately 
    • Reset passwords
  • SRA 4200/1200 (EOL 2016)
    • Disconnect immediately
    • Reset passwords
  • SSL-VPN 200/2000/400 (EOL 2013/2014)
    • Disconnect immediately
    • Reset passwords
  • SMA 400/200 (Still Supported, in Limited Retirement Mode)
    • Update to or immediately
    • Reset passwords
    • Enable MFA

SonicWall devices previously targeted by ransomware

In April, threat actors also exploited a zero-day bug in SonicWall SMA 100 Series VPN appliances to deploy a new ransomware strain known as FiveHands on the networks of North American and European targets.

This threat group, tracked by Mandiant as UNC2447, exploited the CVE-2021-20016 SonicWall vulnerability to breach systems and deliver FiveHands ransomware payloads before SonicWall released patches in late February 2021.

The same zero-day was also abused in attacks targeting SonicWall’s internal systems in January and later exploited indiscriminately in the wild.

In March, Mandiant threat analysts discovered three more zero-day vulnerabilities in SonicWall’s on-premises and hosted Email Security (ES) products.

These zero-days were also actively exploited by a group tracked as UNC2682 to backdoor systems using BEHINDER web shells, allowing them to move laterally through victims’ networks and gain access to emails and files.